
cPanel / Webmail without nonstandard ports but with SSL

Discussion in 'E-mail Discussions' started by lorio, Oct 22, 2013.

  1. lorio

    Since cPanel thinks this old thread is outdated:
    http://forums.cpanel.net/f5/ssl-acc...96-signed-wildcard-hostservercert-227211.html


    When using e.g. www.customermail.tld/webmail you can get a screen:

    "Connection Selection ..."

    If you are not behind a firewall that blocks port 2096
    Enter Here https://host.whmdomain.tld

    If you are behind a firewall and can not connect to port 2096
    Enter Here https://webmail.customerdomain.tld

    Problem is that if the port is blocked you are redirected to the local domain with https.
    So without the port there is no proxydomain for the hostdomain which would use the wildcard ssl cert.

    That situation has been unchanged for years.

    What is missing is a way to redirect to an account which just provides proxy domains covered by the wildcard cert of the host.

    Since the same problem exists with cPanel Web Disk etc., I wonder why nobody seems to have a problem with this. Are customers eager to pay for their own SSL cert but to get told: Exim, Courier, Dovecot are not accessible via your cert. You have to use the host cert.

    Accessing the control panel and webmail without special ports is important. SSL is a must. If you get your customer to pay for a cert they don't want to use or remember a different domain name as mail server.

    The current situation is incoherent in more than one way.

    Subdomains are not able to use SSL. See feature request
    http://features.cpanel.net/response...ain-to-hostname-instead-of-origin-domain-name

    But since Exim, Dovecot, Courier are not currently able to use customer domains as proxy with certs of customers, it is a long way to go. Providing a way to access webmail via standard port and SSL via a wildcard cert of the host looks like a shorter way to get at least one way consistent.
     
    #1 lorio, Oct 22, 2013
    Last edited: Oct 22, 2013
  2. cPanelMichael

    Hello :)

    I recommend opening a new feature request for the specific configuration that you would like to see allowed. The following feature request may also interest you:

    SSL Certificate Per Domain for all services

    Thank you.
     
  3. lorio

    Michael, seems you're everywhere. Thanks for your effort. I have no problems opening a feature request. We had some threads about related or similar topics before. Not sure if the wording and explanation of the problem prevented any traction in the user base or if nobody is needing that feature set. Hope to find enough people here in the forums who care about that problem today. Might help to get a better feature request.
     
  4. lorio

    For TL;DR: Is there a way to allow a customer/user to access webmail via standard ports via SSL/TLS with only a wildcard cert for the whole server? customerdomain.tld/webmail has the firewall detection screen, but if nonstandard ports are blocked a cert for the account is needed.
     
  5. cPanelMichael

    Are you referring to port 2096? If so, that port is accessible with the standard SSL certificate that's installed for the cPanel/WHM/Webmail service in:

    "WHM Home » Service Configuration » Manage Service SSL Certificates"

    A wildcard certificate is acceptable, but most users prefer to install it for the hostname of the server to ensure there are no certificate warnings.

    Thank you.
     
  6. lorio

    I only want to use the installed wildcard for the host server. The problem is the nonstandard ports.

    With standard port I meant the ports no corporate firewall is blocking. 208X and 209X are mostly blocked.
    We could say standard is 443 for SSL/TLS.

    Why isn't it possible to have https://hostwhm.hostname.tld/webmail as an entry point?
    Currently the rerouting for enforcing SSL when accessing customerdomain.tld/webmail is:

    If you are behind a firewall and can not connect to port 2096 :
    https://webmail.customerdomain.tld
    (you will need an additional signed cert to prevent browser problems)

    If you are not behind a firewall that blocks port 2096
    https://hostwhm.hostname.tld:2096
    Wildcard Cert will be used. But users with corporate/public firewalls cannot access it.

    Why isn't it possible to have https://hostwhm.hostname.tld/webmail as an entry point?

    Perhaps a special account, which can be used for certain functions.
    Such a location will also be needed to place custom XML files for autodiscover/autoconfig.
     
    #6 lorio, Dec 16, 2013
    Last edited: Dec 16, 2013
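
The two redirect targets and the requested entry point from the post above, checked against a host-wide wildcard certificate (an added example, not part of the original thread and not cPanel code). It assumes the server certificate carries the single SAN `*.hostname.tld` and applies the usual rule that a wildcard covers exactly one left-most label; the third URL is the entry point the poster asks for, not one the thread says exists.

```python
from urllib.parse import urlsplit

# Assumption: the server-wide certificate has one wildcard SAN.
# Hostnames are the placeholder names used in the thread.
HOST_CERT_SANS = ["*.hostname.tld"]

# Entry points quoted in the post (constructed from its placeholders).
ENTRY_POINTS = [
    "https://hostwhm.hostname.tld:2096",     # current target, port open
    "https://webmail.customerdomain.tld",    # current target, port blocked
    "https://hostwhm.hostname.tld/webmail",  # entry point the poster requests
]


def san_matches(pattern, hostname):
    """RFC 6125 style match: '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):          # wildcard never spans several labels
        return False
    if p[0] == "*":
        # Reject overly broad patterns such as '*.tld'.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def assess(url, sans=HOST_CERT_SANS):
    """Return (covered_by_host_cert, uses_port_443) for an HTTPS URL."""
    parts = urlsplit(url)
    port = parts.port or 443
    covered = any(san_matches(s, parts.hostname) for s in sans)
    return covered, port == 443


def report(urls=ENTRY_POINTS, sans=HOST_CERT_SANS):
    """Label each entry point by certificate coverage and port."""
    verdicts = {
        (True, True): "valid cert on 443",
        (True, False): "valid cert, nonstandard port may be filtered",
        (False, True): "443 reachable, name not covered: browser warning",
        (False, False): "name not covered and nonstandard port",
    }
    return [(u, verdicts[assess(u, sans)]) for u in urls]


if __name__ == "__main__":
    for url, verdict in report():
        print(f"{url:40} {verdict}")
```
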
  7. cPanelMichael

    You can modify the settings under the "Redirection" tab in "WHM Home » Server Configuration » Tweak Settings". In particular, this option:

    SSL redirect destination

    Also, you mentioned the entry point or the URL used to access Webmail. What error message do you receive when accessing it directly through that URL?

    Thank you.
     
  8. lorio

    I am familiar with these settings.

    If you choose
    "Always redirect users to the SSL/TLS ports and certificate hostname when visiting /cpanel, /webmail, etc."
    you won't be able to change anything. And that is correct. If you only want to use a wildcard cert for the whole host server you don't want to redirect to the customer domains.

    Which entry point? Sorry.
    If you have installed a wildcard on the Apache installation (which is not recommended) you will get a redirection to the ports 2096/2083 when entering https://whm.hostserver.tld/webmail or /cpanel.

    I don't see a config problem. The proxy solution to prevent usage of ports 2083/2096 is not available for the whmhost.whmserver.tld. If I take the developer point of view into account, they have to keep in mind that you can have more than one server under the same domain.tld. If you have host1.whmserver.tld and host2.whmserver.tld you cannot choose the proxy solution of webmail.whmserver.tld.

    The question to me is: Is it possible to show a login screen for services on https://host.whmserver.tld (:443).
    Why not? What are the concerns?

    Thanks for your time.
     