When I try to add a mail account to iOS it says the certificate is not trusted and tries to use the certificate for the root domain A record (which is a web server). Is this something I can solve? I would prefer to connect without these 'untrusted' issues.
Check your reverse proxy (sounds like you use one) and your DNS.
This is neither a bug report nor a feature request, please don't just remove the issue template without reading it.
Sorry, I didn't see a template. So when I add an 'Exchange' account to my iOS device, where my mailcow server (mail.host.com) is a different server from my web server (host.com), that should be able to find the right certs? Only using the stock docker image, basically? Trying to iron out these settings before production use :)
I don't understand. Do you use a reverse proxy?
mailcow would not show "domain.tld" as certificate. Check your DNS and probably reverse proxy config.
no reverse proxy, just stock mailcow docker on a new ubuntu image.
When I go to add mail account on my iPhone, then select Exchange, then enter an email address, then push next, I get the popup "sign into your "domainA.tld" Exchange account using microsoft?" I select "Enter Manually" then enter a password. Then I get "Cannot Verify Server Identity". If I push "details" I get the Certificate for "domainB.tld" from let's encrypt saying "Not Trusted", where DomainB is another domain hosted by my domainA server (there is no website for DomainA at this time, just a blank unencrypted page where the domainA.tld A record points - a different server to my mailcow instance)
Another domain hosted by your mailcow server? That's not possible without a reverse proxy. Do you use non-default ports for HTTP and HTTPS?
Please check your DNS config, too. Something is not correctly configured. Maybe it tries autodiscover.domain.tld which redirects to your other domain and fails. Just run the DNS check.
thought it may have been autodiscover.domain.tld, will investigate further.
No, only mailcow on that server instance, but the root A record for my domain is pointing to a different server, which is my Apache web server. The mailcow docker instance installs Nginx, which is a reverse proxy? Not super familiar with Nginx as yet.
Nginx is primarily a web server like Apache. It handles just Mailcow's own stuff in this case.
So you have some machine on the root record of the domain, and an entirely different machine (with different IP) exclusively running Mailcow on a subdomain - right? That should be okay then and no problem.
Just make sure you have MAILCOW_HOSTNAME set to that subdomain in mailcow.conf. Also the DNS for that subdomain and autodiscover.domain must point to the IP of the Mailcow machine.
I ran into the same issue. I was getting an "untrusted certificate" every time I added my mailserver as an Exchange Account on an iOS device. It left me puzzled as mailcow is successfully creating the LE Cert and the mailserver (mail.domain.tld) and also all autodiscover.* hosts have a valid cert.
But what had a broken cert was the domain.tld webserver. This is hosted on a different machine and completely unrelated to the mailcow installation. But for some reason iOS checks the cert of the domain and not only the relevant subdomains.
So if you run into this. Besides checking your mailcow machine, you should check the TLS cert on the domain the mailserver is handling mail for.
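A small check for the situation described in this comment, added here as an example and not part of the thread or of mailcow: it lists the hosts an Exchange client may contact for a given domain (the mail host, `autodiscover.<domain>`, and the bare domain), fetches the SANs each one serves, and reports which of them present a certificate that does not name them. The domain names `domainA.tld` and `mail.domainA.tld` used below are assumptions, as is the hypothetical `live_diagnose` helper.

```python
import socket
import ssl


def exchange_hosts(domain, mail_host):
    """Hostnames an Exchange/ActiveSync client may contact for user@domain:
    the mailcow host, the autodiscover subdomain, and the bare domain
    (whose A record, as in the thread, may point at an unrelated web server)."""
    return [mail_host, f"autodiscover.{domain}", domain]


def san_matches(hostname, san_names):
    """True if one dNSName SAN covers hostname (exact, or single-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def diagnose(domain, mail_host, sans_by_host):
    """Return the hosts whose presented certificate does not name them.
    sans_by_host maps each probed hostname to its dNSName SANs, or to None
    when the chain failed verification or no TLS answer came back."""
    return [
        host
        for host in exchange_hosts(domain, mail_host)
        if not sans_by_host.get(host) or not san_matches(host, sans_by_host[host])
    ]


def fetch_sans(hostname, port=443, timeout=5):
    """Verify the chain against the system trust store but skip the hostname
    check, so a mismatched certificate is still returned for inspection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # the name check happens in diagnose()
    ctx.verify_mode = ssl.CERT_REQUIRED  # untrusted chains are still rejected
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError):
        return None
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def live_diagnose(domain, mail_host, port=443):
    """Probe every relevant host and report the ones an iOS client would balk at."""
    sans = {h: fetch_sans(h, port) for h in exchange_hosts(domain, mail_host)}
    return diagnose(domain, mail_host, sans)
```

Running `live_diagnose("domainA.tld", "mail.domainA.tld")` against a setup like the one in the thread returns `["domainA.tld"]`: the mailcow and autodiscover hosts pass, while the bare domain's web server hands back a certificate issued for another name.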
Thanks, that's good to know. :)
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.