Yeah, we got bitten by this one at work last week (actually started noticing problems around Wednesday or Thursday of the previous week, but only resolved it last week). We had some users within the department who wanted to manage their CS e-mail via Gmail, and had set up their Gmail to send out via our SMTP server, which had worked fine until Google unilaterally decided on this new restriction, which most likely violates several standards.
Since we control reverse DNS on our domain, I was able to fudge things up to get Google to accept our cert (a legitimate cert, issued by Globalsign, that has multiple generic aliases in the SAN list, but intentionally avoided the canonical host name, since these generic aliases should be allowed to migrate to different physical servers, transparently). I found out that you can have multiple PTR records on one IP address, which is completely legal in DNS, but not usually considered good practice (or so I thought). Of course, this second PTR record caused some things to fail in a non-deterministic way, since lookups on the IP address gave the PTR records in pseudo-random order, causing code that only looked at the first answer to get inconsistent results. Grrr!
Thanks, Google, for once again messing with standards, and forcing everyone else to bend to your will!
Gilbert
On 2020-04-18 3:14 p.m., Hartmut W Sager wrote:
Gmail is sure piling up its problems like never before in my 8-10 years of using it. In addition to the other issues of the last two months, we now have:
The recent intermittent Gmail problem in sending from your own SMTP server (if you don't want your "send from" address at your own domain name to be an "alias" of your Gmail address) has now become an "always happens" problem. Here's the failure message you get from Gmail:
Message not delivered

You're sending this from a different address or alias using the 'Send mail as' feature. The settings for your 'Send mail as' account are misconfigured or out of date. Check those settings and try resending. TLS Negotiation failed, the certificate doesn't match the host.

After much experimenting and Internet research, I found the answer buried in Gmail support forums - an answer from a smart user, not from Google. In my case, since I use Tucows/OpenSRS for my SMTP server, the chain is smtp-1.marityme.com [cname] --> smtp.marityme.com.cust.a.hostedemail.com --> 216.40.42.5 --> [RDNS] mail.hostedemail.com
Tucows/OpenSRS specifies the server *smtp.marityme.com.cust.a.hostedemail.com*, which I cname to for convenience and elegance, and that resolves to *216.40.42.5*, whose RDNS lookup gives *mail.hostedemail.com*. Now, unlike before, Gmail expects me to give *mail.hostedemail.com* as the SMTP server in the "send from" configuration, and then the sending mechanism works again (at least yesterday and today, who knows about tomorrow).
The purpose of this post is to save other members days of headache trying to figure this one out.
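The two messages above describe the same check from two sides: Hartmut's fix is to use the name that reverse DNS returns for the SMTP server's address, because that is the name the server's certificate carries; Gilbert's workaround of adding a second PTR record then exposed code that only trusts the first PTR answer. The script below is an added example, not code from either poster or from Google, and it does not reproduce Google's actual logic. It models the selection a practitioner would want: follow the configured name through its CNAME chain to an address, gather every PTR record for that address, keep only the names that forward-confirm back to the same address and that the certificate's SAN list would match (with single-label wildcard rules), and pick deterministically so PTR answer order does not matter. All DNS records and the SAN list are constructed stand-ins (RFC 5737 addresses, .example names), so it runs offline.

```python
"""Choose a host name for Gmail's 'Send mail as' SMTP server setting.

Added example, not code from the thread or from Google: it models the
checks Gmail's error ("the certificate doesn't match the host") implies.
All DNS answers and the certificate SAN list below are constructed
stand-ins (RFC 5737 addresses, .example names), not real lookups.
"""

# Constructed forward DNS zone: name -> (record type, value).
FORWARD = {
    # A CNAME to the provider's per-customer name, as in Hartmut's setup.
    "smtp-1.example.net": ("CNAME", "smtp.example.net.cust.a.hosted.example"),
    "smtp.example.net.cust.a.hosted.example": ("A", "192.0.2.5"),
    "mail.hosted.example": ("A", "192.0.2.5"),
    # A PTR target whose forward record points somewhere else (stale alias).
    "alias.hosted.example": ("A", "192.0.2.99"),
}

# Constructed reverse DNS: two PTR records on one address, as in Gilbert's
# message; real resolvers return them in varying order.
REVERSE = {
    "192.0.2.5": ["alias.hosted.example", "mail.hosted.example"],
}

# Constructed SAN list of the SMTP server's certificate.
CERT_SANS = ["mail.hosted.example", "*.hosted.example"]


def resolve(name, forward=FORWARD, max_hops=8):
    """Follow CNAMEs to an A record; None on NXDOMAIN or a CNAME loop."""
    seen = set()
    for _ in range(max_hops):
        if name in seen or name not in forward:
            return None
        seen.add(name)
        rtype, value = forward[name]
        if rtype == "A":
            return value
        name = value  # CNAME: keep following
    return None


def hostname_matches(hostname, pattern):
    """RFC 6125-style match: exact, or a '*' covering exactly the leftmost
    label (so '*.hosted.example' does not match 'a.b.hosted.example')."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat) or "" in host:
        return False
    if pat[0] == "*":
        # Refuse wildcards that would cover a whole registrable domain.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_matches(hostname, sans=CERT_SANS):
    """True if any SAN entry matches the host name."""
    return any(hostname_matches(hostname, san) for san in sans)


def pick_send_as_host(configured_name, forward=FORWARD, reverse=REVERSE,
                      sans=CERT_SANS):
    """Return a host name the certificate will match for the server that
    `configured_name` points at, or None if there is none.

    PTR candidates are sorted and must forward-confirm (A record back to
    the same IP), so the answer does not depend on PTR answer order."""
    ip = resolve(configured_name, forward)
    if ip is None:
        return None
    if cert_matches(configured_name, sans):
        return configured_name  # what is configured already works
    for ptr in sorted(set(reverse.get(ip, []))):
        if resolve(ptr, forward) == ip and cert_matches(ptr, sans):
            return ptr
    return None


if __name__ == "__main__":
    for name in ("smtp-1.example.net", "mail.hosted.example", "nowhere.example"):
        print(f"{name} -> {pick_send_as_host(name)}")
```

Against the constructed data, the provider's per-customer name fails the wildcard because it has extra labels left of `hosted.example`, the stale alias is dropped because its forward record does not point back at the address, and `mail.hosted.example` is chosen whichever PTR the resolver happens to list first. Against a live server the same inputs come from `dig -x <ip>` for the PTR records and from `openssl s_client -starttls smtp -connect <host>:587` to read the certificate's SAN list.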