For those of you dealing with SSL mail issues (specifically with certificates), this might help you. My Issue I use Gmail to send emails via an email account hosted on my Ubuntu server. However, in order to do this securely, you must have an SSL mail certificate on your server. I used aaPanel to do this, and in the past it worked fine. But then it stopped working. When I investigated, I discovered that Gmail was not seeing the correct SSL mail certificate. Even though I used aaPanel to set this correctly, it wasn't showing the correct SSL. I verified this by running this command: openssl s_client -starttls smtp -showcerts -connect domain.com:587 It kept showing me incorrect (old) certificate information. The Problem What I discovered after doing a lot of investigation is that aaPanel only allows for one mail certificate per server. Although it allows you to set multiple SSL mail certificates for various hosted domains, only one can be used at a time. What I found is that aaPanel puts the server's SSL mail certificate in this directory: /www/server/panel/plugin/mail_sys/cert/ Although you'll see subdirectories for the various domains that you created an SSL mail certificate for, the only one that is referenced by outside sources (i.e. Gmail) is the certificate in that "cert" folder. You should see two files in there: fullchain.pem privkey.pem In my case, those certificates were not only expired but also not the correct ones. The Solution It's pretty simple. Delete (or backup) the fullchain.pem and privkey.pem files in the "cert" directory, and replace them with the same named files from the subdirectory for the domain you want to use as the secure email domain for the mail server. For example, let's say you created SSL mail certificates for two domains in aaPanel (domain1.com and domain2.com). And you want the mail certificate for the entire server to be associated with domain1.com. Simply copy the fullchain.pem and privkey.pem files from the domain1.com subfolder into the "/www/server/panel/plugin/mail_sys/cert/" directory. And that should do it. For me, once I did this, I was able to successfully set / verify SMTP Server, Username and Password details for the email address in Gmail so that I can securely send emails via Gmail via port 587. I hope this post helps others with their issues. And I hope the aaPanel team will address the issue and get it fixed up.

hello,mate I just tried your way. but it didn't work.

i have same problem...I see that they updated the email serve mass cool... version 70.7, but they didn't fix the basics ssl long time have this fix, i cant configure smtp external fix ssl...Hestia panel not have this problem basic..=D

SSL Mail Certificate - Issue & Solution

aaPanel_Kern

Hello, thank you for your feedback, it has been reported to development

aaP_brunoviver10

aaP_ilkaykaradam

Is there any update about the bug? 16.09.2025 and i got same issue...

aaPanel_Kern

Hello, please check the postfix configuration, usually at the end
Also check whether the deployed SSL certificate matches the used domain

aaP_ilkaykaradam

aaPanel_Kern system says 61 days long to end cert but openssl s_client -starttls smtp -showcerts -connect yyy.com.tr:465

Start Time: 1758029749
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
Max Early Data: 0

I don t know how it happend but it s look like pain my ...

aaPanel_Kern

Hello, is it normal to try to save SSL again?

aaP_ilkaykaradam

aaPanel_Kern Yeah i change the config with default conf ssl looks ok but now i ve sending mail issue (: I dont know whats happening but everything working fine, i m getting e-mails but when i trying to send mail giving connection time out ):

aaPanel_Kern

Hello, please check the mail server log to check what is the reason for the connection timeout

aaP_ilkaykaradam

I replace postfix conf one of my old backup and now i ve different error: The reported error was “Peer failed to perform TLS handshake: Error receiving data: Connection reset by peer”. and looks like there s no vmail_ssl.mapsmtpd_tls_cert_file.db. how can i create the new one or can i?

aaP_ilkaykaradam

Sep 17 11:45:42 srv postfix/smtpd[82882]: warning: error opening chain file: /etc/ssl/private/ssl-cert-snakeoil.key: No such file or directory
Sep 17 11:45:42 srv postfix/smtpd[82879]: connect from unknown[50.208.98.201]
Sep 17 11:45:42 srv postfix/smtpd[82879]: warning: SASL: Connect to private/auth failed: No such file or directory
Sep 17 11:45:42 srv postfix/smtpd[82879]: fatal: no SASL authentication mechanisms
Sep 17 11:45:42 srv postfix/smtpd[82883]: warning: /etc/postfix/main.cf, line 43: overriding earlier entry: mynetworks=10.40.80.0/24
Sep 17 11:45:42 srv postfix/smtpd[82883]: warning: Both smtpd_tls_chain_files and one or more of the legacy smtpd_tls_cert_file, smtpd_tls_eccert_file or smtpd_tls_dcert_file are non-empty; the legacy parameters will be ignored
Sep 17 11:45:42 srv postfix/smtpd[82883]: warning: error opening chain file: /etc/ssl/private/ssl-cert-snakeoil.key: No such file or directory
Sep 17 11:45:42 srv postfix/smtpd[82884]: warning: /etc/postfix/main.cf, line 43: overriding earlier entry: mynetworks=10.40.80.0/24
Sep 17 11:45:42 srv postfix/smtpd[82884]: warning: Both smtpd_tls_chain_files and one or more of the legacy smtpd_tls_cert_file, smtpd_tls_eccert_file or smtpd_tls_dcert_file are non-empty; the legacy parameters will be ignored
Sep 17 11:45:42 srv postfix/smtpd[82881]: connect from unknown[66.132.153.127]
Sep 17 11:45:42 srv postfix/smtpd[82881]: warning: SASL: Connect to private/auth failed: No such file or directory
Sep 17 11:45:42 srv postfix/smtpd[82881]: fatal: no SASL authentication mechanisms
Sep 17 11:45:42 srv postfix/smtpd[82884]: warning: error opening chain file: /etc/ssl/private/ssl-cert-snakeoil.key: No such file or directory
Sep 17 11:45:42 srv postfix/smtpd[82885]: warning: /etc/postfix/main.cf, line 43: overriding earlier entry: mynetworks=10.40.80.0/24
Sep 17 11:45:42 srv postfix/smtpd[82885]: warning: Both smtpd_tls_chain_files and one or more of the legacy smtpd_tls_cert_file, smtpd_tls_eccert_file

aaPanel_Kern

This file will be automatically generated when multiple domain names are deployed

aaP_ilkaykaradam

Which file ? Sankeoil? There s no snakeoil cert

aaPanel_Kern

Hi, can you give us your aapanel information? The server makes a snapshot backup first, if possible, please send it to kern@aapanel.com.
It is recommended to fill in the following
Post link:
SSH IP address, account password and port:
aapanel login link address and account password:
Detailed problem description:

No post link will not be able to know which user's information is, and the problem will not be processed

aaP_ilkaykaradam

aaP_sophiajons8

I actually ran into the exact same issue recently, so here’s what worked for me:

The problem was that aaPanel only uses one global mail SSL certificate for the whole server. Even though I had multiple SSL mail certs created for different domains, Gmail was still seeing the old/expired one from the main /www/server/panel/plugin/mail_sys/cert/ folder.

What I did was:

Backed up the fullchain.pem and privkey.pem in /www/server/panel/plugin/mail_sys/cert/.

Copied the same files from the subfolder of the domain I actually wanted to use (inside the mail_sys folder).

Restarted the mail service.

After that, Gmail started recognizing the correct SSL certificate and I was able to send mail over port 587 without any errors.

Hopefully this saves someone a few hours of debugging — it’s a simple fix once you know where to look!