
IMAP / POP3 / SMTP via SSL

Discussion in 'E-mail Discussions' started by netwrkr, Jun 16, 2003.

  1. netwrkr

    I just replaced the default cPanel SSL self signed cert with a trusted geo cert. Now when I grab email via imap/s or pop3/s it doesn't annoy me with a 'this is not a trusted certificate' blah warning. However, when I send mail that message appears -- for some reason smtp/s is still using the self signed cPanel created certificate.

    Seems like a bug. Anyone else seen this?

    TP

  2. netwrkr

    heh

    Update /etc/exim.crt and /etc/exim.key with the same certificate you use for your webserver.

  3. Wako

    Are you able to send/receive email using the cert for your webserver, which is the name of the server or the secure site?
     
  4. mpierre

    We did all of that, but we are still getting the error on SMTP...

    any ideas ?
     
  5. peruda.com

    I updated the exim.crt and exim.key files, chown'd them to mailnull, chgrp'd them to mail, chmod'd them to 600, and restarted exim - Yet I am still getting the error, "terminated in a root certificate which is not trusted by the trust provider."

    What else might I try? POP3 SSL works fine.
     
  6. TerraSpeed

    Update /usr/local/cpanel/etc/cpanel.pem
     
  7. mpierre

    Sorry, I still get the error...

    I copied my key and crt files /etc/exim.crt and /etc/exim.key into a blank cpanel.pem so that the values are replaced with my own.

    I restarted exim and CPpop, but I still get the error...
     
  8. jamesbond

    I've never been able to get rid of the warning.

    Updating /etc/exim.crt and /etc/exim.key with the server crt and key doesn't make any difference.

    Do we have to do something with the CA bundle?

    I hope someone will come forward with a definite solution :)
     
    #8 jamesbond, Dec 8, 2003
    Last edited: Dec 8, 2003
  9. peruda.com

    Below are the responses I got from cPanel technical support (Darren). In short, he says that each of my clients would have to install the CA bundle for my InstantSSL/Comodo SSL certificate in their mail client software to avoid the error. I don't even think you can do that with Outlook Express. I know of other providers who work fine with SSL SMTP - no errors, however they are using a Thawte SSL cert. My theory is that it has to do with the SSL company -- is yours InstantSSL or Thawte or another? Thanks!

    Here are the responses from Darren:

    Response #1:

    Hello,

    Is the CA for your cert set up in your mail client ? It looks like an InstantSSL/Comodo chained cert which may need you to explicitly set the certificate authority up in your mail clients.

    root@host [~]# openssl s_client -connect 64.191.119.150:465
    CONNECTED(00000003)
    depth=0 /C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
    0 s:/C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    i:/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA
    ---
    ...
    subject=/C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    issuer=/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1468 bytes and written 314 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
    Server public key is 1024 bit
    SSL-Session:
    Protocol : TLSv1
    Cipher : DES-CBC3-SHA
    Session-ID: C40F7FA2F4A343948B602AAA4A359FA36A435E3393481D97BC9FE005CD09DDC0
    Session-ID-ctx:
    Master-Key: 72101C3B00C2296C52585D2D1B2D95F1B7039AC95E730BE6D6AE7153ACB679C7EEDB2742D3D229157180905E7888E0D4
    Key-Arg : None
    Start Time: 1070060831
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    ---
    220-z.peruda.com ESMTP Exim 4.24 #1 Fri, 28 Nov 2003 15:07:18 -0800
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.


    I'm not aware of a CA file for Exim like Apache has (the CA bundle that can be sent to a client automatically to let SSL clients know who to ask). Does it still give you the error if the CA bundle from Comodo has been added to the client's CA list?

    Thanks,
    Darren



    --------------------------------------------------------
    Response #2:

    Hello,

    POPS (995) is cppop wrapped by stunnel, whereas SMTPS (465) is directly handled by exim.

    : openssl s_client -connect 64.191.119.150:995
    CONNECTED(00000005)
    depth=2 /C=US/O=GTE Corporation/CN=GTE CyberTrust Root
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
    0 s:/C=US/2.5.4.17=98111/ST=WA/L=Seattle/2.5.4.9=PO Box 1293/O=Peruda Multimedia/OU=Web/OU=InstantSSL/CN=z.peruda.com
    i:/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA
    1 s:/C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo Class 3 Security Services CA
    i:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
    2 s:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
    i:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root


    Stunnel can handle sending a CA bundle as defined in the stunnel config file.

    Thanks,
    Darren
    --

    ----- Original Message -----
    From: John Hoover
    To: Eric G.
    Sent: Friday, November 28, 2003 8:18 PM
    Subject: Re: [cPanel tickets ID# 30092]


    Thanks to Darren very much for the reply -- I just have one question. Perhaps I'm missing something, but why would we have to configure the cert's CA in the mail client, when it works fine with SSL POP3 (port 995)? Internet Explorer accepts the CA without questions, as does Outlook/Outlook Express with POP3/995 - It's only with SMTP/465 that it questions the certificate's authority.

    Thanks again.
    John Hoover
    Peruda Networks LLC
    john@peruda.com
    www.peruda.com
    1.877.7.PERUDA
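The two transcripts Darren quoted show the actual difference between the services: on port 465 exim presents only the depth 0 certificate, so a client that lacks the Comodo intermediate cannot reach a root it trusts (verify errors 20/21), while stunnel on port 995 presents leaf, intermediate and root. The following Python is an added example, not code from the thread or from cPanel: it parses the "Certificate chain" section of `openssl s_client` output (constructed sample transcripts modelled on the ones above, with a made-up hostname) and reports whether the server omitted any issuer a mail client would need.

```python
import re

# Constructed sample transcripts (not real hosts), shaped like the two
# `openssl s_client` runs quoted in the thread: exim on 465 sends only
# the leaf certificate; stunnel on 995 sends leaf, intermediate and root.
SMTPS_465 = """\
Certificate chain
 0 s:/C=US/O=Example Multimedia/OU=InstantSSL/CN=mail.example.test
   i:/C=GB/O=Comodo Limited/CN=Comodo Class 3 Security Services CA
---
Verify return code: 21 (unable to verify the first certificate)
"""

POP3S_995 = """\
Certificate chain
 0 s:/C=US/O=Example Multimedia/OU=InstantSSL/CN=mail.example.test
   i:/C=GB/O=Comodo Limited/CN=Comodo Class 3 Security Services CA
 1 s:/C=GB/O=Comodo Limited/CN=Comodo Class 3 Security Services CA
   i:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
 2 s:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
   i:/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
---
"""

# One "N s:<subject>" line followed by its "i:<issuer>" line.
CHAIN_RE = re.compile(r"^[ \t]*(\d+) s:(.*)\n[ \t]*i:(.*)$", re.MULTILINE)

def parse_chain(transcript):
    """Return [(depth, subject, issuer), ...] from s_client output."""
    return [(int(d), s.strip(), i.strip())
            for d, s, i in CHAIN_RE.findall(transcript)]

def missing_issuers(chain):
    """Issuer names that no certificate in the chain carries as subject.
    A self-signed root (subject == issuer) is not a gap: the client is
    expected to hold the root in its own trust store."""
    subjects = {s for _, s, _ in chain}
    return [i for _, s, i in chain if i != s and i not in subjects]

def diagnose(transcript):
    """One-line verdict; a missing intermediate is the SMTPS symptom
    in the thread (verify error 20/21 on port 465 only)."""
    chain = parse_chain(transcript)
    if not chain:
        return "no certificate chain found"
    gaps = missing_issuers(chain)
    if not gaps:
        return "complete chain (%d certs); client needs only the root" % len(chain)
    return "server sent %d cert(s) but not the issuer(s): %s" % (
        len(chain), "; ".join(gaps))
```

To check a live service, feed it the output of `openssl s_client -connect host:465` (and the same for 995) instead of the constructed samples; a reported gap means the intermediate CA certificate must be served by exim rather than installed on every client.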
     
  10. casey

    Darren's right. It doesn't work with comodo certs. I have tried it on multiple computers. It does not work even if you install the cert on the local computer. Your best bet is to use Geotrust (from ev1servers for $25) instead. I can verify that those certs work. Plus comodo customer service sucks.
     
  11. jamesbond

    Ahhh... that explains it... I'm indeed using an InstantSSL cert.
    Ok, I guess I'll switch to GeoTrust then.


    Thanks for the info!
     
  12. peruda.com

    Let me know if the GeoTrust SSL works well . . . (Or have you tried it already?) I guess Thawte's prices have gone up since the last purchase I made with them - apparently a 1 year cert is $199, so I guess GeoTrust is a bit cheaper at $149.

    Anyway, I would be curious to know how that goes if you end up doing that.

    Thanks!
    -John
     
  13. peruda.com

    Whoops - forget about my last post. I obviously hadn't read Casey's. I am wondering how ev1servers can sell GeoTrust certs for only $25, when they go for $159 at geotrust.com? Do they just get a really great reseller deal for their volume? Weird. . .

    -John
     
  14. cwhcom

    Hi, may I ask which files exactly you edited to accomplish this and what services you may have to restart? I tried putting my Geo cert in some files, but they must not be the right ones because I still get the annoying 'this is not a trusted cert' mess when checking email through IMAP.

    Thanks
     
  15. netwrkr

    I updated /etc/exim.crt and /etc/exim.key then restarted exim.
     
  16. r2d3

    If you pay to have an X509 certificate signed by a trusted CA like GeoSign, what host name do you use for the certificate?

    If you use the host name of the server, then do you not still get an alert each time (using HTTPS or IMAP / POP3 / SMTP via SSL)? I would have expected the annoying alerts to appear because a virtual server accessing a website over SSL, or email over SSL, using theirdomainname.com is never going to be the same as the host name of the server (i.e. hostname.whatever.com).

    IE alert:
    "The name on the security certificate is invalid or does not match the name of the site"

    Outlook alert:
    "The certificate you are using could not be verified... etc."

    Has anyone solved this problem? The only solution I can think of is to allocate one IP address per virtual server and generate a certificate for each, which would be very inefficient and expensive if going down the CA route.

    Any advice would be really appreciated

    thanks
     
  17. peruda.com

    r2d3 - You need to use the hostname that cPanel is configured for and then have your clients use that for POP3/SMTP etc. Although I am still having trouble sending with SMTP . . . I will post another reply with the details.
     
    #17 peruda.com, May 18, 2004
    Last edited: May 18, 2004
  18. peruda.com

    I finally upgrade to a GeoTrust cert through ev1servers, and much to my dismay, I am still having the same problem with it "not terminating in a trusted root certificate" when sending mail!!! I have tried port 25 and port 465. Is anyone still having this trouble, or did moving to GeoTrust really fix it?

    Thanks!
     
  19. r2d3

    peruda, you will need to update the key and X509 certificate manually as cpanel does not do this for you.

    To do this go edit these 2 files using a text editor:

    /etc/exim.crt - x509 certificate
    /etc/exim.key - private key

    Thanks for your response to my post, but that is not a good solution for me. For many reasons it is not a good idea for the client to reference the host directly, because it prevents me from moving clients' accounts onto different servers for security and performance reasons. Currently I can switch them between several servers within a couple of minutes should the need arise, which it does (by altering the DNS settings and using cPanel's multiple transfer options).

    If the client is using the host name - or of course even worse the ip address - then there will be problems. I will get support emails and have a bad day ..

    Does anyone know a way around this? As I already mentioned, it is not practical to allocate each account a dedicated IP address just to ensure the name on the X509 certificate matches the FQDN / host name being accessed over SSL.

    Does anyone think this would work? I set myself up as a CA and get my ordinary medium level of trust certificate in the name of the host/server certified by GeoTrust or equivalent. Then I generate a key pair for every client and use the server's private key (which is now certified) to sign certificates for each client. Then, when a client requests an SSL connection to the server, even though they use a shared IP address, I somehow get the server to respond with the appropriate SSL certificate (I'm not sure how to do this bit yet), with of course the correct hostname and as usual the rest of the certificate chain, the next one being the one for the server, and upwards to the root CA, which of course we all trust because the application / OS trusts it for us. Problem solved??

    All suggestions welcome :)
     
    #19 r2d3, May 18, 2004
    Last edited: May 18, 2004
  20. peruda.com

    Thanks r2d3 . . I fixed it. I had already tried updating /etc/exim.key and /etc/exim.crt but come to find out, there was a discrepancy between the WHM certificate and the exim.crt certificate. It works now that that is fixed!

    I can see how it would be handy for you to have all clients use their own domains for sending and receiving e-mail so you can switch them from box to box. At the moment, I am keeping to a centralized model mainly so I can use the one SSL certificate for everyone's secure mail. I don't have a lot of clients, so I basically have just one box with one backup.

    It looks like you might need to get the GeoTrust "Enterprise SSL" product: http://www.geotrust.com/enterprise_security/enterprisessl.htm


    Thanks again.
     