
Thread: SSL access to POP3 / IMAP / SMTP

  1. #1
    Member Silent Ninja's Avatar
    Join Date
    Apr 2006
    Location
    Buenos Aires, Argentina
    Posts
    190

    SSL access to POP3 / IMAP / SMTP

    Hello,

    One of our customers wants to buy a Dedicated IP and an SSL certificate for his site. Although he asked me if his SSL certificate will also validate his FTP / POP3 / IMAP / SMTP services (using his dedicated IP) or if he will still see the "this secure connection is not secure" label because of the self-signed SSL certificate that cPanel creates for those services?
    Silent Ninja
    "Practice Makes Perfect"

  2. #2
    Member
    Join Date
    May 2008
    Posts
    1,203


    The SSL certificate is also valid for FTP/SMTP/IMAP/POP3 using a dedicated IP address.
    AccuWebHosting.Com | CPanel Hosting Provider Since 2003
    Cloud Powered Hosting | CPanel VPS
    Trusted by 20,000+ Clients Worldwide

  3. #3
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,562
    cPanel/WHM Access Level

    DataCenter Provider


    In order to set up a (paid) SSL certificate for system services like FTP, SMTP (Exim), POP3/IMAP (Courier/Dovecot), and cPanel/WHM and Webmail (SSL ports 2083, 2087, 2096), it is necessary to install the new certificate for each service using the WHM control panel (e.g., via root access).

    Please note that changing the SSL certificate for system services will apply server-wide, to all users, and not just a single user with a dedicated IP address. It is also important to ensure the client connects to each service using the same domain as the SSL certificate; if using a different domain that does not match the SSL certificate the connection can still be secured but the user may experience or see a "domain mismatch" warning when connecting.

    Here is the menu path in WHM for where the service SSL certificates can be updated or reset:
    WHM: Main >> Service Configuration >> Manage Service SSL Certificates

    Related documentation:
    ManageSslcerts < AllDocumentation/WHMDocs < TWiki

  4. #4
    Member
    Join Date
    Feb 2004
    Posts
    123


    Would it be technically possible to use an internal proxy to map IMAP/SMTP/POP3/Webmail through the SSL cert of a customer account?

    The problem of a self-signed SSL certificate, or of telling the customer not to use their own domain to access Mail/Webmail via SSL/TLS, is still an issue.

  5. #5
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,562
    cPanel/WHM Access Level

    DataCenter Provider


    Quote Originally Posted by lorio View Post
    Would it be technically possible to use an internal proxy to map IMAP/SMTP/POP3/Webmail through the SSL cert of a customer account?
    The closest match is our proxy domains access feature that can be enabled via the Tweak Settings page in WHM:
    WHM: Main >> Server Configuration >> Tweak Settings >> Domains
    * Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)

    By default your Apache build should already have mod_proxy and mod_rewrite, but if one is missing like mod_proxy, you may use EasyApache to recompile and enable mod_proxy in the Exhaustive options list.

    Here is a command-line method to check if both mod_proxy and mod_rewrite are compiled-in to your Apache installation:
    Code:
    # /usr/local/apache/bin/httpd -l | grep -i "proxy\|rewrite"
    If mod_proxy and mod_rewrite are available, you may see output like the following (tested against Apache/httpd version 2.2):
    Code:
    mod_proxy.c
    mod_proxy_connect.c
    mod_proxy_ftp.c
    mod_proxy_http.c
    mod_proxy_scgi.c
    mod_proxy_ajp.c
    mod_proxy_balancer.c
    mod_rewrite.c

    Quote Originally Posted by lorio View Post
    The problem of a self-signed SSL certificate, or of telling the customer not to use their own domain to access Mail/Webmail via SSL/TLS, is still an issue.
    SSL warnings about a self-signed certificate can be resolved by purchasing an SSL certificate, or, if purchasing is not desired, it may also be resolved by suggesting the user add an exception in their browser or e-mail client to manually trust the known (self-signed) SSL certificate.

    SSL warnings about a domain mismatch could be handled by trying to educate new users about which domain they should use for SSL connectivity, and/or by suggesting the user add an exception in their browser or e-mail client where the known SSL certificate can be manually trusted.

  6. #6
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Apr 2003
    Location
    Houston, TX
    Posts
    396
    cPanel/WHM Access Level

    Root Administrator


    Pretty sure he meant to find out if there is any way to have each dedicated IP site (which has a valid SSL) use their own SSL for secure FTP/IMAP/POP3/SMTP instead of all using the server wide SSL.

    I don't know of any way to accomplish it but it would certainly be a welcome ability.

  7. #7
    Member
    Join Date
    Feb 2004
    Posts
    123


    Quote Originally Posted by DomineauX View Post
    Pretty sure he meant to find out if there is any way to have each dedicated IP site (which has a valid SSL) use their own SSL for secure FTP/IMAP/POP3/SMTP instead of all using the server wide SSL.
    Yes, that was what I meant. Thanks for pointing that out.


    I could also think of just aggregating customer accounts from different servers via one webmail portal. You register one domain, e.g. CustomersMails.com, and all customers (on different servers) access Webmail/POP/SMTP/IMAP through that domain.

    Thanks cPanelDon, for taking the time to read and answer. And educating customers is an interesting concept. I think customer support of cPanel can tell us nice stories too ;-)

  8. #8
    Member
    Join Date
    Oct 2005
    Posts
    136


    The problem with that is that the certificate would be for the domain, such as domain.com. It would be invalid for ftp.domain.com or mail.domain.com.

    You could instruct your customers to use domain.com and the smtp and pop3 server for a valid ssl domain, but that is also a bit confusing to customers who expect it to be in mail.domain.com format.

    Easiest way around it is to get an SSL for pop3/Imap under the server name, such as server.domainname.com and instruct users to use that for ftp, IMAP and POP3. I've been using this technique and it hasn't been a problem.

  9. #9
    Member
    Join Date
    May 2007
    Posts
    114


    If a customer with a dedicated IP address also got a wildcard SSL, couldn't that be set up for POP/IMAP/FTP for that domain through WHM or cPanel?

    Or, would the service SSL certs still be separate and apply only server-wide to all customers?

    Update: I didn't notice cPanelDon's post that SSL for services apply only server wide.
    Last edited by meeven; 11-14-2009 at 12:44 AM. Reason: update

  10. #10
    cPanel Quality Assurance Analyst cPanelDon's Avatar
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,562
    cPanel/WHM Access Level

    DataCenter Provider


    Quote Originally Posted by meeven View Post
    If a customer with a dedicated IP address also got a wildcard SSL, couldn't that be set up for POP/IMAP/FTP for that domain through WHM or cPanel?

    Or, would the service SSL certs still be separate and apply only server-wide to all customers?

    Update: I didn't notice cPanelDon's post that SSL for services apply only server wide.
    You're correct as noted in the update. To help clarify and reiterate, SSL certificates for services apply server-wide to all users; this includes services like FTP (Pure-FTPd or ProFTPd), POP and IMAP (Courier or Dovecot), SMTP (Exim), and cPanel/WHM/Webmail/WebDisk.
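
Added example (not part of any post in this thread and not cPanel code): because the service certificate is server-wide, every customer's mail or FTP client compares that one certificate against whatever hostname the customer typed. The sketch below applies simplified RFC 6125 matching (exact names and a whole-label leftmost wildcard only, which is an assumption about client behaviour) to the hostnames used as examples in the thread; all certificate name lists are constructed.

```python
# Added example: simplified RFC 6125 hostname matching, as a TLS client applies it.
# Certificate name lists and hostnames are constructed sample data.

def name_matches(pattern: str, host: str) -> bool:
    """True if one certificate name (exact or wildcard) covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never zero or two
    if p_labels[0] == "*":
        # Wildcard must be the whole leftmost label and leave at least two
        # fixed labels ("*.com" is refused); the host label must be non-empty.
        if len(p_labels) < 3 or not h_labels[0]:
            return False
        return p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "f*.domain.com" are treated as literals here.
    return p_labels == h_labels


def check_hosts(cert_names, client_hosts):
    """Map each hostname a client might configure to 'ok' or 'domain mismatch'."""
    return {
        host: "ok" if any(name_matches(n, host) for n in cert_names)
        else "domain mismatch"
        for host in client_hosts
    }


# Hostnames customers tend to enter in their mail/FTP client settings.
CLIENT_HOSTS = ["domain.com", "mail.domain.com", "ftp.domain.com",
                "server.domainname.com"]

# Candidate certificates for the server-wide service slot (constructed).
SCENARIOS = {
    "customer cert for domain.com": ["domain.com"],
    "wildcard cert": ["*.domain.com"],
    "wildcard plus bare domain": ["*.domain.com", "domain.com"],
    "server hostname cert": ["server.domainname.com"],
}

if __name__ == "__main__":
    for label, names in SCENARIOS.items():
        print(label)
        for host, verdict in check_hosts(names, CLIENT_HOSTS).items():
            print(f"  {host:24} {verdict}")
```

A wildcard for `*.domain.com` covers `mail.domain.com` and `ftp.domain.com` but not the bare `domain.com`, and none of the per-customer certificates cover the server hostname that other customers on the same machine would use.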
