Mail Client config section gives wrong info for SSL

Hi folks, I noticed today that when a customer chooses the "Configure Email Client" option in cpanel, the resulting page "clientconf.html" displays incorrect information about the SSL server hostname.

We use a basic naming convention for our servers similiar to this...

server001.domain.com
server002.domain.com

And we run a wildcard certificate for the cpanel service certificates - i.e *.domain.com

So the server's hostname is always covered by SSL for the relevent services.

Unfortunately, cpanel hasn't picked up on that and on all our servers, the info provided to the customer for them to connect via ssl is...

mail.domain.com

Which is of course completely incorrect and causes confusion for the customers. In fact, it's pretty ridiculous as it seems to suggest that a unique SSL certificate should be set up for each server individually. I'm not sure why it adds the "mail" prefix.

I am going to make the assumption that the way we have configured this is the most common way of setting up the service certificates and that this issue will affect any web host using this method.

So my questions are...

1. Is there a way to specifiy the SSL hostname somewhere, so that the customers can be presented with the correct info in cpanel?
2. If we are not doing this correctly (using a wildcard cert), what other way is recommended? I don't think it is practical to purchase an individual SSL cert for each server.

I can see this turning into a feature request :-(

Thanks for your time.

 

If the server's hostname is server.domain.com and the service certificate is *.domain.com the Mail Client Configuration page shows mail.domain.com. I don't know why it defaults to this. I think it must try to work out what hostname is covered by the certificate and if it cant find one (as it is a wildcard) it automatically prefixes with "mail.".

It stands to reason if the server's hostname is blah.domain.com and the certificate is *.domain.com that the Mail Client Configuration page should show the server's hostname as the SSL host to connect to - but I also think that we should be able to specify this somewhere - perhaps in tweak settings or in the service certificate area.

 

Are you using a wildcard cert too?

 

I got a feature requests notification today that this fix has been released.

 

The email just read...

In the feature request itself, Nick said...

 

Unfortunately, at first glance it would appear that this has been implemented incorrectly. All my servers are now on 11.38 and this behaviour has changed.

Previous issue: the SSL info was displaying mail.SSLCERTDOMAIN - so if the wildcard cert was for *.allmyservers.com the info would incorrectly display mail.allmyservers.com

The new implementation of this has simply set the SSL info to be the same as the non SSL info. So it is just now set to mail.mydomain.com where "mydomain.com" is the customers domain name. Again this is incorrect.

The correct implementation of this would be to set the info to display as the server's hostname, or to provide a configuration option to change this.

I've looked in "Tweak Settings" for a new option where the SSL mail hostname can be set - but I can't find any such setting.

Did I miss something?

 

This does not explain the logic, or the outcome of what is displayed for the SSL details in cpanel when the customer clicks "More > Configure Email Client" from the Email Accounts section.

On all my servers I have a wildcard SSL certificate installed for all the service certificates. *.myserverdomain.com

An example server hostname would be server01.myserverdomain.com

In the customer's cpanel - the "Configure Email Client" shows the following info for the SSL hostname...

WHM 11.36

mail.myserverdomain.com (old behaviour - incorrect)

WHM 11.38

mail.customerdomain.com (new behaviour - incorrect)

Both of these are incorrect. To connect via SSL using the service certificate on this server - the customer must use server01.myserverdomain.com which is the server's hostname and is covered by the wildcard certificate. I've checked three servers in sequence and this is not being displayed on any of them. Instead, the customers domain name is prefixed with mail in the same way as the non SSL details.

Your documentation above does not clearly indicate what SSL hostname will be displayed in the event of a wildcard SSL being used. In fact it makes no sense at all.

I need to quote it again...

I'm sorry but that is complete nonsense.

Then...

You are trying to explain how a wilcard certificate works there. Why? Any web host who installs a wildcard certificate already knows what it is for. But more to the point, none of that explains why the cpanel mail configuration details display mail.customerdomain.com for the SSL details and for the non SSL details. Can you explain to me in what way does the above explain this behaviour? To me, it simply explains pretty badly how an SSL certificate works.

So - not only is the new behaviour of this incorrect, your documentation does not explain the logic behind it at all.

Can you please clarify exactly what should be displayed in the customer's cpanel "Configure Email Client" details for SSL under the following circumstances..

1. The server is using a wildcard SSL certificate named *.myserverdomain.com for all services, as set in the "Service Certificates" section of WHM.

and

2. The server's hostname is server01.myserverdomain.com

Thank you.

 

I have just manually checked the first ten of my servers. I logged into cpanel as a random customer and viewed the "Configure Email Client" details.

Out of the ten servers checked, two of them correctly display the server's hostname in the SSL details. The other eight simply display the customer's domain with a mail prefix.

I understand that prior to 11.38, the SSL hostname was taken from the following files...

/var/cpanel/ssl/dovecot-CN
/var/cpanel/ssl/exim-CN

Where a wildcard cert is used, these files both currently contain the certificate name - i.e

*.myserverdomain.com

This is the same for the eight servers that do not display the details correctly and for the two that do. So I can only make the assumption that the displayed hostname is now determined by a different process.

I can confirm that replacing the certificate name with the server's hostname in these files does not have any effect on the displayed info in cpanel.

 

Support ticket number 4231465

 

Hi Michael,

A hostname with uppercase letters is not strictly "invalid" as you put it. The issue here is that cpanel does not correctly support hostnames with uppercase letters for this particular function.

 

It might well be listed as a requirement for cPanel now - but it certainly wasn't when our server hostnames were created in 2005. Now that I know your software doesn't correctly support mixed case or uppercase hostnames, I've changed them to lowercase.

Thanks.