Domain TLS not working for IMAP & POP3

carock

Well-Known Member
Sep 25, 2002
St. Charles, MO
My account SSL certificates are not working on these services anymore. The server recently upgraded to version 74 but I'm not sure if one has anything to do with the other.

When I connect using a mail client or with an openssl s_client test, only the server hostname certificate is presented. This is causing my mail clients to claim the connection is not secure because the cert name doesn't match.

How can I troubleshoot the Domain TLS system? I don't see any documentation about it other than what it does.

The actual domain is mail.schickerautomotive.com and the SSL Status page is good for that name using an AutoSSL cert.

My iPhone gives an error connecting to an E-mail account and I verified with this test.

openssl s_client -servername mail.schickerautomotive.com -connect mail.schickerautomotive.com:143 -starttls imap

The cert presented is for the hostname of the server, not the address entered in the test.

Same result for this connection test too.

openssl s_client -servername mail.schickerautomotive.com -connect mail.schickerautomotive.com:110 -starttls pop3

The SMTP certificate presented is the correct cert when I use smtp and port 25 in the command above. So that is working.

Any ideas?

Thanks,
Chuck
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
Are you sure a certificate for Dovecot exists for mail.schickerautomotive.com?

cat /etc/dovecot/sni.conf | grep "local_name.*mail.schickerautomotive.com"
 

carock

Well-Known Member
Sep 25, 2002
St. Charles, MO
I ended up starting a ticket with cPanel. It looks like when the server updated to version 74 cPanel, it put the server hostname certificate in place where the other was.

They put the original cert back and my connections are happy again.

This may be something they will fix or find a way to tell us if it affects the server when the update happens.

It may also be something unique I have because of my server configuration and doesn't affect anyone else.

I'll find out when the other cPanel servers I have update.

Thank you for helping. I'm going to look into your information as well.

Chuck

 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
Houston
Hi @carock

Can you please share the ticket ID here so I can check in on it? I do know that we filed a case on this behavior today CPANEL-22289 as we have seen it occur on a few other servers as well.


Thanks!
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
I ended up starting a ticket with cPanel. It looks like when the server updated to version 74 cPanel, it put the server hostname certificate in place where the other was.
Thanks for sharing this. I see stuff like this happening a lot. A cPanel release won't have a major bug or issue found until it reaches RELEASE. This is one reason why I always hold back on updating to the latest version of cPanel. I was just about to start upgrading our servers to cPanel 74 today, but I think I'll wait and see if this is a bug that needs to be fixed in a new cPanel 74 release.
 

carock

Well-Known Member
Sep 25, 2002
St. Charles, MO
Ticket ID# 10117047

The file that sparek-3 pointed me at was the correct one. That file is where Dovecot has its certs and keys for the SNI TLS connection.

The file on this server only had the main server cert set up and no Domain TLS entries in it below.

The cPanel staff fixed it by putting my relevant domain certs in the main server file, but comparing that file with other servers showed me what went wrong.

I "fixed" the file so it was back to its original format and all the connections to the hostname and account domains are working perfectly.

This was the file after the upgrade and broken.

-------------------------------------------------------
# DO NOT MODIFY THE NEXT LINE:
# This version of dovecot supports: wildcards, multi local_name, explict maincert local_name.

# Main cert for SNI

local_name "cpanel-99.mcgraphics.cc www.cpanel-99.mcgraphics.cc" {
ssl_cert = </etc/dovecot/ssl/dovecot.crt
ssl_key = </etc/dovecot/ssl/dovecot.key
}

# END - Main cert for SNI

# Domain TLS
# End Domain TLS
---------------------------------------------------------

This is what it's supposed to look like.

---------------------------------------------------------
# DO NOT MODIFY THE NEXT LINE:
# This version of dovecot supports: wildcards, multi local_name, explict maincert local_name.

# Main cert for SNI

local_name "cpanel-99.mcgraphics.cc www.cpanel-99.mcgraphics.cc" {
ssl_cert = </etc/dovecot/ssl/dovecot.crt
ssl_key = </etc/dovecot/ssl/dovecot.key
}

# END - Main cert for SNI

# Domain TLS
local_name "mail.schickerautomotive.com mail.oneownervehiclesonline.com oneownervehiclesonline.com www.oneownervehiclesonline.com" {
ssl_cert = </var/cpanel/ssl/domain_tls/mail.schickerautomotive.com/combined
ssl_key = </var/cpanel/ssl/domain_tls/mail.schickerautomotive.com/combined
}
# End Domain TLS
---------------------------------------------------------
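To check a server's sni.conf for the gap Chuck describes, here is an added shell example (not cPanel's code and not from the thread): it parses the local_name blocks and reports which expected hostnames have no SNI entry, using configs constructed from the broken and fixed files above. The wildcard handling is a shell-glob approximation of Dovecot's matching (assumption).

```shell
#!/bin/sh
# Added example (not cPanel's code): verify that the hostnames Domain TLS should
# serve actually have a local_name block in Dovecot's sni.conf.
# The two configs below are constructed from the thread's broken and fixed files.

# Print every hostname named in a local_name "..." line of the config on stdin.
sni_names() {
    sed -n 's/^[[:space:]]*local_name[[:space:]]*"\([^"]*\)".*/\1/p' | tr ' ' '\n' | sed '/^$/d'
}

# sni_covers CONFIG HOST: succeed if HOST matches a local_name entry in CONFIG.
# A wildcard entry such as *.example.com is matched as a shell glob, which is
# only an approximation of Dovecot's own wildcard rules (assumption).
sni_covers() {
    names=$(printf '%s\n' "$1" | sni_names)
    while read -r name; do
        case $2 in
            $name) return 0 ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# sni_missing CONFIG "host1 host2 ...": print each host that has no SNI entry.
sni_missing() {
    for host in $2; do
        sni_covers "$1" "$host" || printf '%s\n' "$host"
    done
}

# Constructed sample: sni.conf as found after the upgrade (Domain TLS section empty).
BROKEN='# Main cert for SNI
local_name "cpanel-99.mcgraphics.cc www.cpanel-99.mcgraphics.cc" {
ssl_cert = </etc/dovecot/ssl/dovecot.crt
ssl_key = </etc/dovecot/ssl/dovecot.key
}
# Domain TLS
# End Domain TLS'

# Constructed sample: the same file with the Domain TLS block restored.
FIXED="$BROKEN"'
local_name "mail.schickerautomotive.com mail.oneownervehiclesonline.com" {
ssl_cert = </var/cpanel/ssl/domain_tls/mail.schickerautomotive.com/combined
ssl_key = </var/cpanel/ssl/domain_tls/mail.schickerautomotive.com/combined
}'

# Hostnames that AutoSSL issued certificates for and that clients connect to.
WANT="mail.schickerautomotive.com mail.oneownervehiclesonline.com"
echo "missing after upgrade: $(sni_missing "$BROKEN" "$WANT" | tr '\n' ' ')"
echo "missing after fix:     $(sni_missing "$FIXED" "$WANT" | tr '\n' ' ')"
```

On a live server the same check runs as `sni_missing "$(cat /etc/dovecot/sni.conf)" "$WANT"`; any hostname it prints is one for which Dovecot will fall back to the server hostname certificate, which is exactly the name-mismatch the mail clients complained about.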
 

sparek-3

Well-Known Member
Aug 10, 2002
2,152
267
388
cPanel Access Level
Root Administrator
Do you perhaps need to run

/scripts/build_mail_sni

Although, it would be interesting to know if the SNI entries are being removed in cPanel 74, and if so, why?

A test server I have that is running cPanel 74 also has an empty domain list in /etc/dovecot/sni.conf - although I can't personally vouch for it that it was populated correctly prior to being upgraded to cPanel 74.