STARTTLS failure when setting up emails through Zoho CRM

Hi there,

I’m trying to set up an IMAP email address on Zoho CRM, but I keep getting a “STARTTLS failure”. This used to be a really simple task, but now the error keeps occurring.

After ensuring all the details I was using were correct, I first asked Zoho and they said my ports were closed and to contact my host to open them. I then went to my host and they said the ports in question were in fact open.

I read elsewhere that the issue can occur due to a mismatch in SSL certificates, so I tested the domain name (itcareerswitch.co.uk) and mail server sub domain mail.itcareerswitch.co.uk here: https://ssl-tools.net/mailservers/mail.itcareerswitch.co.uk

I sent those result to my host and they said that I needed to contact Cloudflare to gain “the SSL in .pfx format with password so we can try to Import on the server.”

Can anyone advise on how I would go about doing this (my knowledge is extremely limited in this area), or any other ideas of how I might resolve the error?

Many thanks.

You’re not able to export the private keys (.pfx) of certificates managed by Cloudflare - this includes Universal SSL and Advanced Certificate Manager.

https://mail.itcareerswitch.co.uk isn’t going through Cloudflare at all and goes to a Plesk page with no valid certificate.

Thanks for the quick response KianNH.

Do you think there could be an issue because itcareerswitch.co.uk and .itcareerswitch.co.uk use the Cloudflare SSL though? And there’s some sort of mismatch between those and mail.itcareerswitch.co.uk?

Sorry if that’s a really stupid question, or doesn’t make sense… I’m learning as I go a bit here.

I just read on this site Smtp: starttls failed - Here's how to fix it that the error can arise because of a “certificate mismatch”.

Thanks again.

mail.itcareerswitch.co.uk will use the same certificate as itcareerswitch.co.uk - since the certificate used on itcareerswitch.co.uk covers *.itcareerswitch.co.uk as well.

Are you saying that you had issues when the mail record in the dashboard had an orange cloud (was proxied through Cloudflare)?

Edit: as an aside, Cloudflare only proxies HTTP & HTTPS traffic. If mail.itcareerswitch.co.uk is your mailserver, IMAP/POP3/SMTP ports will not be available.

I have mail.itcareerswitch.co.uk set to ‘DNS only’ in the Cloudflare DNS settings page.

My email host said the following after I provided them with the SSL results, so I’m getting a bit confused as to who I need to speak to in regards to getting the issue resolved…

“If you have using any wildcard SSL on your server then kindly provide us in PFX format so we can install on it mail server.”

"As i can see that you have purchased the SSL certificate from the cloud fare . I request to you please contact to cloud fare and just confirm you have purchase the SSL for domains as Wildcard SSL or normal SSL.

If they updated as wildcard then please request to them provide the SSL for .pfx format with password so we can try to Import on the server."

Cloudflare’s SSL is free & managed transparently (from the user, i.e you) - but only for proxied records.

Since the mail.itcareerswitch.co.uk is DNS only, there’ll be no SSL from Cloudflare on that record. If you wanted SSL, you’d need to proxy that record and then provide your host with an ‘origin certificate’ that you generate in the dashboard. https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/

But of course, this depends on what traffic mail.itcareerswitch.co.uk needs to be able to receive.

as an aside, Cloudflare only proxies HTTP & HTTPS traffic. If mail.itcareerswitch.co.uk is your mailserver, IMAP/POP3/SMTP ports will not be available.

Thanks again KianNH, I really appreciate you taking the time to help.

mail.itcareerswitch.co.uk is the mailserver and is just used for the email hosting, so would you recommend that I should “proxy that record and then provide my host with an ‘origin certificate’ that I generate in the dashboard”? or do you think I should just go back to them and say that Cloudflare doesn’t proxy mail.itcareerswitch.co.uk?

If you do proxy that record, it can only receive HTTP & HTTPS traffic.

If it’s your actual mailserver, which needs to talk over SMTP/IMAP/POP3, look at Getting Started - Let's Encrypt to get a certificate onto it (without using Cloudflare) since there isn’t currently one (or if it’s hosted by the people you’ve been emailing, tell them that Cloudflare isn’t involved for that subdomain and get them to make one).

Ok, thank you.

It is indeed the mailserver and it’s hosted by the host I’ve been emailing.

So, last question before I go back to them… you think it’s the fact that mail.itcareerswitch.co.uk doesn’t have an SSL certificate that is causing the “STARTTLS failure” on Zoho?

Yes - visit https://mail.itcareerswitch.co.uk/ in a browser and you’ll get a certificate error. The current self-signed (and expired) certificate needs to be replaced with a trusted certificate.

➜  ~ curl https://mail.itcareerswitch.co.uk/ -vvv
*   Trying 185.4.176.93:443...
* Connected to mail.itcareerswitch.co.uk (185.4.176.93) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=xenodochial-lumiere.185-4-176-93.plesk.page
*  start date: Apr  4 06:38:15 2022 GMT
*  expire date: Jul  3 06:38:14 2022 GMT
*  subjectAltName does not match mail.itcareerswitch.co.uk
* SSL: no alternative certificate subject name matches target host name 'mail.itcareerswitch.co.uk'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'mail.itcareerswitch.co.uk'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Great, thanks so much for the advice.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.