  1. #1
    Member netwrkr's Avatar
    Join Date
    Apr 2003
    Posts
    203

    IMAP / POP3 / SMTP via SSL

    I just replaced the default cPanel SSL self signed cert with a trusted geo cert. Now when I grab email via imap/s or pop3/s it doesn't annoy me with a 'this is not a trusted certificate' blah warning. However, when I send mail that message appears -- for some reason smtp/s is still using the self signed cPanel created certificate.

    Seems like a bug. Anyone else seen this?

    TP


  2. #2
    Member netwrkr's Avatar
    Join Date
    Apr 2003
    Posts
    203


    heh

    update /etc/exim.crt and /etc/exim.key with the same certificate you use for your webserver.


  3. #3
    Member
    Join Date
    Jan 2003
    Posts
    17


    Are you able to send/receive email using the cert for your webserver which is the name of the server or the secure site?

  4. #4
    Member
    Join Date
    Jun 2002
    Posts
    198


    We did all of that, but we are still getting the error on SMTP...

    any ideas ?
    The Root, The Root, The Root is on FIRE !!!

  5. #5
    Member
    Join Date
    Aug 2003
    Posts
    46


    I updated the exim.crt and exim.key files, chown'd them to mailnull, chgrp'd them to mail, chmod'd them to 600, and restarted exim - Yet I am still getting the error, "terminated in a root certificate which is not trusted by the trust provider."

    What else might I try? POP3 SSL works fine.

  6. #6
    Member
    Join Date
    Jul 2003
    Posts
    13


    Update /usr/local/cpanel/etc/cpanel.pem

  7. #7
    Member
    Join Date
    Jun 2002
    Posts
    198


    Sorry, I still get the error...

    I copied my key and crt files /etc/exim.crt and /etc/exim.key into a blank cpanel.pem so that the values are replaced with my own.

    I restarted exim and CPpop, but I still get the error...
    The Root, The Root, The Root is on FIRE !!!

  8. #8
    Member
    Join Date
    Oct 2002
    Posts
    751


    Originally posted by netwrkr

    update /etc/exim.crt and /etc/exim.key with the same certificate you use for your webserver.
    I've never been able to get rid of the warning.

    Updating /etc/exim.crt and /etc/exim.key with the server crt and key doesn't make any difference.

    Do we have to do something with the CA bundle?

    I hope someone will come forward with a definite solution
    Last edited by jamesbond; 12-08-2003 at 04:45 PM.

  9. #9
    Member
    Join Date
    Aug 2003
    Posts
    46


    Below are the responses I got from cPanel technical support (Darren). In short, he says that each of my clients would have to install the CA bundle for my InstantSSL/Comodo SSL certificate in their mail client software to avoid the error. I don't even think you can do that with Outlook Express. I know of other providers who work fine with SSL SMTP - no errors, however they are using a Thawte SSL cert. My theory is that it has to do with the SSL company -- is yours InstantSSL or Thawte or another? Thanks!

    Here are the responses from Darren:

    Response #1:

    Hello,

    Is the CA for your cert set up in your mail client? It looks like an InstantSSL/Comodo chained cert which may need you to explicitly set the certificate authority up in your mail clients.

    root@host [~]# openssl s_client -connect 64.191.119.150:465
    CONNECTED(00000003)
    depth=0 /C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    i:/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA
    ---
    ...
    subject=/C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    issuer=/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1468 bytes and written 314 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
    Server public key is 1024 bit
    SSL-Session:
    Protocol : TLSv1
    Cipher : DES-CBC3-SHA
    Session-ID: C40F7FA2F4A343948B602AAA4A359FA36A435E3393481D97BC9FE005CD09DDC0
    Session-ID-ctx:
    Master-Key: 72101C3B00C2296C52585D2D1B2D95F1B7039AC95E730BE6D6AE7153ACB679C7EEDB2742D3D229157180905E7888E0D4
    Key-Arg : None
    Start Time: 1070060831
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    ---
    220-z.peruda.com ESMTP Exim 4.24 #1 Fri, 28 Nov 2003 15:07:18 -0800
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.


    I'm not aware of a CA file for Exim like Apache has (the CA bundle that can be sent to a client automatically to let SSL clients know who to ask). Does it still give you the error if the CA bundle from Comodo has been added to the client's CA list?

    Thanks,
    Darren



    --------------------------------------------------------
    Response #2:

    Hello,

    POPS (995) is cppop wrapped by stunnel, whereas SMTPS (465) is directly handled by exim.

    : openssl s_client -connect 64.191.119.150:995
    CONNECTED(00000005)
    depth=2 /C=US/O=GTE Corporation/CN=GTE CyberTrust Root
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
    0 s:/C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    i:/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA
    1 s:/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA
    i:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
    2 s:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
    i:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root


    Stunnel can handle sending a CA bundle as defined in the stunnel config file.

    Thanks,
    Darren
    --

    ----- Original Message -----
    From: John Hoover
    To: Eric G.
    Sent: Friday, November 28, 2003 8:18 PM
    Subject: Re: [cPanel tickets ID# 30092]


    Thanks to Darren very much for the reply -- I just have one question. Perhaps I'm missing something, but why would we have to configure the cert's CA in the mail client, when it works fine with SSL POP3 (port 995)? Internet Explorer accepts the CA without questions, as does Outlook/Outlook Express with POP3/995 - It's only with SMTP/465 that it questions the certificate's authority.

    Thanks again.
    John Hoover
    Peruda Networks LLC
    john@peruda.com
    www.peruda.com
    1.877.7.PERUDA
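
An added example, not part of the thread or of cPanel's code: a Python parser for the `Certificate chain` section of `openssl s_client` output, run over the port 465 and port 995 chains quoted in the post above, that lists every issuer the server did not send a certificate for. The function names are assumptions of this example.

```python
import re

# Distinguished names copied from the s_client transcripts in the post above.
LEAF = ("/C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293"
        "/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com")
INTER = ("/C=GB/O=Comodo Limited/OU=Comodo Trust Network"
         "/OU=Terms and Conditions of use: http://www.comodo.net/repository"
         "/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA")
ROOT = "/C=US/O=GTE Corporation/CN=GTE CyberTrust Root"

# "Certificate chain" sections as each port presented them (465 = Exim, 995 = stunnel).
SMTPS_465 = f"---\nCertificate chain\n 0 s:{LEAF}\n   i:{INTER}\n---\n"
POPS_995 = (f"---\nCertificate chain\n 0 s:{LEAF}\n   i:{INTER}\n"
            f" 1 s:{INTER}\n   i:{ROOT}\n 2 s:{ROOT}\n   i:{ROOT}\n")


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certs."""
    chain, in_section, subject = [], False, None
    for line in text.splitlines():
        s = line.strip()
        if s == "Certificate chain":
            in_section = True
        elif in_section and s.startswith("---"):
            break  # end of the chain section
        elif in_section:
            m = re.match(r"\d+\s+s:(.*)", s)
            if m:
                subject = m.group(1)
            elif s.startswith("i:") and subject is not None:
                chain.append((subject, s[2:]))
                subject = None
    return chain


def unsent_issuers(chain):
    """Issuers named in the chain whose own certificate the server did not send.
    The client can only validate if each of these is already in its trust store."""
    subjects = {subj for subj, _ in chain}
    missing = []
    for _, issuer in chain:
        if issuer not in subjects and issuer not in missing:
            missing.append(issuer)
    return missing


if __name__ == "__main__":
    for name, out in (("465", SMTPS_465), ("995", POPS_995)):
        chain = parse_chain(out)
        print(name, len(chain), "cert(s) sent; unsent issuers:", unsent_issuers(chain))
```

On the port 465 chain the only unsent issuer is the Comodo intermediate, which matches the `unable to get local issuer certificate` error in the transcript; on port 995 stunnel sends the intermediate and root, so nothing is left for the client to supply.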

  10. #10
    Member casey's Avatar
    Join Date
    Jan 2003
    Location
    If there is trouble, it will find me
    Posts
    2,336


    Darren's right. It doesn't work with Comodo certs. I have tried it on multiple computers. It does not work even if you install the cert on the local computer. Your best bet is to use Geotrust (from ev1servers for $25) instead. I can verify that those certs work. Plus Comodo customer service sucks.

  11. #11
    Member
    Join Date
    Oct 2002
    Posts
    751


    Originally posted by casey
    Darren's right. It doesn't work with Comodo certs. I have tried it on multiple computers. It does not work even if you install the cert on the local computer. Your best bet is to use Geotrust (from ev1servers for $25) instead. I can verify that those certs work. Plus Comodo customer service sucks.
    Ahhh...that explains it..I'm indeed using an InstantSSL cert.
    Ok I guess I'll switch to Geotrust then.


    Thanks for the info!

  12. #12
    Member
    Join Date
    Aug 2003
    Posts
    46


    Let me know if the GeoTrust SSL works well . . . (Or have you tried it already?) I guess Thawte's prices have gone up since the last purchase I made with them - apparently a 1 year cert is $199, so I guess GeoTrust is a bit cheaper at $149.

    Anyway, I would be curious to know how that goes if you end up doing that.

    Thanks!
    -John

  13. #13
    Member
    Join Date
    Aug 2003
    Posts
    46


    Whoops - forget about my last post. I obviously hadn't read Casey's. I am wondering how ev1servers can sell GeoTrust certs for only $25, when they go for $159 at geotrust.com? Do they just get a really great reseller deal for their volume? Weird. . .

    -John

  14. #14
    Registered User
    Join Date
    Jan 2004
    Posts
    2

    Re: IMAP / POP3 / SMTP via SSL

    Originally posted by netwrkr
    I just replaced the default cPanel SSL self signed cert with a trusted geo cert. Now when I grab email via imap/s or pop3/s it doesn't annoy me with a 'this is not a trusted certificate' blah warning.
    Hi, may I ask which files exactly did you edit to accomplish this and what services you may have to restart? I tried putting my Geo Cert in some files, but they must not be the right ones because I still get the annoying 'this is not a trusted cert' mess when checking email through IMAP.

    Thanks

  15. #15
    Member netwrkr's Avatar
    Join Date
    Apr 2003
    Posts
    203

    Re: Re: IMAP / POP3 / SMTP via SSL

    Originally posted by cwhcom
    Hi, may I ask which files exactly did you edit to accomplish this and what services you may have to restart? I tried putting my Geo Cert in some files, but they must not be the right ones because I still get the annoying 'this is not a trusted cert' mess when checking email through IMAP.

    Thanks
    I updated /etc/exim.crt and /etc/exim.key then restarted exim.
