"Self-signed certificate" or SSL/TLS errors

SSL/TLS certificate errors are among the most common connection issues. Here is a comprehensive guide to diagnosing and fixing them:

Error: 'Self-signed certificate' or 'DEPTH_ZERO_SELF_SIGNED_CERT'
This means your mail server uses a certificate that is not issued by a trusted Certificate Authority (CA). Common with self-hosted mail servers, Plesk, cPanel, or shared hosting.

Solutions (try in order):

  1. Check port and security match — This is the #1 cause. Port 465 requires SSL. Port 587 requires STARTTLS. They are NOT interchangeable. Using the wrong combination produces certificate errors.
  2. Use your provider's official SMTP/IMAP hostnames — Do not use your domain name (e.g., mail.yourdomain.com) if your provider has official hostnames. For example, Hostinger users should use smtp.hostinger.com, not mail.yourdomain.com.
  3. Check with your hosting provider — If you use shared hosting (Hostinger, Bluehost, GoDaddy, Namecheap, SiteGround), your mail server's SSL certificate may be on a different hostname. Ask your host for the correct SMTP and IMAP hostnames that match their SSL certificate.
  4. Verify the certificate is not expired — Expired certificates cause 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' errors. Contact your hosting provider to renew the SSL certificate on your mail server.
  5. If self-hosted (VPS, dedicated server) — Install a valid SSL certificate from Let's Encrypt (free) or another CA on your mail server. Most mail servers (Postfix, Dovecot, hMailServer) support Let's Encrypt certificates.
  6. Check for hostname mismatch — The SSL certificate's Common Name (CN) or Subject Alternative Names (SAN) must match the hostname you are connecting to. If your certificate is for 'mail.hostingprovider.com' but you are connecting to 'mail.yourdomain.com', you will get ERR_TLS_CERT_ALTNAME_INVALID.
  7. Use the hosting provider's shared hostname — Many shared hosts have a hostname like 'server123.hostingprovider.com' that matches their SSL certificate. Use that instead of your custom domain.
  8. Ask your provider to add your domain to the certificate — Some providers can add your domain as a SAN entry to their mail server's SSL certificate.

Error: 'STARTTLS not supported'
The server does not support STARTTLS on the port you chose. Switch to port 465 with SSL, or confirm your provider supports STARTTLS on port 587.

Error: 'Wrong version number' or 'SSL routines'
You are using SSL on a STARTTLS port or vice versa. Port 587 = STARTTLS. Port 465 = SSL. Switch accordingly.

Still Not Working?
• Try connecting from a different network (some corporate firewalls block SMTP ports).
• Temporarily try port 25 if available (unencrypted, not recommended for production).
• Contact your email hosting provider's support team and ask them for the exact SMTP host, port, and security settings that work with third-party applications.
• As a last resort, consider migrating to a provider with proper SSL support (Gmail, Outlook, Zoho, Fastmail all have valid certificates).

Note: WarmySender requires a valid SSL certificate for secure email delivery. Self-signed certificates are accepted for connection but may cause intermittent issues. We strongly recommend using a properly signed certificate.

Back to all documentation | Contact support