AutoSSL not so good for email

MediaServe

Well-Known Member
PartnerNOC
Apr 9, 2004
Dallas, Texas
cPanel Access Level
DataCenter Provider
I'm just noticing that not many (if any?) email clients are recognizing the certificates installed by AutoSSL. They seem mostly fine in browsers, but the auto-configuration area of webmail is instructing users to use their domain as the incoming/outgoing server in the secure details, and email clients are complaining about the unrecognized certificates.

Has anyone found any email clients that recognize these certs? I think to remedy this I may have to once again override what is being shown in the auto-configure area, if I can even remember how I did that before (to display the server hostname for secure connections instead of suggesting users use their own domain name.)
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Could you verify if "Mail SNI" is enabled for these domain names under "WHM >> SSL/TLS >> Manage SSL Hosts"? The current plan is to enable it automatically in cPanel version 60, however you can enable it manually in prior versions of cPanel to take advantage of the installed SSL certificate for mail services.

Thank you.
 

MediaServe

Well-Known Member
cPanelMichael said:
> Could you verify if "Mail SNI" is enabled for these domain names under "WHM >> SSL/TLS >> Manage SSL Hosts"? The current plan is to enable it automatically in cPanel version 60, however you can enable it manually in prior versions of cPanel to take advantage of the installed SSL certificate for mail services.

Yep, it's enabled. The proper certificate is being seen by the mail client, just not trusted.
 

cPanelMichael

Administrator
Staff member
MediaServe said:
> They seem mostly fine in browsers, but the auto-configuration area of webmail is instructing users to use their domain as the incoming/outgoing server in the secure details, and email clients are complaining about the unrecognized certificates.

Hello,

Internal case CPANEL-8212 will address this issue in cPanel version 60. Here's some information about the changes stemming from this case:

- Exim was not checking wildcard matches against Domain TLS; this change introduces logic that corrects that.
- Mail SNI only worked for the Apache vhost's ServerName. It now works for all domains on the vhost.
- Makes Dovecot use the Domain TLS repository for keys/certificates. It will thus be consistent with Exim, cpsrvd, and cpdavd.
- Makes Dovecot always use SNI.
- Updates Cpanel::SSL::Domain so that requests for the "optimal" host for a TLS connection will be informed by knowledge of Domain TLS.

Thank you.
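The second and first items in that list (SNI only matching the vhost's ServerName, and wildcard entries not being consulted) explain why a client that sends SNI for mail.domain.tld could still be handed the server hostname's certificate. The following is an added example, not cPanel's code and not a description of its internals: it models the older ServerName-only lookup beside a Domain TLS style lookup that indexes every domain on the vhost and falls back to a single-label wildcard entry. The vhost names, aliases and certificate file names are constructed, and the "server hostname certificate" fallback is an assumption about what a server presents when nothing matches.

```python
"""Which certificate gets presented for an SNI name on a mail port?

Added example, not cPanel's code. It contrasts a ServerName-only lookup
with a Domain TLS style lookup (every domain on the vhost indexed, plus
wildcard fallback). All names and file names below are constructed.
"""

SERVER_HOSTNAME_CERT = "server.hostingco.net.crt"   # assumed fallback: the server's own cert

# Constructed: each vhost's ServerName, its aliases, the certificate installed
# on it, and the DNS names that certificate is actually valid for.
VHOSTS = [
    {"servername": "example.com",
     "aliases": ["www.example.com", "mail.example.com"],
     "cert": "example.com.crt",
     "cert_names": ["example.com", "www.example.com", "mail.example.com"]},
    {"servername": "example.org",
     "aliases": ["www.example.org", "mail.example.org"],
     "cert": "wildcard.example.org.crt",
     "cert_names": ["example.org", "*.example.org"]},
    {"servername": "example.net",          # certificate covers only the bare domain
     "aliases": ["mail.example.net"],
     "cert": "example.net.crt",
     "cert_names": ["example.net"]},
]


def _wildcard_for(name):
    """'*.example.com' for 'mail.example.com'; None for a bare two-label domain.
    A wildcard stands in for exactly one leftmost label (RFC 6125 6.4.3)."""
    labels = name.split(".")
    return "*." + ".".join(labels[1:]) if len(labels) >= 3 else None


def legacy_select(vhosts, sni_name):
    """Older behaviour: only an exact ServerName match yields the domain's
    certificate, so mail.example.com gets the server hostname certificate."""
    name = sni_name.lower().rstrip(".")
    for v in vhosts:
        if v["servername"] == name:
            return v["cert"]
    return SERVER_HOSTNAME_CERT


def build_domain_tls_index(vhosts):
    """Domain TLS style index: every domain on a vhost that its certificate
    covers maps to that certificate. Wildcard names are indexed as-is so an
    SNI name that is not a configured alias can still hit the wildcard."""
    index = {}
    for v in vhosts:
        covered = {n.lower() for n in v["cert_names"]}
        for domain in [v["servername"], *v["aliases"]]:
            domain = domain.lower()
            if domain in covered or _wildcard_for(domain) in covered:
                index.setdefault(domain, v["cert"])
        for n in covered:
            if n.startswith("*."):
                index.setdefault(n, v["cert"])
    return index


def domain_tls_select(index, sni_name):
    """Exact entry first, then the single-label wildcard, else the server cert.
    Never hands out a certificate that does not cover the requested name."""
    name = sni_name.lower().rstrip(".")
    if name in index:
        return index[name]
    wildcard = _wildcard_for(name)
    if wildcard in index:
        return index[wildcard]
    return SERVER_HOSTNAME_CERT


if __name__ == "__main__":
    index = build_domain_tls_index(VHOSTS)
    for sni in ["example.com", "mail.example.com", "imap.example.org", "mail.example.net"]:
        print(f"{sni:18} legacy={legacy_select(VHOSTS, sni):26} "
              f"domain_tls={domain_tls_select(index, sni)}")
```

Running it shows the symptom from the thread in the `legacy` column (mail.example.com falls back to the server hostname certificate, which a client verifying the name then rejects) and, in the `domain_tls` column, that mail.example.net still gets the fallback because its certificate does not cover that name; a lookup that returned example.net.crt there would only swap a trust error for a name error.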
 

asmithjr

Well-Known Member
Jun 13, 2003
Users need to use the server certificate. When they connect to email over SSL it says the cert is invalid and is issued to the server, not to their domain.
When you visit the website using https:// it works fine. When you set up Outlook or others it will not let you use SSL unless you type in the server name.
I checked, and the settings for Mail SNI show yes for all domains.
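Both this report and the earlier "seen but not trusted" reply describe a client-side verification failure without saying which kind: a trusted chain whose names do not cover the customer's domain (the server hostname certificate was presented), or a certificate the client cannot chain to a trusted root. The script below is an added example, not from this thread or from cPanel, that makes the same connection a mail client makes (implicit TLS on 993/465 or STARTTLS on 143/587, with SNI set to the name connected to) and reports which of the two it is. It uses only the Python standard library; the port/mode pairs in the `__main__` block and the name `mail.example.com` are assumptions for illustration.

```python
"""Check a mail server's TLS certificate the way a mail client would.

Added example, not code from this thread or from cPanel. Standard library
only: open the connection a client opens, send the connected-to name as SNI,
verify against the system trust store, and report whether a failure is
"trusted chain, wrong name" or "issuer not trusted".
"""
import imaplib
import smtplib
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes, exposed by Python as exc.verify_code.
_VERIFY_CODES = {
    62: "name-mismatch",      # X509_V_ERR_HOSTNAME_MISMATCH
    18: "untrusted-issuer",   # DEPTH_ZERO_SELF_SIGNED_CERT
    19: "untrusted-issuer",   # SELF_SIGNED_CERT_IN_CHAIN
    20: "untrusted-issuer",   # UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    10: "expired",            # CERT_HAS_EXPIRED
}


def dns_sans(cert):
    """DNS names from the dict ssl.SSLSocket.getpeercert() returns."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def san_covers(name, cert):
    """True if a DNS SAN covers `name`. A wildcard stands in for the single
    leftmost label only (RFC 6125 6.4.3): *.example.com covers
    mail.example.com but not example.com or a.b.example.com."""
    name = name.lower().rstrip(".")
    parent = name.split(".", 1)[1] if name.count(".") >= 2 else None
    for san in dns_sans(cert):
        san = san.lower().rstrip(".")
        if san == name or (parent and san == "*." + parent):
            return True
    return False


def classify_failure(exc):
    """Map an ssl.SSLCertVerificationError to what the user will be told."""
    verdict = _VERIFY_CODES.get(getattr(exc, "verify_code", None))
    if verdict:
        return verdict
    msg = (getattr(exc, "verify_message", None) or str(exc)).lower()
    if "hostname mismatch" in msg:
        return "name-mismatch"
    if "self signed" in msg or "self-signed" in msg or "local issuer" in msg:
        return "untrusted-issuer"
    if "expired" in msg:
        return "expired"
    return "other"


def _peer_cert(ctx, name, port, starttls):
    """Handshake as a mail client; return (parsed cert, DER bytes).
    The parsed dict is empty unless `ctx` verified the chain."""
    if starttls is None:                         # implicit TLS: 993 / 465
        with socket.create_connection((name, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                return tls.getpeercert(), tls.getpeercert(binary_form=True)
    if starttls == "imap":                       # 143: imaplib sends SNI = host
        conn = imaplib.IMAP4(name, port, timeout=10)
        try:
            conn.starttls(ssl_context=ctx)
            return conn.sock.getpeercert(), conn.sock.getpeercert(binary_form=True)
        finally:
            conn.shutdown()
    if starttls == "smtp":                       # 587: smtplib sends SNI = host
        conn = smtplib.SMTP(name, port, timeout=10)
        try:
            conn.starttls(context=ctx)
            return conn.sock.getpeercert(), conn.sock.getpeercert(binary_form=True)
        finally:
            conn.close()
    raise ValueError("starttls must be None, 'imap' or 'smtp'")


def probe(name, port=993, starttls=None):
    """Return {"verdict", "sans", "der"} for connecting to `name`.

    "trusted": chain and name verify. "name-mismatch": chain is trusted but
    no SAN covers `name`; `sans` then shows what the certificate is really
    for (e.g. only the server hostname). Otherwise the stdlib cannot parse
    an unverified certificate, so only `der` is returned, for
    `openssl x509 -inform der -noout -text`.
    """
    try:
        cert, der = _peer_cert(ssl.create_default_context(), name, port, starttls)
        return {"verdict": "trusted", "sans": dns_sans(cert), "der": der}
    except ssl.SSLCertVerificationError as exc:
        verdict = classify_failure(exc)
    lax = ssl.create_default_context()
    lax.check_hostname = False                   # keep chain verification...
    if verdict != "name-mismatch":
        lax.verify_mode = ssl.CERT_NONE          # ...unless the chain itself failed
    cert, der = _peer_cert(lax, name, port, starttls)
    return {"verdict": verdict, "sans": dns_sans(cert) if cert else None, "der": der}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"   # assumed name
    for port, mode in ((993, None), (143, "imap"), (587, "smtp")):
        try:
            result = probe(host, port, mode)
            print(port, result["verdict"], result["sans"])
        except OSError as exc:
            print(port, "connection failed:", exc)
```

Run it once against the customer's domain and once against the server hostname: if the domain gives "name-mismatch" with the hostname's names in `sans`, SNI is not being honoured for that name and the "use the hostname" workaround will succeed; if it gives "untrusted-issuer", the certificate being served for that name is not one the client's trust store accepts, and changing the hostname in the client will not help.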
 

cPanelMichael

Administrator
Staff member
asmithjr said:
> Users need to use the server certificate. When they connect to email over SSL it says the cert is invalid and is issued to the server, not to their domain.
> When you visit the website using https:// it works fine. When you set up Outlook or others it will not let you use SSL unless you type in the server name.
> I checked, and the settings for Mail SNI show yes for all domains.

This is part of the case referenced earlier, that's included as part of cPanel version 60 (Not Yet Released). An additional case in version 60, CPANEL-8418, ensures that mobileconfig files are signed with domain certificates when available. Information on the build/release process is available at:

Product Versions and the Release Process - cPanel Knowledge Base - cPanel Documentation

Thank you.
 

asmithjr

Well-Known Member
Michael, what should we do in the meantime?
Unfortunately I moved to a new server and now all the email accounts are causing this problem.
For now I am getting by with users by telling them to use the hostname instead of their domain name for the settings. Sometimes it works.
 

cPanelMichael

Administrator
Staff member
asmithjr said:
> For now I am getting by with users by telling them to use the hostname instead of their domain name for the settings. Sometimes it works.

This should work as a temporary workaround. Version 60 is tentatively scheduled for publication to the "Current" build tier on October 5th.

Update: Version 60 is tentatively scheduled for publication to the "Current" build tier on October 11th. Note that this is a tentative date and is subject to change.

Thank you.
 

JohnMC

Member
Feb 17, 2015
cPanel Access Level
Root Administrator
cPanelMichael said:
> This should work as a temporary workaround. Version 60 is tentatively scheduled for publication to the "Current" build tier on October 5th.

Hi Michael,

If SNI is enabled by default in version 60 it sounds like that will fix my problem, but I just wanted to ask my version of the question as I believe it addresses the core issue, where the other questions here seem to simply focus on SNI "not working".

Basically, what I've observed is that when a certificate is renewed/replaced, even if mail SNI was previously enabled, it will become disabled with the new certificate. This has obviously made short term auto renewing certificates (LE, etc) not viable with mail SNI.

  1. Is case CPANEL-8212 meant to address this issue?
  2. Is there a configuration file or scriptable functionality that can be used to enable mail SNI as a workaround?
  3. The October 5th date you mentioned has passed and I'm trying to understand the release schedule graphic provided in the cPanel blog; is October 17th now the scheduled date for release to current?
 

cPanelMichael

Administrator
Staff member
Hello @JohnMC,

Mail SNI is always enabled as of cPanel version 60, and all Mail SNI controls are removed from cPanel/WHM user interfaces. Here's a quote from the Version 60 Release Notes:

> We created the Domain TLS system to store and manage certificates for domains outside of Apache. The system will copy a domain's certificate from Apache's certificate storage into the Domain TLS, and then it creates an index of which domain uses which certificate.
>
> Currently, Domain TLS handles SNI functionality for the cpsrvd daemon (cPanel, WHM, and Webmail logins and UI functionality), the cpdavd daemon (Calendar, Contacts, and Web Disk), Exim, and Dovecot services. We plan to expand Domain TLS to handle SNI functionality for more services in future versions.

This should address the issue you are currently facing. Version 60 is tentatively planned for publication to the "Current" build tier later today, but release dates are subject to change. Regarding a workaround on versions prior to cPanel 60, you could try manually creating a subdomain for "mail.domain.tld" after removing existing DNS entries, then issuing certificates for the subdomain.

Thank you.