Warning: Multiple TLS certificates available

Issue Description

I see this warning in the log:
Multiple TLS certificates available

All the apps I connect to Stalwart are not working, as they can't connect on either 465 or 993.

Stalwart Version

v0.16.x

Installation Method

Binary (Linux)

Database Backend

RocksDB

Blob Storage

S3-compatible

Search Engine

Internal

Directory Backend

Internal

[x] I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.

[x] I have searched this support forum (open and closed topics) and confirm this is not a duplicate.

[x] I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I'd prefer a human-only reply, I'll add the no-ai tag to my topic.

Let me look up information about this warning and TLS certificate configuration.

The tls.multiple-certificates-available warning fires when more than one certificate matches a connecting client that did not send an SNI value (or when SNI matching is ambiguous). The server cannot decide which certificate to serve, which can cause TLS handshake failures on ports 465 and 993.

Here is what to check and fix:

1. Set a default certificate

In the WebUI go to Settings > Network > General (the SystemSettings singleton) and set the defaultCertificateId field to point to the one certificate you want served to clients that connect without an SNI value. This is the most common cause of this warning.

2. Verify your certificates have non-overlapping SANs

Stalwart selects a certificate by matching the SNI hostname the client sends against each certificate’s Subject Alternative Names. If two certificates cover the same hostname, the server cannot break the tie and emits this warning. Check Settings > TLS > Certificates and make sure each domain only appears in one certificate record.

3. If you are using ACME, make sure defaultCertificateId points to one of the ACME-issued certificates

The ACME provider has no built-in “default” flag; you must explicitly wire it through defaultCertificateId on SystemSettings.

Docs reference: TLS Certificates and TLS Overview.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.

I have set a default certificate, but how do I make sure each domain uses its own certificate?

I get "Blocked IP address" in the log when I try to connect an app using the SMTP details.

That warning means a client connected without matching any certificate (no SNI match, no wildcard, and no default set), so the server fell back to serving an arbitrary one, and a name-mismatched cert is exactly what makes mail clients refuse the connection on 465/993. Setting a default certificate is the right fix; with that in place, per-domain certificates are then selected automatically by SNI as long as each one is uploaded (the hostnames are read from the certificate's own SAN list; you don't assign them per domain manually).

The “Blocked IP address” is the auto-ban kicking in: repeated failed logins from that IP (often the cert failure causing the client to retry and fail) tripped the limit. Clear it under Settings, Security (blocked IPs) once the cert is sorted, and the connections should go through. If you need to, you can tune authBanRate / authBanPeriod there too.
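An added example illustrating the selection and overlap rules described in the two replies above (exact SAN match, wildcard, then the default for clients that send no SNI). This is illustration code written for this page, not Stalwart's own certificate-selection logic; the ordering exact match > wildcard > default is an assumption, and the record ids and hostnames are constructed. The last function is a live probe you can point at your own server to see which certificate it actually serves with and without SNI:

```python
"""Model of SNI certificate selection, a SAN overlap check, and a live probe.
Added example for this thread; not Stalwart's implementation."""
import dataclasses
import socket
import ssl


@dataclasses.dataclass
class CertRecord:
    """One uploaded certificate: an id, the DNS names in its SAN list, and
    whether it is flagged as the default for clients that send no SNI."""
    id: str
    subjects: list
    default: bool = False


def hostname_matches(pattern: str, hostname: str) -> bool:
    """SAN matching as clients do it: exact match, or a '*.' wildcard that
    covers exactly one label and never the apex domain itself."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # e.g. ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    return left != "" and "." not in left


def select_certificate(certs, sni):
    """Return (cert_id, reason). Exact SAN matches win over wildcard matches;
    a default breaks ties; otherwise the choice is ambiguous, which is the
    situation a 'multiple certificates available' warning reports.
    (Assumed selection order, not Stalwart's code.)"""
    matched = []
    if sni:
        matched = [c for c in certs
                   if any(s.lower() == sni.lower() for s in c.subjects)]
        if not matched:                        # fall back to wildcards
            matched = [c for c in certs
                       if any(hostname_matches(s, sni) for s in c.subjects)]
    if matched:
        if len(matched) == 1:
            return matched[0].id, "sni-match"
        candidates = matched
    else:                                      # no SNI, or nothing matched
        if len(certs) == 1:
            return certs[0].id, "only-certificate"
        candidates = list(certs)
    defaults = [c for c in candidates if c.default]
    if len(defaults) == 1:
        return defaults[0].id, "default"
    return None, "ambiguous"


def find_overlaps(certs):
    """Map every hostname covered by more than one certificate to the ids
    that cover it; a wildcard counts as covering the concrete names listed
    in other records. Non-empty output means SNI ties are possible."""
    overlaps = {}
    for name in {s for c in certs for s in c.subjects}:
        owners = [c.id for c in certs
                  if any(s.lower() == name.lower()
                         or (not name.startswith("*.") and hostname_matches(s, name))
                         for s in c.subjects)]
        if len(owners) > 1:
            overlaps[name] = owners
    return overlaps


def served_san_names(host, port, sni=None, timeout=5.0):
    """Connect with implicit TLS (as on 465/993), sending the given SNI or
    none at all, and return the DNS names in the served certificate's SAN
    list. The chain is still verified against the system trust store, so a
    self-signed certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                 # we compare names ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


# Constructed records mirroring the thread: an ACME certificate for the mail
# host plus two per-domain certificates, with no default set.
SAMPLE_CERTS = [
    CertRecord("acme-mail", ["mail.example.net"]),
    CertRecord("domain-a", ["example.com", "*.example.com"]),
    CertRecord("domain-b", ["mail.example.com", "example.org"]),
]
# The same records after marking the ACME certificate as the default.
FIXED_CERTS = [dataclasses.replace(SAMPLE_CERTS[0], default=True)] + SAMPLE_CERTS[1:]

if __name__ == "__main__":
    print("no SNI, no default:", select_certificate(SAMPLE_CERTS, None))
    print("no SNI, default set:", select_certificate(FIXED_CERTS, None))
    print("SNI mail.example.com:", select_certificate(FIXED_CERTS, "mail.example.com"))
    print("overlapping names:", find_overlaps(FIXED_CERTS))
    # Live check against your own server, e.g.:
    # print(served_san_names("mail.example.net", 993, sni="mail.example.net"))
    # print(served_san_names("mail.example.net", 993))   # what no-SNI clients get
```

Running the model on the constructed records shows the two failure modes from the thread: with no SNI and no default the selection is ambiguous, and `mail.example.com` is covered by both `domain-a` (via its wildcard) and `domain-b`, which is exactly the overlap the bot reply's step 2 tells you to remove. The probe compares a client that sends SNI with one that does not; if the no-SNI call returns names that do not include the hostname your mail clients use, that is the name mismatch behind the 465/993 failures.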

I solved this by using manual certificates