
I installed postfix and dovecot using iRedmail. During the installation, I supplied iRedmail with server.mailtuner.com as the hostname for the SMTP server.

But! My Let's Encrypt SSL certificate is signed for mailtuner.com. My main root mailserver user is postmaster@mailtuner.com.

My reverse DNS: server.mailtuner.com is pointing to 45.56.86.66

SPF: v=spf1 ip4:45.56.86.66 ~all

DMARC: v=DMARC1; p=none; rua=mailto:postmaster@mailtuner.com

CNAME: server.mailtuner.com aliases to mailtuner.com

A records: "" and "www" point to 45.56.86.66

MX Records:

            mailtuner.com => preference: 0
            server.mailtuner.com => preference: 10
            mail.mailtuner.com => preference: 11

My DKIM is also correctly set up by iRedMail and I also created a TXT record for it.

I got 10/10 in mail-tester: https://www.mail-tester.com/web-acvkq

Problem! Emails sent from postmaster@mailtuner.com to hotmail are going to junk.

When trying to use nodemailer with the following options:

    const nodemailer = require('nodemailer');

    const transporter = nodemailer.createTransport({
        host: 'server.mailtuner.com',
        port: 587,
        secure: false, // secure:true for port 465, secure:false for port 587
        auth: {
            user: 'postmaster@mailtuner.com',
            pass: 'XXXXX'
        }
    });

I get this error:

{ Error: Hostname/IP doesn't match certificate's altnames: "Host: server.mailtuner.com. is not in the cert's altnames: DNS:mailtuner.com"
    at Object.checkServerIdentity (tls.js:222:17)
    at TLSSocket.<anonymous> (_tls_wrap.js:1110:29)
    at emitNone (events.js:105:13)
    at TLSSocket.emit (events.js:207:7)
    at TLSSocket._finishInit (_tls_wrap.js:638:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:468:38)
  reason: 'Host: server.mailtuner.com. is not in the cert\'s altnames: DNS:mailtuner.com',
  host: 'server.mailtuner.com',
  cert: 
   { subject: { CN: 'mailtuner.com' },
     issuer: 
      { C: 'US',
        O: 'Let\'s Encrypt',
        CN: 'Let\'s Encrypt Authority X3' },
     subjectaltname: 'DNS:mailtuner.com',
     infoAccess: { 'OCSP - URI': [Array], 'CA Issuers - URI': [Array] },
     modulus: ...,
     exponent: '0x10001',
     valid_from: 'Nov  7 21:35:01 2017 GMT',
     valid_to: 'Feb  5 21:35:01 2018 GMT',
     fingerprint: '96:76:5D:D9:1C:D4:CD:50:75:60:D5:52:45:58:AB:5B:BD:D5:CB:F3',
     ext_key_usage: [ '1.3.6.1.5.5.7.3.1', '1.3.6.1.5.5.7.3.2' ],
     serialNumber: '0314E704EE42C2C26F7028950BAA826401A4',
     raw: <Buffer 30 82 04 fd 30 82 03 e5 a0 03 02 01 02 02 12 03 14 e7 04 ee 42 c2 c2 6f 70 28 95 0b aa 82 64 01 a4 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 4a ... > },
  code: 'ESOCKET',
  command: 'CONN' }

Changing the host in the nodemailer options to mailtuner.com instead of server.mailtuner.com kind of hides the issue!

But the problem remains! My emails are sent to **junk** and I can't use port 465 to send over SSL.

Solution? Should I change the name in the Let's Encrypt certificate to server.mailtuner.com? And how do I do that?

Should I also add a domain to iRedmail: server.mailtuner.com

and then create another user postmaster@server.mailtuner.com

and then add this user to my DMARC: v=DMARC1; p=none; rua=mailto:postmaster@mailtuner.com, postmaster@server.mailtuner.com

2 Answers


Get a new letsencrypt certificate, and specify mailtuner.com, server.mailtuner.com and mail.mailtuner.com as the hostnames for it, i.e.:

    certbot certonly -d mailtuner.com -d mail.mailtuner.com -d server.mailtuner.com

Then restart postfix and the other services that use SSL on that system.

ivanivan

It seems you have a single server 45.56.86.66 with all the different names @, mail & server. Yesterday you had problems with the PTR record, now it's with the certificate.

  1. Pick a single hostname for your service and use it everywhere. You could use mailtuner.com without a subdomain, as it's already in your certificate and was your PTR at least yesterday. That removes all mismatches.

  2. More than one MX is for resiliency i.e. secondary mail servers allowing you to receive mail when the primary mail server as a final destination is down. Currently you have three MX records pointing eventually to the same IP address. That doesn't add anything but complexity.

Esa Jokinen