Dovecot SSL config issue

tjmoore

Member
Jun 23, 2005
Hello,
I have just deployed a new server to replace my old server which has been running for a little over 5 years without issue!

During the change I elected to use Dovecot rather than Courier - the problem now, is that when you connect using SSL I get an SSL error:
Unable to establish a secure connection to mail.mydomain.com.

It has something to do with the self assigned SSL certificates I think - I have tried installing a Geotrust SSL, but I then get a domain mismatch error.

The Dovecot SSL is assigned to my hostname (server.myserver.com) and I'm connecting to mail using mail.mydomain.com

Is this correct, or do I need an SSL for every domain that connects to Dovecot ??

Thanks.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

It's normal to see the domain mismatch message if you connect to your mail server using a different hostname than what's used for the SSL certificate. The best way to avoid that message is to connect using the SSL certificate name.

Thank you.
 

tjmoore

Member
Jun 23, 2005
Thanks, so if I setup an SSL for mail.myserver.com and connect to mail using mail.myserver.com will that work ?

EDIT: just tried the above, doesn't work - domain mismatch error again. So do I have to setup an SSL for every domain that connects ?!
 

lorio

Well-Known Member
Feb 25, 2004
Thanks, so if I setup an SSL for mail.myserver.com and connect to mail using mail.myserver.com will that work ?
EDIT: just tried the above, doesn't work - domain mismatch error again. So do I have to setup an SSL for every domain that connects ?!

The services like:
cPanel/WHM/Webmail Service
Dovecot Mail Server
Exim (SMTP) Server
FTP Server

are using the hostname of your WHM server.

If you want to connect with mail.myserver.com you have to use a signed certificate for mail.myserver.com.

If you have a single SSL cert it is usually for www.myserver.com / myserver.com. You can buy a wildcard certificate which is working for *.myserver.com. The * is a placeholder, so mail/webmail/cpanel/www/ftp are all protected with one cert.


If you have a few accounts on your server, the real problem is that you cannot transfer accounts when your users are using SSL for emails. Since the hostname is configured in the mail clients, an account transfer means they have to change the hostname on every account on every device.
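
The matching rule behind the mismatch warning discussed in this thread, as an added example (not code from any poster, cPanel or Dovecot): a simplified Python version of the host-name check a mail client applies, run on constructed certificate name lists that reuse the thread's placeholder host names. It assumes the wildcard is the whole left-most label and ignores IP addresses and internationalized names.

```python
"""Simplified certificate host-name matching (RFC 6125 style rules)."""


def name_matches(cert_name: str, host: str) -> bool:
    """True if one DNS name from a certificate covers the host name."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so the label counts must be equal.
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Require at least "*.domain.tld" and a non-empty first host label.
        if len(cert_labels) < 3 or host_labels[0] == "":
            return False
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def check_host(cert_names, host):
    """Return the certificate names that cover host.

    An empty list is the case where the client shows a mismatch warning.
    """
    return [name for name in cert_names if name_matches(name, host)]


# Constructed sample data: DNS names as they would appear in a certificate.
SERVICE_CERT = ["server.myserver.com"]              # cert issued for the server hostname
WILDCARD_CERT = ["*.myserver.com", "myserver.com"]  # wildcard cert

if __name__ == "__main__":
    hosts = ["server.myserver.com", "mail.myserver.com",
             "mail.mydomain.com", "a.mail.myserver.com"]
    for label, names in (("hostname cert", SERVICE_CERT),
                         ("wildcard cert", WILDCARD_CERT)):
        for host in hosts:
            covered = check_host(names, host)
            status = "ok via " + covered[0] if covered else "MISMATCH"
            print(f"{label:14} {host:22} {status}")
```

Neither certificate covers mail.mydomain.com: a customer domain only validates if its own name is in the certificate the service presents.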
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Please keep in mind that certificates for services such as Dovecot are managed via:

"WHM Home » Service Configuration » Manage Service SSL Certificates"

You should not receive a domain mismatch error if you are connecting to the mail server with the SSL certificate name from the above option configured in your email client.

Thank you.
 

fsw_1

Registered
May 14, 2014
Hello I have a similar issue.

I don't know if I understood the answer correctly.

Not every customer wants to buy an ssl certificate for their domain. But I can also understand that the customers are confused when they get a pop up warning when logging in their control Panel or webmail. To avoid these conversations with customers, we are looking for a global solution.

So if I get an ssl certificate for: server.hostname.com - will the ssl Warning not appear anymore?

I am kind of struggling with this. Because I saw that the company thawte has an SSL Certificate - for Webserver
and in there it says: "Create a secure, private connection between a web browser and web server, including gateways, web forms, mail and FTP servers, and VPNs with up to 256-bit SSL encryption"

Now I am confused, do we need a normal SSL certificate or a Webserver certificate for our cPanel customer accounts, so that they don't get the popup browser warning?

Can someone please help me to get this issue handled? If there was a URL for each cPanel customer login link, what would this URL look like? How do other hosting companies handle this issue?

I hope someone can help.

thank you