cPanel / Webmail without nonstandard ports but with SSL

lorio

Well-Known Member
Feb 25, 2004
314
22
168
cPanel Access Level
Root Administrator
Since Cpanel thinks this old thread is outdated:
http://forums.cpanel.net/f5/ssl-acc...96-signed-wildcard-hostservercert-227211.html


When using e.g. www.customermail.tld/webmail you can get a screen:

"Connection Selection ..."

If you are not behind a firewall that blocks port 2096
Enter Here https://host.whmdomain.tld

If you are behind a firewall and can not connect to port 2096
Enter Here https://webmail.customerdomain.tld

Problem is that if the port is blocked you are redirected to the local domain with https.
So without the port there is no proxy domain for the host domain which would use the wildcard SSL cert.

That situation is unchanged for years.

What is missing is a way to redirect to an account which just provides proxy domains covered by the wildcard cert of the host.

Since the same problem exists with cPanel WebDisk etc., I wonder why nobody seems to have a problem with this. Are customers eager to pay for their own SSL cert only to be told that Exim, Courier and Dovecot are not accessible via your cert, you have to use the host cert?

Accessing the control panel and webmail without special ports is important. SSL is a must. Otherwise you get your customer to pay for a cert they don't want to use, or to remember a different domain name as mail server.

The current situation is incoherent in more than one way.

Subdomains are not able to use SSL. See feature request
http://features.cpanel.net/response...ain-to-hostname-instead-of-origin-domain-name

But since Exim, Dovecot and Courier are not currently able to use customer domains as proxy with the certs of customers, it is a long way to go. Providing a way to access webmail via the standard port and SSL via a wildcard cert of the host looks like a shorter way to get at least one way consistent.
 

lorio

Michael, seems you're everywhere. Thanks for your effort. I have no problems opening a feature request. We had some threads about related or similar topics before. Not sure if the wording and explanation of the problem prevented any traction in the userbase or if nobody is needing that feature set. Hope to find enough people here in the forums who care about that problem today. Might help to get a better feature request.
 

lorio

For TL;DR: Is there a way to allow a customer/user to access webmail via standard ports via SSL/TLS with only a wildcard cert for the whole server? customerdomain.tld/webmail has the firewall detection screen, but if nonstandard ports are blocked a cert for the account is needed.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
For TL;DR: Is there a way to allow a customer/user to access webmail via standard ports via SSL/TLS with only a wildcard cert for the whole server? customerdomain.tld/webmail has the firewall detection screen, but if nonstandard ports are blocked a cert for the account is needed.
Are you referring to port 2096? If so, that port is accessible with the standard SSL certificate that's installed for the cPanel/WHM/Webmail service in:

"WHM Home » Service Configuration » Manage Service SSL Certificates"

A wildcard certificate is acceptable, but most users prefer to install it for the hostname of the server to ensure there are no certificate warnings.

Thank you.
 

lorio

A wildcard certificate is acceptable, but most users prefer to install it for the hostname of the server to ensure there are no certificate warnings.
I only want to use the installed wildcard for the host server. The problem is the nonstandard ports.

With standard port I meant the ports no corporate firewall is blocking. 208X and 209X are mostly blocked.
We could say standard is 443 for SSL/TLS.

Why isn't it possible to have https://hostwhm.hostname.tld/webmail as an entry point?
Currently the rerouting for enforcing SSL when accessing customerdomain.tld/webmail is:

If you are behind a firewall and cannot connect to port 2096:
https://webmail.customerdomain.tld
(you will need an additional signed cert to prevent browser problems)

If you are not behind a firewall that blocks port 2096
https://hostwhm.hostname.tld:2096
Wildcard Cert will be used. But users with corporate/public firewalls cannot access it.

Why isn't it possible to have https://hostwhm.hostname.tld/webmail as an entry point?

Perhaps a special account, which can be used for certain functions.
Such a location will also be needed to place custom XML files for autodiscover/autoconfig.
 

cPanelMichael

You can modify the settings under the "Redirection" tab in "WHM Home » Server Configuration » Tweak Settings". In particular, this option:

SSL redirect destination

Also, you mentioned the entry point or the URL used to access Webmail. What error message do you receive when accessing it directly through that URL?

Thank you.
 

lorio

SSL redirect destination
I am familiar with these settings.

If you choose
"Always redirect users to the SSL/TLS ports and certificate hostname when visiting /cpanel, /webmail, etc."
you won't be able to change anything. And that is correct. If you only want to use a wildcard cert for the whole host server you don't want to redirect to the customer domains.

Also, you mentioned the entry point or the URL used to access Webmail. What error message do you receive when accessing it directly through that URL?
Which entry point? Sorry.
If you have installed a wildcard on the Apache installation (which is not recommended) you will get a redirection to the ports 2096/2083 when entering https://whm.hostserver.tld/webmail or /cpanel.

I don't see a config problem. The proxy solution to prevent port usage of 2083/2096 is not available for whmhost.whmserver.tld. If I take the developer point of view into account, they have to keep in mind that you can have more than one server under the same domain.tld. If you have host1.whmserver.tld and host2.whmserver.tld you cannot choose the proxy solution of webmail.whmserver.tld.

The question to me is: Is it possible to show a login screen for services on https://host.whmserver.tld (:443)?
Why not? What are the concerns?

Thanks for your time.
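The posts above turn on which hostnames the host's wildcard cert actually covers (host1.whmserver.tld, webmail.whmserver.tld) and which it cannot (webmail.customerdomain.tld, hence the extra cert). The following added example, not code from the forum thread or from cPanel, applies the RFC 6125 wildcard matching rules to a constructed SAN list so an admin can check that before changing any redirect settings.

```python
"""Check which hostnames a wildcard certificate's SAN entries cover.

Added example; the SAN list is constructed. Rules applied (RFC 6125):
'*' may only be the entire leftmost label, it matches exactly one label,
and it never covers the parent domain itself or a bare '*.tld'.
"""

def label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare one DNS label; a bare '*' matches any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    # Partial wildcards such as 'host*' are rejected (stricter than RFC 6125 permits).
    return pattern_label.lower() == host_label.lower()

def san_matches(san: str, hostname: str) -> bool:
    """True if the SAN entry 'san' covers 'hostname' under wildcard rules."""
    san_labels = san.rstrip(".").split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # '*' covers exactly one label, never 'a.b.whmserver.tld'
    if "*" in san_labels:
        if san_labels.count("*") != 1 or san_labels.index("*") != 0:
            return False  # wildcard only once and only in the leftmost label
        if len(san_labels) < 3:
            return False  # refuse '*.tld'
    return all(label_matches(p, h) for p, h in zip(san_labels, host_labels))

def covered_by(sans, hostname: str):
    """Return the SAN entry that covers 'hostname', or None if a separate cert is needed."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None

# Constructed SAN list for the server-wide wildcard certificate discussed in the thread.
HOST_WILDCARD_SANS = ["*.whmserver.tld", "whmserver.tld"]

if __name__ == "__main__":
    for h in ["host1.whmserver.tld", "host2.whmserver.tld", "webmail.whmserver.tld",
              "whmserver.tld", "webmail.customerdomain.tld", "mail.host1.whmserver.tld"]:
        san = covered_by(HOST_WILDCARD_SANS, h)
        print(f"{h:30} -> {san or 'NOT COVERED (separate cert needed)'}")
```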
 
