AutoSSL not so good for email

Discussion in 'Security' started by MediaServe, Aug 25, 2016.

  1. MediaServe

    MediaServe Well-Known Member
    PartnerNOC

    Joined:
    Apr 9, 2004
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Nashville, TN USA
    cPanel Access Level:
    DataCenter Provider
    I'm just noticing that not many (if any?) email clients are recognizing the certificates installed by AutoSSL. They seem mostly fine in browsers, but the auto-configuration area of webmail is instructing users to use their domain as the incoming/outgoing server in the secure details, but email clients are complaining about the unrecognized certificates.

    Has anyone found any email clients that recognize these certs? I think to remedy this I may have to once again override what is being shown in the auto-configure area, if I can even remember how I did that before (to display the server hostname for secure connections instead of suggesting users use their own domain name.)
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Could you verify if "Mail SNI" is enabled for these domain names under "WHM >> SSL/TLS >> Manage SSL Hosts"? The current plan is to enable it automatically in cPanel version 60; however, you can enable it manually in prior versions of cPanel to take advantage of the installed SSL certificate for mail services.

    Thank you.
     
  3. MediaServe

    Yep it's enabled. The proper certificate is being seen by the mail client, just not trusted.
     
  4. cPanelMichael

    Hello,

    Internal case CPANEL-8212 will address this issue in cPanel version 60. Here's some information about the changes stemming from this case:

    Code:
    - Exim was not checking wildcard matches against Domain TLS; this change introduces logic that corrects that.
    - Mail SNI only worked for the Apache vhost’s ServerName. It now works for all domains on the vhost.
    - Makes Dovecot use the Domain TLS repository for keys/certificates. It will thus be consistent with Exim, cpsrvd, and cpdavd.
    - Makes Dovecot always use SNI.
    - Updates Cpanel::SSL::Domain so that requests for the “optimal” host for a TLS connection will be informed by knowledge of Domain TLS.

    Thank you.
     
  5. asmithjr

    asmithjr Well-Known Member

    Joined:
    Jun 13, 2003
    Messages:
    475
    Likes Received:
    1
    Trophy Points:
    18
    Is there a solution for this?
     
  6. cPanelMichael

    Hello @asmithjr,

    Could you provide a brief description of the current issue you are facing?

    Thank you.
     
  7. asmithjr

    Users need to use the server certificate. When they connect SSL to email it says the cert is invalid and is issued to the server not to their domain.
    When you visit the website using https:// it works fine. When you set up Outlook or others it will not let you use SSL unless you type in the server name.
    I checked and the settings for Mail SNI show yes for all domains.
     
  8. cPanelMichael

    This is part of the case referenced earlier, that's included as part of cPanel version 60 (Not Yet Released). An additional case in version 60, CPANEL-8418, ensures that mobileconfig files are signed with domain certificates when available. Information on the build/release process is available at:

    Product Versions and the Release Process - cPanel Knowledge Base - cPanel Documentation

    Thank you.
     
  9. asmithjr

    Michael, what should we do in the meantime?
    Unfortunately I moved to a new server and now all the email accounts are causing this problem.
    For now I am getting by with users by telling them to use the hostname instead of their domain name for the settings. Sometimes it works.
     
  10. cPanelMichael

    This should work as a temporary workaround. Version 60 is tentatively scheduled for publication to the "Current" build tier on October 5th.

    Update: Version 60 is tentatively scheduled for publication to the "Current" build tier on October 11th. Note that this is a tentative date and is subject to change.

    Thank you.
     
  11. JohnMC

    JohnMC Member

    Joined:
    Feb 17, 2015
    Messages:
    5
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hi Michael,

    If SNI is enabled by default in version 60 it sounds like that will fix my problem, but I just wanted to ask my version of the question as I believe it addresses the core issue where the other questions here seem to simply focus on SNI "not working".

    Basically, what I've observed is that when a certificate is renewed/replaced, even if mail SNI was previously enabled, it will become disabled with the new certificate. This has obviously made short-term auto-renewing certificates (LE, etc) not viable with mail SNI.

    1. Is case CPANEL-8212 meant to address this issue?
    2. Is there a configuration file or scriptable functionality that can be used to enable mail SNI as a workaround?
    3. The October 5th date you mentioned has passed and I'm trying to understand the release schedule graphic provided in the cPanel blog, is October 17th now the scheduled date for release to current?
     
  12. cPanelMichael

    Hello @JohnMC,

    Mail SNI is always enabled as of cPanel version 60, and all Mail SNI controls are removed from cPanel/WHM user interfaces. Here's a quote from the Version 60 Release Notes:

    This should address the issue you are currently facing. Version 60 is tentatively planned for publication to the "Current" build tier later today, but release dates are subject to change. Regarding a workaround on versions prior to cPanel 60, you could try manually creating a subdomain for "mail.domain.tld" after removing existing DNS entries, then issuing certificates for the subdomain.

    Thank you.
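
Added example (not part of any post in this thread, and not cPanel code): the posts above describe two different client-side failures, a certificate that is presented but not trusted, and a certificate issued to the server hostname instead of the mail domain. The Python below tells them apart for an implicit-TLS mail port by sending the domain as SNI and classifying the certificate that comes back; the hostnames and sample certificate dictionaries are constructed placeholders.

```python
import socket
import ssl

# Constructed getpeercert()-style samples (not real certificates).
DOMAIN_CERT = {"subjectAltName": (("DNS", "example.com"), ("DNS", "mail.example.com"))}
SERVER_CERT = {"subject": ((("commonName", "host.server.example"),),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}

def name_matches(pattern, hostname):
    """A leading '*.' covers exactly one left-most label; otherwise exact match."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == hostname

def cert_names(cert):
    """DNS names from a getpeercert() dict; fall back to CN only without SAN DNS entries."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def classify(cert, requested, server_hostname):
    """Which certificate did the mail service answer the SNI request with?"""
    names = cert_names(cert)
    if any(name_matches(n, requested) for n in names):
        return "domain-cert"            # what the mail client expects
    if any(name_matches(n, server_hostname) for n in names):
        return "server-cert-fallback"   # client reports a name mismatch
    return "mismatch"

def probe(host, sni, server_hostname, port=993, timeout=10):
    """Live check of an implicit-TLS mail port (993 IMAPS, 995 POP3S, 465 SMTPS)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are classified above
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return classify(tls.getpeercert(), sni, server_hostname)
    except ssl.SSLCertVerificationError as exc:
        return "untrusted-chain: " + exc.verify_message

if __name__ == "__main__":
    for cert in (DOMAIN_CERT, SERVER_CERT, WILDCARD_CERT):
        print(classify(cert, "mail.example.com", "host.server.example"))
```

`probe()` needs network access to the mail server; a result of `server-cert-fallback` for a domain that has its own certificate means the service did not select a certificate by SNI.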
     