Mail Client config section gives wrong info for SSL

[4u123]

Hi folks, I noticed today that when a customer chooses the "Configure Email Client" option in cpanel, the resulting page "clientconf.html" displays incorrect information about the SSL server hostname.

We use a basic naming convention for our servers similiar to this...

server001.domain.com
server002.domain.com

And we run a wildcard certificate for the cpanel service certificates - i.e *.domain.com

So the server's hostname is always covered by SSL for the relevent services.

Unfortunately, cpanel hasn't picked up on that and on all our servers, the info provided to the customer for them to connect via ssl is...

mail.domain.com

Which is of course completely incorrect and causes confusion for the customers. In fact, it's pretty ridiculous as it seems to suggest that a unique SSL certificate should be set up for each server individually. I'm not sure why it adds the "mail" prefix.

I am going to make the assumption that the way we have configured this is the most common way of setting up the service certificates and that this issue will affect any web host using this method.

So my questions are...

1. Is there a way to specifiy the SSL hostname somewhere, so that the customers can be presented with the correct info in cpanel?
2. If we are not doing this correctly (using a wildcard cert), what other way is recommended? I don't think it is practical to purchase an individual SSL cert for each server.

I can see this turning into a feature request :-(

Thanks for your time.

 

[Infopro]

On the Mail Client Configuration page, under the SSL section is shows you mail.domain.com instead of host.server.com, is that correct?

 

[4u123]

On the Mail Client Configuration page, under the SSL section is shows you mail.domain.com instead of host.server.com, is that correct?

If the server's hostname is server.domain.com and the service certificate is *.domain.com the Mail Client Configuration page shows mail.domain.com. I don't know why it defaults to this. I think it must try to work out what hostname is covered by the certificate and if it cant find one (as it is a wildcard) it automatically prefixes with "mail.".

It stands to reason if the server's hostname is blah.domain.com and the certificate is *.domain.com that the Mail Client Configuration page should show the server's hostname as the SSL host to connect to - but I also think that we should be able to specify this somewhere - perhaps in tweak settings or in the service certificate area.

 

[alinford]

I am having this same issue, except my config page is showing www.domain.com instead of hostname.domain.com.

Is there really no way to manually update this? It also breaks the webdisk ssl option.

 

[4u123]

I am having this same issue, except my config page is showing www.domain.com instead of hostname.domain.com.

Are you using a wildcard cert too?

 

[intelliracks]

We too are seeing this issue on servers that are using a wildcard certificate.

 

[LDHosting]

It looks as though there is already a feature request for this and the person that opened the request does suggest a workaround. Might be worth a try and adding your support to the request.

Fix incorrect calculation of secure mail server hostname | cPanel Feature Requests

 

[nibb]

I also have the same issue. This is giving me a lot of troubles because users have problems configuring their mail clients.

I have a wildcard SSL and the incoming/outgoing server shows mail.domain.com, this happens on all cPanel servers.

Which is wrong as it should show "servername.domain.com" which is the correct name server and the setting that works for SSL to avoid certicates problems.

This is a bug and needs to be rectified.

 

[4u123]

I got a feature requests notification today that this fix has been released.

 

[nibb]

I got a feature requests notification today that this fix has been released.

Which version? This issue is here for months as far as I can see.

 

[4u123]

The email just read...

Hello, The status of the feature request: you were watching has changed to Released.

In the feature request itself, Nick said...

This has been re-written with the addition of SNI and proper wildcard support in 11.38.

 

[4u123]

Unfortunately, at first glance it would appear that this has been implemented incorrectly. All my servers are now on 11.38 and this behaviour has changed.

Previous issue: the SSL info was displaying mail.SSLCERTDOMAIN - so if the wildcard cert was for *.allmyservers.com the info would incorrectly display mail.allmyservers.com

The new implementation of this has simply set the SSL info to be the same as the non SSL info. So it is just now set to mail.mydomain.com where "mydomain.com" is the customers domain name. Again this is incorrect.

The correct implementation of this would be to set the info to display as the server's hostname, or to provide a configuration option to change this.

I've looked in "Tweak Settings" for a new option where the SSL mail hostname can be set - but I can't find any such setting.

Did I miss something?

 

[cPanelMichael]

The updated behavior is documented at:

Email Client Configuration

Notes about email client configuration

If you have an installed non-wildcard SSL certificate which matches your hostname, the name of your server will match your hostname. For example, if your hostname is Example Domain and your SSL certificate matches your hostname, your server would be named Example Domain.

If your SSL certificate is a wildcard SSL, the name of your server will also match any subdomains which correspond to the hostname's domain. For example, an SSL certificate for *.example.com would be valid for my.example.com and foo.example.com.

If you do not have an SSL certificate installed, the server will use the mail subdomain of your domain. For example, mail.example.com. Also, the server will be named mail.example.com if your certificate does not match your hostname.

You may also be interested in the following feature request:

SSL Certificates Per Domain On Services

Thank you.

 

[4u123]

If your SSL certificate is a wildcard SSL, the name of your server will also match any subdomains which correspond to the hostname's domain. For example, an SSL certificate for *.example.com would be valid for my.example.com and foo.example.com.

This does not explain the logic, or the outcome of what is displayed for the SSL details in cpanel when the customer clicks "More > Configure Email Client" from the Email Accounts section.

On all my servers I have a wildcard SSL certificate installed for all the service certificates. *.myserverdomain.com

An example server hostname would be server01.myserverdomain.com

In the customer's cpanel - the "Configure Email Client" shows the following info for the SSL hostname...

WHM 11.36

mail.myserverdomain.com (old behaviour - incorrect)

WHM 11.38

mail.customerdomain.com (new behaviour - incorrect)

Both of these are incorrect. To connect via SSL using the service certificate on this server - the customer must use server01.myserverdomain.com which is the server's hostname and is covered by the wildcard certificate. I've checked three servers in sequence and this is not being displayed on any of them. Instead, the customers domain name is prefixed with mail in the same way as the non SSL details.

Your documentation above does not clearly indicate what SSL hostname will be displayed in the event of a wildcard SSL being used. In fact it makes no sense at all.

I need to quote it again...

If your SSL certificate is a wildcard SSL, the name of your server will also match any subdomains which correspond to the hostname's domain.

I'm sorry but that is complete nonsense.

Then...

For example, an SSL certificate for *.example.com would be valid for my.example.com and foo.example.com.

You are trying to explain how a wilcard certificate works there. Why? Any web host who installs a wildcard certificate already knows what it is for. But more to the point, none of that explains why the cpanel mail configuration details display mail.customerdomain.com for the SSL details and for the non SSL details. Can you explain to me in what way does the above explain this behaviour? To me, it simply explains pretty badly how an SSL certificate works.

So - not only is the new behaviour of this incorrect, your documentation does not explain the logic behind it at all.

Can you please clarify exactly what should be displayed in the customer's cpanel "Configure Email Client" details for SSL under the following circumstances..

1. The server is using a wildcard SSL certificate named *.myserverdomain.com for all services, as set in the "Service Certificates" section of WHM.

and

2. The server's hostname is server01.myserverdomain.com

Thank you.

 

[4u123]

I have just manually checked the first ten of my servers. I logged into cpanel as a random customer and viewed the "Configure Email Client" details.

Out of the ten servers checked, two of them correctly display the server's hostname in the SSL details. The other eight simply display the customer's domain with a mail prefix.

I understand that prior to 11.38, the SSL hostname was taken from the following files...

/var/cpanel/ssl/dovecot-CN
/var/cpanel/ssl/exim-CN

Where a wildcard cert is used, these files both currently contain the certificate name - i.e

*.myserverdomain.com

This is the same for the eight servers that do not display the details correctly and for the two that do. So I can only make the assumption that the displayed hostname is now determined by a different process.

I can confirm that replacing the certificate name with the server's hostname in these files does not have any effect on the displayed info in cpanel.

 

[4u123]

Support ticket number 4231465

 

[cPanelMichael]

Hello

The result of the ticket was that this particular issue stemmed from an invalid hostname used on the server. The hostname contained capital letters, which are not supported. Updating the hostname to all lowercase letters via "WHM Home » Networking Setup » Change Hostname" resolved this issue.

Thank you.

 

[4u123]

Hello

The result of the ticket was that this particular issue stemmed from an invalid hostname used on the server. The hostname contained capital letters, which are not supported. Updating the hostname to all lowercase letters via "WHM Home » Networking Setup » Change Hostname" resolved this issue.

Thank you.

Hi Michael,

A hostname with uppercase letters is not strictly "invalid" as you put it. The issue here is that cpanel does not correctly support hostnames with uppercase letters for this particular function.

 

[cPanelMichael]

A hostname with uppercase letters is not strictly "invalid" as you put it. The issue here is that cpanel does not correctly support hostnames with uppercase letters for this particular function.

Yes, that is true. For the most part, users will not encounter any problems with capital letters in their hostname. However, the use of lowercase letters is listed as a requirement for cPanel in our documentation:

cPanel Docs - Hostname

Thank you.

 

[4u123]

Yes, that is true. For the most part, users will not encounter any problems with capital letters in their hostname. However, the use of lowercase letters is listed as a requirement for cPanel in our documentation:

cPanel Docs - Hostname

Thank you.

It might well be listed as a requirement for cPanel now - but it certainly wasn't when our server hostnames were created in 2005. Now that I know your software doesn't correctly support mixed case or uppercase hostnames, I've changed them to lowercase.

Thanks.