I tested on a new server with a fresh installation and I have the same result. I have all mail ports open, and 465 and 993 do not connect from Thunderbird and other SMTP testers. Maybe it's a bug in version 3.3; OpenSSL may not be working correctly. I installed DNS manager, same.
Problem with SSL on mail server
Jimmy, how do you make the connection? TLS? Are you accepting all certificates? Can you provide a DNS Inspection over your domain name where you are facing this problem?
If you can create a report and paste the result here we would have more data, just to check if your DNS records are correct or not.
- Please update the mail server to 4.0
- To use TLS connection, you need to configure the certificate for the domain name first
All works ok with DNS. NS are in CloudFlare so I have 97.
I did it but I have this error on Rainloop:
IMAPs port (993) works ok.
Certificate is Let's Encrypt
STARTTLS works ok with the Let's Encrypt SSL but the SSL/TLS option does not.
Jimmy
Could you tell me what email client you use?
aaPanel_Jose
Sure, Rainloop. Also I use Thunderbird and I have errors too.
In Thunderbird.
In Rainloop all ports work except 465 for SMTP.
For Incoming none (143), STARTTLS (143), SSL/TLS (993) : Works all
For outgoing: none (25), STARTTLS (587) : works
SSL/TLS (465) does not work.
Jimmy
I have searched for a long time and haven't found the problem~ Have you ever successfully used this connection method on other self-built mail servers?
aaPanel_Jose
In version 3.2 I worked with SSL/TLS (465 & 993). I upgraded to 3.3 and now 4.0 and 465 is not working. In 3.2 I had an SSL (Let's Encrypt) on the main domain and on the mail subdomain and in Rainloop it worked fine. I will do a fresh install again on another server to check the mail server again.
Jimmy
Instead of Autodetect, please select Account Details. You should avoid autodetect settings always.
I could get it to work with the following:
- my mail server is: mail.domain.com, PTR: mail.domain.com
- users are registered with domain: domain.com
- I created a website mail.domain.com to automatically generate an SSL certificate
- once completed it generates:
1 key, 1 certificate (not full chain)
then I would go to https://whatsmychaincert.com to check my certificate,
I copy-pasted the website certificate and generated the full chain with root cert
I took the generated valid cert and added it to my postfix config
- finally I tested with openssl
openssl s_client -connect mail.domain.com:465
openssl s_client -connect mail.domain.com:993
openssl s_client -starttls smtp -connect mail.domain.com:587
and all tests got me to the right point, and my email client works fine
Update
Let's Encrypt stores data in /www/server/panel/vhost/letsencrypt/domain.com/fullchain.pem
TL;DR
just put this information on postfix configuration:
it will always be generated automatically 1 month before the expiry date, thus postfix will always look for the right certificate.
never use the email system in aaPanel, it's a nightmare, and if you have good traffic it's not recommended to host mail on the same server
you can't find free plugins, panels to do so ...
aaPanel is evolving I guess
Are these instructions current?
I'm using Mail Server 4.5 and external clients like Gmail don't recognize SSL
Thanks for your work
I'm also facing the same problem. Gmail is highlighting SSL issues.
I add the TLS parameters manually, but the cert does not generate automatically
Any update on this? I'm having the same issue. When trying to use Gmail to send emails, it's failing.
When I attempt to update the mail settings in Gmail, it's reporting a "TLS Negotiation failed, the certificate doesn't match the host., code: 0"
I've attempted to do some debugging. When I issue this command in a Linux command prompt, it's showing me old certificate details:
openssl s_client -starttls smtp -showcerts -connect domain.com:587
I've even completely deleted the SSL certificate for the domain in aaPanel, but it doesn't seem to actually delete it.
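
As an added example (not code from any poster in this thread or from aaPanel), the script below reads `openssl s_client -showcerts` output and separates the two failures discussed above: a server that sends only the leaf certificate, and a certificate that does not match the mail hostname. The sample outputs are constructed, and it assumes s_client was run with `-verify_hostname` so that a name mismatch is reported as verify code 62.

```python
import re

# Constructed sample (abridged s_client output): server presents the leaf only.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = mail.domain.com
   i:C = US, O = Let's Encrypt, CN = R3
---
subject=CN = mail.domain.com
---
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample: full chain, but for a name other than -verify_hostname.
WRONG_NAME = """\
Certificate chain
 0 s:CN = domain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
subject=CN = domain.com
---
Verify return code: 62 (hostname mismatch)
"""

# OpenSSL X509_V_ERR_* codes relevant to the failures in this thread.
ADVICE = {
    None: "no verify result; the TLS handshake did not complete",
    0: "chain and name verify",
    10: "served certificate has expired; check which file the daemon loads",
    20: "issuer missing; serve the full chain, not the leaf alone",
    21: "issuer missing; serve the full chain, not the leaf alone",
    62: "certificate does not cover the name given to -verify_hostname",
}

def diagnose(s_client_output):
    """Pull chain length, leaf subject and verify result out of s_client text."""
    chain_len = len(re.findall(r"^ *\d+ s:", s_client_output, re.M))
    subject = re.search(r"^subject=(.*)$", s_client_output, re.M)
    verify = re.search(r"^ *Verify return code: (\d+)", s_client_output, re.M)
    code = int(verify.group(1)) if verify else None
    advice = ADVICE.get(code, "verification failed with code %s" % code)
    return {"chain_len": chain_len, "verify_code": code, "advice": advice,
            "subject": subject.group(1).strip() if subject else None}

if __name__ == "__main__":
    import sys
    print(diagnose(sys.stdin.read()))
```

To run it against a live server, append `-showcerts -verify_hostname mail.domain.com </dev/null 2>&1 | python3 diagnose.py` to one of the s_client commands above (`diagnose.py` is a hypothetical file name). A `subject` that differs from the certificate file on disk means the mail daemon is still loading an older file.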