Gmail email from cPanel via POP

[Tom Risager]

I am having issues configuring Gmail to retrieve emails from our cPanel server using POP. Using the un-encrypted port 110 works very nicely, but when I try to switch to the SSL secured port 995, Gmail tries for a while and then gives up and reports a communications issue, suggesting there may be a misconfiguration on the server side.

The strange thing is, it works flawlessly when I configure Mail on my Mac for POP over port 995 using the exact same credentials, server names etc.

I have access to WHM and root access via SSH, but I'm somewhat at a loss as to what is going on here and how to troubleshoot. Any help would be greatly appreciated.

 

[ThinIce]

Just a thought, but is your hostname cert (the one used in courier / dovecot) self signed?

I think google started to refuse to connect to self signed services late last year.

- - - Updated - - -

http://it.slashdot.org/story/12/12/17/2323207/gmail-drops-support-for-connecting-to-pop3-servers-with-self--signed-certs

Worth reading purely for

You've now posted several times that self signed certs are useless and provide no security, in fact they lower security (from what baseline I must ask?)

So I would make a little bet with you. I will put up $100,000, my testicles in a jar with a small plaque saying "These balls once belonged to a fool." You will put up $10,000 plus any required travel expenses to carry out the wager. The terms of the wager are that I will provide a client and a server system. The server will have a self signed certificate. You will provide the networking equipment of your choice as well as any device(s) you so desire to place in between my client and server. I will make an SSL connection from my client to my server. Your job is to MITM the connection without my being able to detect said MITMing. Note that I am allowing you to build the entire network connecting my two devices, only requirement being that it be standard ethernet. Additionally you do not get to tamper with my equipment, this is about the security of self signed certificates, not whether you can literally or metaphorically crowbar open my systems and install a keylogger to capture the passphrase of my private SSL keys.

How about it? You game? I can always use an extra $10,000.

 

[Tom Risager]

Thanks for your response, but no - the Dovecot cert is issued by RapidSSL and it is valid. As far as I can tell it is correctly installed, at least Mac Mail does not complain, and external certificate testers show that everything is good.

 

[cPanelMichael]

Hello

Upon testing, I was able to successfully receive email via POP through GMail over port 995. Do you notice any specific failures in the /var/log/maillog on your server, or are there any firewalls on your system that could be blocking the connection from Google?

Thank you.

 

[Tom Risager]

Thanks for taking the trouble of testing this for me

I finally got it to work with a test email address, by using a different name for the POP server in Gmail. These are the secure settings from cPanel:

Username: [email protected]
Password: Use the email account’s password.
Incoming Server: web01.ourserver.dk
POP3: Port 995
​

This works with Mac Mail, but not with Gmail. The error message in Gmail is "Connection timed out: There may be a problem with the settings you added. Please contact your other email provider to verify the correct server name and port." There is no entry in /var/log/maillog.

These are the insecure settings:

Username: [email protected]
Password: Use the email account’s password.
Incoming Server: mail.somedomain.dk
POP3: Port 110
​

These work fine in Gmail.

Now, if I use the secure settings with the "Incoming Server" name from the insecure settings, using POP in Gmail works. I.e. this is the combination that works:

Username: [email protected]
Password: Use the email account’s password.
Incoming Server: mail.somedomain.dk
POP3: Port 995
​

So basically we have a solution that works, except our customers cannot configure Gmail POP themselves based on the information displayed in cPanel.

I'd still love to understand why the secure settings work fine on my Mac, but not in Gmail. Disabling CSF temporarily on the server makes no difference, so I don't see this as a firewall issue.

 

[cPanelMichael]

The settings provided in cPanel are actually the correct ones that should be used in an email client. The mail server name should match the name of the certificate that is installed for the mail server. You may need to consult with Google directly to determine why they are requiring those alternate settings.

Thank you.

 

[Tom Risager]

Reported this to Google support on my Google Apps account. It appears to be a problem with IPv6 support on my cPanel servers.

Referring to my example settings above, I had created an AAAA record for web01.ourserver.dk, and Gmail was using that IPv6 address when trying to contact the POP server. This does not work. The workaround was to remove the AAAA entry, forcing Gmail to connect over IPv4.

Is POP access over IPv6 supported on cPanel, or is it still TBD? I.e. is there any point in creating a support ticket over this?

Thanks,
Tom

 

[cPanelMichael]

Full IPv6 compliance is not implemented across cPanel/WHM at this time. You can find the most recent update on it's implementation at:

IPv6 Update

Note that Dovecot itself does support IPv6 if that is the mail server you are using, however using IPv6 for mail purposes is not officially supported yet.

Thank you.

 

[JacobHansen]

Hi,

If anyone is interested I simply changed: /etc/dovecot/dovecot.conf to allow IPv6 acess as such:

inet_listener pop3 {
address = *,[::]
}
# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
inet_listener pop3s {
address = *,[::]
}
}

inet_listener imap {
address = *,[::]
}
# IP or host address where to listen in for SSL connections. Defaults
# to above if not specified.
inet_listener imaps {
address = *,[::]
}
}

Seems to be working just fine, although cPanel do not support it yet officially. Hopefully next time

 

[JacobHansen]

While the resolution posted in my previous reply works. cPanel seem to edit this file at every update. cPanel seems to have some template system which is used to restore a configuration on every update. I've have a look at this but have not been able to figure out how to get it to work properly.

Is there anyone who could lend a hand?

 

[cPanelMichael]

You can edit the following file for local modifications to the Dovecot configuration:

/var/cpanel/templates/dovecot2.2/main.local

Note: You can copy this file from /var/cpanel/templates/dovecot2.2/main.default if it does not exist. After making the custom modifications, you must run:

/scripts/builddovecotconf

Thank you.

 

[storminternet]

A same error is happening while importing email to gmail via secure pop port 995.

- ERROR -
Unable to establish secure SSL connection
I can connect to POP,IMAP Port 110, 143 via telnet but when tried to connect via 995 there is no response. SSL from trusted ssl authority is already installed on server hostname.

Any help is appreciated.

Further to add port 993,995 are opened in csf.

 

[cPanelMichael]

Have you tried contacting Google's support team to help determine the cause of the problem?

Thank you.

 

[arjene]

this option is just killed by update: 1.45.9x 11.46:
Fixed case 127357: Ensure Dovecot starts by default without ipv6 kernel module.

this fixed ? just killed all ipv6 support in dovecot and a main.local with enbabled ipv6 is not working anymore.
why is cpanel not ipv6 minded ?

You can edit the following file for local modifications to the Dovecot configuration:

/var/cpanel/templates/dovecot2.2/main.local

Note: You can copy this file from /var/cpanel/templates/dovecot2.2/main.default if it does not exist. After making the custom modifications, you must run:

/scripts/builddovecotconf

Thank you.

 

[cPanelMichael]

You can actually enable or disable IPv6 for Dovecot natively using the following interface:

"WHM Home » Service Configuration » Mailserver Configuration"

Simply enable or disable the "IPv6 Enabled" option.

Thank you.