'hostname "mail.domain.tld" does not match the server certificate' :: SNI support? & how to query cert from Discourse container?

I’m getting some kind of a certificate error when accessing the pop3 mail server from another server on our domain. The resultant message is: Job exception: hostname "mail.domain.tld" does not match the server certificate, but does not give the actual hostname mismatch information within the backtrace.

First, SNI is required in this situation and a sysadmin has suggested that Discourse may not be configured properly to use SNI and thus the error message. The certs have tested out and seem to have no problems.

Second, just to make sure I’m on the same page with debug: How should I access POP3 (or the cert request and comparison) from within the Discourse container so as to actually get the data that is being compared to indicate a certificate mismatch? I’d like to do a sanity check here to be sure I’m comparing proverbial apples to apples…

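The "apples to apples" check asked for above, as an added example (it is not code from this thread or from Discourse): a local TLS server that, like a mail host with several virtual domains, picks its certificate from the SNI name and falls back to a default certificate when no SNI is sent, plus a client that fetches the presented certificate with and without SNI and runs Ruby's own hostname check on it. The names mail.domain.tld and www.domain.tld, the self-signed throwaway certificates and the 127.0.0.1 listener are constructed for the demo.

```ruby
require "openssl"
require "socket"

# Build a self-signed certificate whose only valid DNS name is `name`.
# Throwaway key and cert for a local demo; there is no real CA here.
def make_cert(name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(2**62)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE"))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{name}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

def context_for(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ctx
end

# A TLS listener that selects its certificate from the SNI name (one
# context per virtual domain). Without SNI, or with an unknown name, the
# callback returns nil and the default certificate is served.
def start_sni_server(contexts, default_name)
  default_ctx = contexts.fetch(default_name)
  default_ctx.servername_cb = proc do |_ssl_socket, hostname|
    contexts[hostname]
  end
  tcp    = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, default_ctx)
  thread = Thread.new do
    until tcp.closed?
      begin
        server.accept.close       # handshake only; we never speak POP3
      rescue StandardError
        # failed handshake, or the listener was closed under us
      end
    end
  end
  [server, thread, tcp.addr[1]]
end

# Connect, optionally sending SNI, and return the certificate the server
# actually presented. Verification is off on purpose: the goal is to see
# which certificate comes back, not to trust it.
def fetch_cert(port, sni_name)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  ssl.sync_close = true
  ssl.hostname = sni_name if sni_name   # this is what puts SNI on the wire
  ssl.connect
  cert = ssl.peer_cert
  ssl.close
  cert
end

def common_name(cert)
  cert.subject.to_a.find { |oid, _, _| oid == "CN" }[1]
end

# Same server, same port, one handshake with SNI and one without; then the
# hostname check Ruby's OpenSSL binding uses for certificate identity.
def sni_mismatch_demo(wanted = "mail.domain.tld", default = "www.domain.tld")
  contexts = {}
  [wanted, default].each { |n| contexts[n] = context_for(*make_cert(n)) }
  server, thread, port = start_sni_server(contexts, default)
  begin
    with_sni    = fetch_cert(port, wanted)
    without_sni = fetch_cert(port, nil)
  ensure
    server.close
    thread.join(5)
  end
  {
    with_sni_cn:         common_name(with_sni),
    with_sni_matches:    OpenSSL::SSL.verify_certificate_identity(with_sni, wanted),
    without_sni_cn:      common_name(without_sni),
    without_sni_matches: OpenSSL::SSL.verify_certificate_identity(without_sni, wanted),
  }
end

if __FILE__ == $PROGRAM_NAME
  sni_mismatch_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

With SNI the server returns the mail.domain.tld certificate and the identity check passes; without it you get the default www.domain.tld certificate and the same "does not match" result the error above reports. In Ruby the SNI name is only sent if `SSLSocket#hostname=` is set before `connect`, which is the point the linked Stack Overflow questions turn on. The equivalent check from a shell inside the container is `openssl s_client -connect mail.domain.tld:995 -servername mail.domain.tld`, compared against the same command without `-servername`; the subject and subjectAltName of the two certificates show whether the server is even able to hand out the right certificate once SNI is sent.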

I did check in to see if SNI could be disabled on the server and the reply was that it’s not possible. The sysadmin said:

Please note that there is no supported mechanism for disabling mail SNI, so you will need to work with the Discourse developers to support it. These pages may be of assistance to you in doing that:

ruby - OpenSSL::SSL::SSLContext SNI servername_cb Not Working - Stack Overflow
ruby - OpenSSL::X509::Certificate Showing Certificate for Wrong Domain - Stack Overflow

My recommendation would be to use Straightforward direct-delivery incoming mail rather than pop3.


I’m really glad you pointed that out, I’d not seen this option anywhere and wish I’d known about this from the get-go. Might be a good idea to add this info to the installation instructions or perhaps even mention it within the app.yaml as something to consider when setting up the email section.

I did ask for some input there as well for some additional clarity given my scenario. Please feel free to chime in.

It’s actually linked in the top post of Set up Reply via Email Support:

:bell: Alternately, if you aren’t comfortable using GMail for this, you can set up your own incoming email service using Straightforward direct-delivery incoming mail

Your original post doesn’t specify which documentation you were following to go down the POP3 rabbit hole, but assuming you were looking at the official guide linked above it has been linked in there since March 28.

I’ve responded to your reply in the other topic to suggest how to structure addresses/domains when using this.


I’ll throw my hat into the ring and also kindly request SNI support. Postfix and Dovecot both added support for it over the last year and many people like myself have already made the switch-over. Usually, Discourse is already on this sort of stuff, so I was quite frankly surprised to see its omission on the roadmap.

Just checking in to see if SNI is at all on the table for future development. Safari and Outlook both support SNI and have done so for almost five years now. It would greatly simplify my server configuration for emails if I could just use my SNI instead of pointing to a single email server.