Email - best way to setup?

morrow95 (Well-Known Member, joined Oct 8, 2006)
I have CSF on my server and just recently noticed the new warning about pop before smtp / Antirelayd. I had this enabled for whatever reason in the past. I did some research and found out what it was and does and went ahead and disabled it. This got me looking into some other settings with my email.

Here is an example setup for an email account on the server right now.

server : server.servername.com

email address : [email protected]
pop mail server : mail.example.com on port 110
smtp server : mail.example.com on port 25

smtp auth is enabled as antirelayd is disabled.

To be honest I have always had my accounts setup like this as long as I have had a server. Would it be advised to use ssl for both sending and receiving on 995 and 465? I actually tested this with smtp and received a certificate popup (just have the self signed on the server now), but was able to send it.

With that comes a few other questions :

- If I buy an ssl cert for mail, can I still use the same mailserver setup mail.example.com for each domain or will I need to use my servername for all domains?

- Is it possible to force ssl for all mail connections? I assume this would prevent attempts on hacking any mail accounts a little more.

- Will this have any effect on script email? For example, a php script on a website that sends mail to myself (contact form) comes from [email protected] (suphp running).

- I only host my own sites on this server - is an ssl cert for mail even necessary really?

- I recently noticed emails from any of my server domains to gmail accounts are being sent to the gmail spam folder. Yes, I have DKIM and SPF working properly. PTR and RDNS are set up properly as well. SMTP auth is also in effect. Would sending with ssl have any effect on this or 'help' at all?

Thanks for any information, this is just one of those things I knew was available, but never really cared over the years as it worked the way it was.
 

cPanelMichael (Administrator, Staff member, joined Apr 11, 2011)
Hello :)

1. You will need to use the certificate name in your email client, as it should match the hostname used for the installation via:

"WHM Home » Service Configuration » Manage Service SSL Certificates"

2. This is easier if you use Dovecot. You can disallow plaintext authentication via:

"WHM Home » Service Configuration » Mailserver Configuration"

Per the description:

This setting will allow remote email clients to authenticate using unencrypted connections. When set to 'no' only connections originating on the local server will be allowed to authenticate without encryption. Setting this to 'no' is preferable to disabling IMAP in the 'Protocols Enabled' section since it will force remote users to use encryption while still allowing webmail to function correctly.

For Exim, browse to the "Security" tab in "WHM Home » Service Configuration » Exim Configuration Manager" and enable "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server."

3. This depends on how the email is being sent from the script. If it's not using SMTP authentication, then the settings you configure for email authentication should not make a difference in the ability of the script to send emails.

4. It's not required. It's really a matter of personal preference on if you want plaintext transmission of authentication details.

5. That is likely a separate issue, and utilizing SSL for email authentication would not likely make a difference.

Thank you.
 
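As an added illustration of what the Exim "require SSL or STARTTLS before authentication" option above changes on the wire (this is example code written for this thread, not cPanel's own and not the original poster's), the shell function below inspects an SMTP EHLO response. With that option on, Exim stops advertising AUTH on a session that has not negotiated STARTTLS, so a client that tries to log in over a plain connection has nothing to authenticate with and reports an auth error. The two EHLO responses are constructed samples; the commands in the comments are the live checks an administrator would run against their own server. The same idea applies to the Dovecot setting for POP3/IMAP, where a CAPA or CAPABILITY response on a plain connection should likewise not offer plaintext login.

```shell
#!/bin/sh
# Added example: decide from an EHLO response whether a server still lets
# clients authenticate over an unencrypted connection. Both responses below
# are constructed samples, not captured from a real server.

# Constructed sample: AUTH offered on a non-TLS session (passwords could go in the clear).
EHLO_PLAINTEXT_AUTH='250-mail.example.com Hello probe.example [192.0.2.10]
250-SIZE 52428800
250-STARTTLS
250-AUTH PLAIN LOGIN
250 HELP'

# Constructed sample: AUTH withheld until STARTTLS has been issued (hardened).
EHLO_TLS_REQUIRED='250-mail.example.com Hello probe.example [192.0.2.10]
250-SIZE 52428800
250-STARTTLS
250 HELP'

# ehlo_offers_auth RESPONSE
# Prints "plain-auth" if a "250-AUTH ..." (or "250 AUTH ...") line is present,
# "no-plain-auth" otherwise. Exim only advertises AUTH when it is willing to
# accept authentication on the current session, so run this against the EHLO
# reply of an unencrypted probe to see whether plaintext logins are still possible.
ehlo_offers_auth() {
    if printf '%s\n' "$1" | grep -qiE '^250[ -]AUTH( |$)'; then
        echo plain-auth
    else
        echo no-plain-auth
    fi
}

# Live probes an administrator would run (need network access; not run here):
#   Plain port 25, before STARTTLS (wait for the banner before sending EHLO):
#     { sleep 2; printf 'EHLO probe.example\r\nQUIT\r\n'; sleep 1; } | nc -w 5 mail.example.com 25
#   After STARTTLS on the same port (type "EHLO probe.example" once the TLS session is up):
#     openssl s_client -starttls smtp -connect mail.example.com:25
# Expected with the option enabled: no AUTH line in the first, an AUTH line in the second.

# Stand-alone run prints the verdict for both constructed samples.
echo "plaintext sample: $(ehlo_offers_auth "$EHLO_PLAINTEXT_AUTH")"
echo "tls-required sample: $(ehlo_offers_auth "$EHLO_TLS_REQUIRED")"
```

Port 25 itself stays open with this option; what changes is that the server refuses to take a password until the session is encrypted, which is exactly the behaviour the later replies in this thread describe.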

morrow95 (Well-Known Member)
Thanks. I got an ssl cert for my server hostname (server.host.com) and set it up for all services. I am running into a few problems I can't figure out or maybe they are not possible.

Email for example... I am now using port 995 to receive and 465 to send with the ssl setup. My mailservers are in the format mail.example.com. I am getting an error (I use Thunderbird, but shouldn't make a difference) that the site attempts to identify itself with invalid information - Wrong Site. The cert is correct of course since it shows my server.host.com address, but it is the mailserver I guess which does not match up with this. Is there a way around this issue? Should I have gotten a wildcard cert for the server hostname? There must be a way to change this other than just accepting the cert warning.

Second question - I enabled forcing of ssl by turning on "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server". I was under the assumption this would prevent email through ports 25 and 110, however, I can easily receive email on port 110 still. As for sending email on port 25 I get an smtp auth error now. Yes, port 25 has always been open through CSF as well as my ISP. This error never happened before. Is this all working correctly - are the non-ssl ports always open and it's just the decision of the person using the email client? If so, why the new error sending on the non-ssl port 25 all of a sudden?

I also have csf installed so I guess I can just block ports 25,26,110,143, however, I was curious as to what the forcing option really does if I can still access.
 

cPanelMichael (Administrator, Staff member)
My mailservers are in the format mail.example.com. I am getting an error (I use Thunderbird, but shouldn't make a difference) that the site attempts to identify itself with invalid information - Wrong Site. The cert is correct of course since it shows my server.host.com address, but it is the mailserver I guess which does not match up with this. Is there a way around this issue? Should I have gotten a wildcard cert for the server hostname? There must be a way to change this other than just accepting the cert warning.
You will need to configure your email client to use the hostname of the server if that's what you used for the SSL certificate. It's not possible to install a service certificate on a per-domain basis at this time.

I enabled forcing of ssl by turning on "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server". I was under the assumption this would prevent email through ports 25 and 110, however, I can easily receive email on port 110 still. As for sending email on port 25 I get an smtp auth error now. Yes port 25 has always been open through CSF as well as my ISP. This error never happened before. Is this all working correctly - are the non-ssl ports always open and its just the decision of the person using the email client? If so, why the new error sending on the non-ssl port 25 all of a sudden?
The "Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server" option is for SMTP purposes. It does not alter the behavior of POP3 or IMAP. It will not allow you to use port 25 because it's not the SSL port for sending. Instead, you should use the secure port (465) for sending.

Thank you.
 
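The "Wrong Site" warning quoted above is the mail client comparing the hostname it was told to connect to (mail.example.com) against the names inside the certificate (server.host.com); a certificate for one name cannot vouch for the other, which is why the fix is to point the client at the certificate's hostname. As an added example, not from cPanel or from this thread, the shell function below performs that comparison the way mail clients do, including the single-label wildcard rule, so you can check a certificate's names against whatever hostname your users have configured. All names in it are constructed; the openssl commands in the comments are how you would pull the real names from a running service.

```shell
#!/bin/sh
# Added example: does a certificate's name list cover the hostname a mail client
# connects to? Mirrors the check behind Thunderbird's "Wrong Site" warning.
# All hostnames below are constructed for illustration.

# cert_matches_host "NAME1 NAME2 ..." HOST
# Prints "match" and returns 0 if any exact name or single-label wildcard
# (*.example.com covers mail.example.com but neither a.b.example.com nor
# example.com) covers HOST; prints "mismatch" and returns 1 otherwise.
# Comparison is case-insensitive, as DNS names are.
cert_matches_host() {
    names=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    for n in $names; do
        case $n in
            '*.'*)
                suffix=${n#"*."}
                rest=${host%".$suffix"}
                # host must end in ".suffix" and the remainder must be exactly one label
                if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]; then
                    echo match; return 0
                fi ;;
            *)
                if [ "$n" = "$host" ]; then echo match; return 0; fi ;;
        esac
    done
    echo mismatch; return 1
}

# To pull the real names from a running service (needs network access; not run here):
#   openssl s_client -connect server.host.com:465 -servername server.host.com </dev/null 2>/dev/null \
#     | openssl x509 -noout -subject -ext subjectAltName
# For a STARTTLS port add "-starttls smtp" (port 25) or "-starttls pop3" (port 110).
# Feed the CN and every DNS: entry from subjectAltName to cert_matches_host as one list.

# Walkthrough of the situation in this thread (constructed values):
cert_matches_host "server.host.com" "mail.example.com"     # mismatch: the warning the poster saw
cert_matches_host "server.host.com" "server.host.com"      # match: point the client at the cert name
cert_matches_host "*.host.com" "mail.example.com"          # mismatch: a wildcard for the server's domain would not help
```

The function checks names only; expiry, chain validation and revocation are separate checks the client also performs, so a name match alone does not mean the certificate would be accepted.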

morrow95 (Well-Known Member)
Thanks Michael... that explains the force ssl much better as I was getting a different story from other folks.

I tried using the server hostname on the other services including mail and ftp specifically. If I use the server for ftp for example... it is the username that determines what domain on the server to login to. What if you have the same username on multiple domains in the server? How do you differentiate username 'joe' from example.com and the same username 'joe' from example2.com? Two different domains, same username, but two 'different' users altogether.

I had an issue with receiving email this morning, but it appears a restart of exim and pop did the trick - all is working fine using the server hostname for email now.

Last questions and I know this is not directly cpanel related, but many of us use it. CSF... if I want to block access to only secure email, would I just block incoming TCP ports 25,110,143 in the firewall? Does this have any effect on people 'sending' me email? I thought this was correct and I added this last night - of course, this morning I had this issue and reverted back. For all I know this could have been one of the problems causing the email issue this morning.
 

cPanelMichael (Administrator, Staff member)
You can only use a single username for FTP if it's the cPanel account username. You are required to log in with the full virtual FTP username when accessing FTP. EX:

Attempting to use just the username part of a virtual FTP account will result in an authentication failure.

The following guide should be helpful in determining which ports you can open, and whether you should allow inbound/outbound connections:

Getting the most out of your system firewall

Thank you.
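A concrete way to express the firewall part of the last question as configuration, as an added example that is not from this thread or from the CSF documentation: the csf.conf excerpt below keeps the port other mail servers need to deliver to you and drops only the plaintext client ports. The port lists are assumed from the setup described in this thread (25, 26, 110, 143, 465, 995) plus the standard IMAP-over-SSL port 993; any other ports your server needs (SSH, web, FTP, and so on) are omitted here and must stay in your real list. Inbound port 25 is how every other MTA hands mail to your Exim, so closing it inbound does stop people sending you mail; with the STARTTLS-before-auth option already on, leaving 25 open does not expose client passwords.

```ini
# csf.conf excerpt (added example, constructed values; keep your other ports)

# Too broad: every mail port open, so clients can still authenticate on the
# plaintext ports 25/26/110/143 unless each service itself refuses it.
# TCP_IN = "25,26,110,143,465,993,995"

# Too narrow: closes 25 inbound, which also blocks other mail servers
# delivering to you (MX delivery is unauthenticated SMTP on port 25).
# TCP_IN = "465,993,995"

# Balanced: keep 25 for inbound MX delivery (AUTH on it already requires
# STARTTLS), drop the plaintext client ports, and serve clients on
# 465 (SMTPS), 993 (IMAPS) and 995 (POP3S). Add 587 here if your Exim also
# accepts submissions on that port.
TCP_IN = "25,465,993,995"
```

After editing csf.conf, reload the firewall (csf -r) and confirm from an outside host that port 25 still answers with the Exim banner while 110 and 143 time out; webmail keeps working because it talks to the mail services locally, which the firewall rules above do not affect.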