Hey,
I just spent about two hours trying to research how to force SSL on mailman on a cPanel server.
Anyone know if this is possible?
Thanks
You need to install the SSL certificate on the services as well, which you can do from WHM >> Service Configuration >> Manage Service SSL Certificates.
Not sure if it will work on mailman as expected, but that's the way to install SSL on the services. BTW, make sure you have purchased the SSL certificate for the hostname instead of using a domain's SSL certificate.
Unfortunately, from what I can see, there is no way to force mailman to run over https. I first looked at the services; however, mailman is running over the domain name and loads without issue with https://domain/mailman, but by default it goes through http.
Thank you for the advice though
This is urgently needed as some PCI scanning "authorities" are flagging MailMan accepting logins over HTTP as high risk which prevents PCI compliance.
The following is an example alert:
"The remote host appears to allow logins over unencrypted (HTTP) connections. This means that a user's login information is sent over the internet in clear text. An attacker may be able to uncover login names and passwords by sniffing network traffic."
Can anyone please provide a method to force HTTPS for MailMan server-wide or per site?
Tony Kammerer - Senior Admin, United Communications Ltd.
Proudly hosting over 50,000 customer websites since 1998!
Our lively customer community with over 70,000 posts!
Hi,
did you find a solution for this? I'm getting the exact same problem.
Tx
An internal case for this issue has been submitted to our developers. While there is no timeframe for when this behavior may be changed, we do recognize that this causes issues with PCI scans, and development will consider the best way to provide a fix to this.
-- Jared Ryan, Technical Analyst, cPanel Technical Support
Unfortunately for now we have had to use a custom addition like:
/usr/local/apache/conf/userdata/std/2/username/domain.tld/mailman.conf:
ScriptAlias /mailman/ /home/username/public_html/index.cgi
This just forces a page not found (404) error for attempts to visit domain.tld/mailman
Tony Kammerer - Senior Admin, United Communications Ltd.
How do you do that for the entire server, not just one user account?
I'm still learning cPanel and Linux in general.
However, it is the last step I need to secure for PCI compliance serverwide.
I don't see much use in the mailman URL, so disabling it may be the best option.
Last edited by cwalke32477; 09-21-2010 at 01:40 PM.
I would consider using a custom Apache ".htaccess" file to redirect non-SSL HTTP requests to HTTPS (via SSL); please be aware this requires the domain or host address entered in the requested URL for mailman to have an installed SSL certificate. The following steps may be used to set up the aforementioned .htaccess file via root SSH access:
- Create a custom .htaccess file for Mailman, as seen below:
Code:
# touch /usr/local/cpanel/3rdparty/mailman/cgi-bin/.htaccess
# chown -vv mailman:mailman /usr/local/cpanel/3rdparty/mailman/cgi-bin/.htaccess
- Enter the following contents into the custom .htaccess file:
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Please keep in mind that if mailman is forcefully reinstalled you may also need to re-add the custom .htaccess file.
-- Donald cPanelDon Holl - Analyst, cPanel Quality Assurance
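A way to confirm the result from a shell, added here as an example and not part of any post in this thread: the function classifies the headers returned by `curl -sI http://domain.tld/mailman/`, so both the .htaccess redirect and the 404 approach described earlier can be checked. The function names, verdict strings and sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: verdict names and sample responses are constructed.
# Reads raw HTTP response headers on stdin and prints one verdict:
#   REDIRECT_HTTPS  3xx whose Location is https:// (redirect rule is active)
#   BLOCKED         403/404 (URL disabled, no login form served)
#   CLEARTEXT       anything else, e.g. 200 or a redirect to http://
#   NO_RESPONSE     no status line received
classify_mailman_http() {
    awk '
        NR == 1 { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END {
            sub(/\r$/, "", status)   # curl keeps the CR of each CRLF
            sub(/\r$/, "", loc)
            is_redirect = (status ~ /^30[1278]$/)
            to_https = (tolower(loc) ~ /^https:\/\//)
            if (status == "") print "NO_RESPONSE"
            else if (is_redirect && to_https) print "REDIRECT_HTTPS"
            else if (status == "403" || status == "404") print "BLOCKED"
            else print "CLEARTEXT"
        }'
}

# Live use (needs network access): check_mailman_http domain.tld
check_mailman_http() {
    curl -sI --max-time 10 "http://$1/mailman/" | classify_mailman_http
}

# Offline demo over constructed responses for the plain-HTTP URL.
demo() {
    printf 'redirect rule in place: '
    printf 'HTTP/1.1 302 Found\r\nLocation: https://domain.tld/mailman/\r\n\r\n' |
        classify_mailman_http
    printf 'ScriptAlias 404 block:  '
    printf 'HTTP/1.1 404 Not Found\r\n\r\n' | classify_mailman_http
    printf 'default behaviour:      '
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' |
        classify_mailman_http
}

demo
```

Run `check_mailman_http` once for a domain with its own certificate and once for one without, since a REDIRECT_HTTPS verdict only shows that the redirect is issued, not that the HTTPS side presents a valid certificate.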
Thanks Don, that sounds like a better solution.
Anyone who tries it, please confirm if it works well for sites with and without their own SSL.
Tony Kammerer - Senior Admin, United Communications Ltd.
I'll be trying it tomorrow afternoon. It's too late for me now, but I will keep you posted.
Great suggestions thanks
I have revised the thread title and relocated the discussion topic so that it is organized along with all other Feature Requests for cPanel and WHM.
-- Donald cPanelDon Holl - Analyst, cPanel Quality Assurance
For reference and tracking purposes, this request was assigned case number 39553; this case ID number may be used in the official cPanel/WHM change log to help identify the specific feature request in future updates.
-- Donald cPanelDon Holl - Analyst, cPanel Quality Assurance
One year ago, cPanelJared wrote in this thread:
An internal case for this issue has been submitted to our developers. While there is no timeframe for when this behavior may be changed, we do recognize that this causes issues with PCI scans, and development will consider the best way to provide a fix to this.
Has the feature been added to cPanel, or will it be added soon?
This feature has not yet been implemented. You can review any cases in our changelog at Change Logs to see if they have been incorporated into cPanel for your version. You can obtain your existing version by running the following command:
Code:
cat /usr/local/cpanel/version
Additionally, the latest versions for each tier can be viewed at Downloads - cPanel Inc.
-- Tristan, Forums Technical Analyst, cPanel Tech Support