AutoSSL on cPanel Service Proxies

jon356a

Registered
Sep 17, 2018
4
0
1
earth
cPanel Access Level
Root Administrator
Hello

Please I need some help, guidance, clarification :/

How do I delete "mail.domain.com" cPanel proxy subdomain? And then what is the best practice / setup configuration to access the cpanel webmail interface with an email client using SMTP 465 and IMAP 943 without errors? Without mail.domain.com what is the de facto server name?

Background:
I migrated some cPanel accounts from reseller hosting to VPS hosting. The accounts came with the cPanel proxy services enabled, i.e. webdisk, cPanel, mail etc., with the previously issued SSLs. The VPS hosting account has proxy service subdomains disabled in Tweak Settings, which I understand will apply to newly created accounts on the VPS. I manually deleted the proxies in WHM edit DNS in each zone and ran a script in terminal to remove any proxy I might have missed. Then I deleted the migrated SSL with the proxies. When I run AutoSSL on the scrubbed zones everything but the primary, alias and www versions get issued a new SSL, except "mail.domain.com" keeps populating on the new SSL. webdisk, cPanel, mail etc. are now gone.

The point is who wants all these proxies listed on their SSLs by default? How many users are actually behind a firewall with the only access being a URL? I think the default setup causes more issues than it fixes, imho.

Feedback please. Thanks.


  • CENTOS 7.5 virtuozzo
    v74.0.6
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello @jon356a,

How do I delete "mail.domain.com" cPanel proxy subdomain?
The "mail" subdomain isn't a proxy subdomain. It is, however, set up as an alias by default for domain names added to cPanel accounts. Can you provide some more information about why you want to delete it so we can provide you with the best approach to ensure it's not accessible?

And then what is the best practice / setup configuration to access the cpanel webmail interface with an email client using SMTP 465 and IMAP 943 without errors? Without mail.domain.com what is the de facto server name?
The webmail applications are accessible through web browsers as opposed to email clients. You can use your server's hostname as the mail server name in your email client when "mail.domain.tld" isn't configured.

When I run AutoSSL on the scrubbed zones everything but the primary, alias and www versions get issued a new SSL, except "mail.domain.com" keeps populating on the new SSL. webdisk, cPanel, mail etc. are now gone.
You can choose to exclude specific domain names or subdomains from AutoSSL using the SSL/TLS Status option in cPanel:

SSL TLS Status - Version 74 Documentation - cPanel Documentation

Is this what you are looking for?

Thank you.
 

jon356a

Hi Michael

Thank you for clarifying mail.domain.com is technically NOT a proxy subdomain.

The reason I want to remove mail.domain.com and the proxies: webdisk, cpanel, webmail etc. is:

1. I don't have any issue accessing the domain.com followed by the secure ports for those services: 2083, 2087, 2078, 2096 etc.

AND

2. Keeping uncluttered DNS records and resulting SSL certificates trying to validate a long list of unnecessary cPanel proxies, mail.domain.com for the primary, subdomain and alias domains on the account.

Taking the explanation a step further, I've reviewed many random SSL certificates and have yet to find one littered with as many cPanel proxies or even mail.domain.com as my accounts are producing. The certificates I've reviewed only contain the primary, www and any subdomain or alias attached. And I've looked at 50+ certificates, randomly pulled from the browser. Further, I've made the conclusion there must be a good reason for 50+ randomly pulled certificate creators to limit certificate information to the pertinent details other than all of them being sticklers for housekeeping! Possibly a security issue, disclosing / advertising these proxies openly? I realize there are other ways to find the same information, but why advertise it if it's not necessary to function?

Thank you for pointing out the option to use the server hostname to access SMTP and IMAP with a client with mail.domain.com now removed.

Your feedback is welcomed and appreciated.
 

cPanelMichael

Hello @jon356a,

You can disable the creation of proxy subdomains on new domain names by disabling the following option under the Domains tab in WHM >> Tweak Settings:

Proxy subdomains

Then, to remove the proxy subdomain DNS entries for all existing domain names, run the following command:

Code:
/scripts/proxydomains remove
The "mail" alias is separate and is set up by default because of the demand to allow customers to enter "mail.customer-domain.tld" in their email clients. There's no supported way to prevent the creation of the mail serveralias entry upon the creation of the domain, but the following thread includes workaround instructions for how to do so (it's for the www serveralias entry, but you could apply the same concept to the mail serveralias entry):

Disable default www entry for all subdomains and hostname

Thank you.
 

jon356a

Hello Michael

In the "background" section of my original post I mentioned the accounts I was having the issue with were "migrated accounts" and the WHM "tweak settings", proxy creation was already set to "disabled" on initial WHM setup, which only applies to "newly" created cPanel accounts. In my case the migrated accounts came with proxies enabled from the previous WHM.

I ran the script "/scripts/proxydomains remove" in terminal. This did NOT purge the existing proxies from the cPanel accounts.

The "alias" mail.domain.com is another issue completely and there does NOT appear to be a setting to disable its creation.
And I'm not sure how the mail.domain.com "alias" is of any benefit? I see mail clients and even in the configuration settings included with each cPanel to use mail.domain.com as the server name for SMTP, IMAP, POP3 configurations, but I found using the server "hostname" to work as well.

Can you provide some use cases for using "mail.domain.com" vs. the server "hostname"?

In my case to accomplish what I wanted on the migrated cPanel accounts:
  • No DNS & SSL records with unused cPanel "Proxies", webdisk, cPanel, webmail etc
  • No DNS & SSL records with "alias", mail.domain.com
I needed to perform the following:

In each cPanel > edit DNS zone >
  • Modify the MX record from "mail.domain.com" to "domain.com"
  • Delete the A record "mail"
  • Delete all traces of cPanel "proxies", "webdisk", "cPanel", "webmail"
  • Delete any CA or CAA or DCV SSL Keys (to prevent a possible conflict of using different SSL providers from the original CA to the new CA)
In each cPanel > SSL / TLS Status
  • exclude the "mail.domain.com" from AutoSSL renewal
In WHM > Manage SSL Hosts
  • delete the existing SSL certificates for the zone / domain
In each cPanel > SSL / TLS Status
  • re-run AutoSSL for the zone / domain
The result was:
  • No cPanel "proxies" listed in cPanel or SSL
  • mail.domain.com "alias" created but excluded on the SSL
  • domain.com, www.domain.com, aliasdomain.com, www.aliasdomain.com listed on the SSL's
I'm sure there's another workflow to accomplish the same thing, but this worked for me.

I would really like to see some written-out "Use Cases" for creating and using cPanel proxies and the "mail" "alias" vs. not using them. The official documentation is lacking on this matter.
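The clean-up steps listed above can be checked against a zone before anything is edited. The following is an added example, not cPanel's own tooling: a minimal zone-file parser that flags the proxy subdomain records, the "mail" A record and an MX that points at mail.<zone>, i.e. the records the workflow above deletes or repoints. The zone text is constructed, and the proxy labels beyond cpanel, webmail and webdisk (the three the thread names) are an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass

# cPanel proxy subdomain labels. The thread names cpanel, webmail and
# webdisk; the remaining labels are an assumption added for this example.
PROXY_LABELS = {"cpanel", "webmail", "webdisk", "whm", "cpcontacts", "cpcalendars"}


@dataclass
class Record:
    name: str    # fully qualified owner name, lower-case, trailing dot
    rtype: str   # A, MX, CNAME, ...
    rdata: str   # everything after the type, unparsed


def qualify(name: str, origin: str) -> str:
    """Turn a zone-file owner field into a fully qualified name."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str) -> tuple[str, list[Record]]:
    """Minimal BIND zone parser: one record per line, $ORIGIN honoured.

    Good enough for the zones cPanel writes (every record on its own line);
    multi-line parentheses and ';' inside quoted TXT data are not handled.
    """
    origin = ""
    last_name = ""
    records: list[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            last_name = origin
            continue
        if line.startswith("$"):
            continue                            # $TTL etc. carry no record
        tokens = line.split()
        # A blank owner field (leading whitespace) repeats the previous owner.
        name = last_name if raw[0].isspace() else tokens.pop(0)
        if tokens and tokens[0].isdigit():      # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        if not tokens:
            continue
        rtype = tokens.pop(0).upper()
        name = qualify(name, origin)
        last_name = name
        records.append(Record(name, rtype, " ".join(tokens)))
    return origin, records


def audit_zone(text: str) -> list[tuple[Record, str]]:
    """Return the records the manual clean-up in the thread deletes or edits."""
    origin, records = parse_zone(text)
    mail_name = "mail." + origin
    findings: list[tuple[Record, str]] = []
    for rec in records:
        # Leftmost label(s) relative to the zone apex; "" for the apex itself.
        label = rec.name[: -len(origin) - 1] if rec.name.endswith("." + origin) else ""
        if label in PROXY_LABELS and rec.rtype in ("A", "AAAA", "CNAME"):
            findings.append((rec, "cPanel proxy subdomain record: delete"))
        elif rec.name == mail_name and rec.rtype in ("A", "AAAA", "CNAME"):
            findings.append((rec, "mail alias record: delete"))
        elif rec.rtype == "MX" and rec.rdata.split()[-1].lower() == mail_name:
            findings.append((rec, f"MX target is {mail_name}: repoint to {origin}"))
    return findings


# Constructed zone in the shape cPanel writes; addresses are documentation IPs.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 14400
@        IN SOA   ns1.example.com. hostmaster.example.com. ( 2018091701 3600 1800 1209600 86400 )
@        IN NS    ns1.example.com.
@        IN A     203.0.113.10
@        IN MX    0 mail.example.com.
@        IN TXT   "v=spf1 mx -all"
www      IN CNAME example.com.
mail     IN A     203.0.113.10
cpanel   IN A     203.0.113.10
webmail  IN A     203.0.113.10
webdisk  IN A     203.0.113.10
"""


def report(text: str) -> list[str]:
    """One human-readable line per finding."""
    return [f"{rec.name:<22} {rec.rtype:<6} {rec.rdata:<24} -> {why}"
            for rec, why in audit_zone(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ZONE)))
```

Run it against a zone exported from WHM (or `/var/named/<zone>.db`) to see the records the workflow touches before you edit them; the apex, www and TXT records are left alone, which is the expected end state described above.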
 

cPanelMichael

Hello @jon356a,

I ran the script "/scripts/proxydomains remove" in terminal. This did NOT purge the existing proxies from the cPanel accounts.
I ran this command on a test system and confirmed it properly removed the DNS entries for proxy subdomains from every DNS zone on the server associated with a cPanel account. Did you run the command as the "root" user? If so, was there any output upon running the command?

The "alias" mail.domain.com is another issue completely and there does NOT appear to be a setting to disable its creation.
That is correct. It's not possible to disable the mail alias that's set up by default without utilizing a manual workaround. I encourage you to vote for the following feature request:

Add option to control ServerAlias www entries for subdomains

It's for the "www" alias, but you can leave a comment to note that it should be expanded to also include the "mail" alias.

And I'm not sure how the mail.domain.com "alias" is of any benefit? I see mail clients and even in the configuration settings included with each cPanel to use mail.domain.com as the server name for SMTP, IMAP, POP3 configurations, but I found using the server "hostname" to work as well.
Setting up "mail.domain.tld" by default and including it with AutoSSL addresses a few needs for web hosting providers. The first is that customers don't need to contact the web hosting provider for information about which server name to use in their email client (not everyone looks at the email client configuration option). The second is that by using "mail.domain.tld", the cPanel account can be migrated to a new server (with a different hostname) and the individual email users can continue using the same mail server settings. Additionally, some email clients will issue SSL trust warnings if the mail server name doesn't match the domain name associated with the email account. Using "mail.domain.tld" addresses that.

"Use Cases" for creating and using cPanel proxies
Here's a look at the benefits we document on Proxy Subdomains Explanation:

  • Can access from a network with restrictive firewall (for example, the firewall restricts access to ports 80 and 443).
  • Easier to remember than a port number.
Let me know if you have any additional questions.

Thank you.
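The trust-warning point above comes down to whether the name the mail client connects to is covered by a subject alternative name (SAN) on the certificate the server presents. The following is an added example, not cPanel code: a small hostname-matching check (exact match or a single leftmost wildcard label) run over constructed SAN lists for the server hostname certificate, an AutoSSL certificate that includes mail.example.com, and one where mail.example.com was excluded as in the workflow earlier in the thread. The hostnames and SAN lists are constructed for the example.

```python
from __future__ import annotations


def san_covers(hostname: str, san: str) -> bool:
    """RFC 6125-style match: exact, or a single leftmost wildcard label."""
    h = hostname.lower().rstrip(".")
    s = san.lower().rstrip(".")
    if s.startswith("*."):
        h_labels, s_labels = h.split("."), s.split(".")
        # "*.example.com" covers "a.example.com" only: same label count,
        # identical labels after the first.
        return len(h_labels) == len(s_labels) and h_labels[1:] == s_labels[1:]
    return h == s


def expected_trust_warning(server_name: str, presented_sans: list[str]) -> bool:
    """True when no SAN on the presented certificate covers server_name."""
    return not any(san_covers(server_name, san) for san in presented_sans)


# Constructed certificates (SAN lists only; no keys, no real hosts).
HOSTNAME_CERT = ["server.hostname.com"]                            # the server's own certificate
AUTOSSL_CERT = ["example.com", "www.example.com", "mail.example.com"]
AUTOSSL_CERT_MAIL_EXCLUDED = ["example.com", "www.example.com"]    # mail.example.com excluded


def evaluate_scenarios() -> dict[str, bool]:
    """Map each client configuration to whether a trust warning is expected."""
    return {
        # Client set to the server hostname; server presents its hostname cert.
        "hostname as mail server":
            expected_trust_warning("server.hostname.com", HOSTNAME_CERT),
        # Client set to mail.example.com; server selects the AutoSSL cert via SNI.
        "mail.example.com, SNI cert includes it":
            expected_trust_warning("mail.example.com", AUTOSSL_CERT),
        # Same client setting, but mail.example.com was excluded from AutoSSL.
        "mail.example.com, excluded from AutoSSL":
            expected_trust_warning("mail.example.com", AUTOSSL_CERT_MAIL_EXCLUDED),
        # Client set to mail.example.com, server only has the hostname cert.
        "mail.example.com, hostname cert only":
            expected_trust_warning("mail.example.com", HOSTNAME_CERT),
    }


if __name__ == "__main__":
    for scenario, warning in evaluate_scenarios().items():
        print(f"{scenario:<42} warning expected: {warning}")
```

The two configurations discussed in the thread are the first and second rows: the server hostname always matches its own certificate, and mail.example.com only matches when the certificate served for that name includes it. Excluding mail.example.com from AutoSSL while still handing that name to users is the combination that produces the warning.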
 

jon356a

I ran this command on a test system and confirmed it properly removed the DNS entries for proxy subdomains from every DNS zone on the server associated with a cPanel account. Did you run the command as the "root" user? If so, was there any output upon running the command?
All modifications, edits, settings were done as "root".
As I recall, after running the script each zone / domain was followed by "no changes".

Setting up "mail.domain.tld" by default and including it with AutoSSL addresses a few needs for web hosting providers. The first is that customers don't need to contact the web hosting provider for information about which server name to use in their email client (not everyone looks at the email client configuration option). The second is that by using "mail.domain.tld", the cPanel account can be migrated to a new server (with a different hostname) and the individual email users can continue using the same mail server settings. Additionally, some email clients will issue SSL trust warnings if the mail server name doesn't match the domain name associated with the email account. Using "mail.domain.tld" addresses that.
In my case the existing email accounts did not populate with the migration. I manually set them back up and configured them.
The email client is Thunderbird. The server hostname is an alias / subdomain of the primary zone and it has its own SSL on the "server.hostname.com" (server.hostname.com is also the IMAP/SMTP server name setting in the client), and the email address "[email protected]" is the login and it matches a domain name with an SSL.

I guess you're referring to the mismatch configuration mentioned above causing an error in email clients other than the one we're using?

Thank you for the feedback.
 

cPanelMichael

All modifications, edits, settings were done as "root".
As I recall, after running the script each zone / domain was followed by "no changes".
Are you sure you didn't run that command after you already removed the proxy subdomain entries from the existing DNS zones? The command will only remove the DNS records, so no actions will occur if the records are already removed.

I guess your referring to the miss-match configuration mentioned above causing an error in email clients other than the one we're using?
Right, it's not necessarily a need for everyone. You can browse through the comments on the following completed feature request if you'd like to see some of the reasons other customers wanted this feature:

SSL certificate per domain on cpanel, webmail, dav, caldav, and whm services (SNI).

Thank you.