Mail SNI assigned certificates are not correct

Discussion in 'E-mail Discussion' started by lorio, Apr 24, 2016.

  1. lorio

    lorio Well-Known Member

    WHM 54.0 (build 21)
    CentOS 6.7
    Dedicated IP (not relevant for Mail SNI)
    The account was transferred (WHM version on both servers identical)

    Account with
    main.tld
    parkeddomain.tld

    Both used for emails. Website is using parkeddomain.tld
    Website certificate is set to parkeddomain.tld.

    For both main.tld and parkeddomain.tld a certificate (CA, not self-issued) was installed.
    Since only one can be used for Mail SNI the main.tld was removed.

    Test of SNI domains with Thunderbird
    mailserver pop3 set to : main.tld
    Certificate mismatch : The certificate of the parkeddomain.tld is delivered to Thunderbird.

    mailserver pop3 set to : parkeddomain.tld
    Certificate mismatch : The certificate of the hostserver (normal behaviour without SNI) is delivered to Thunderbird.

    Is this a known issue? Any workaround to get this fixed? Perhaps the order of installing or removing the certificates again?

    Before opening a ticket or a defect bug ticket I would like to get some feedback from others.
    Thanks in advance.
  2. lorio

    lorio Well-Known Member

    I checked /etc/dovecot/sni.conf and found some of the issues.

    The CA bundle was not installed on transferred domains. The CA was installed on the old server before transfer was done.
    The bug here seems to be that the CA bundle is not transferred but requested by the new server.

    The SSL/CN=Secure Site Starter DV SSL CA - G2 cert isn't available on the net.
    Not sure why that cert isn't available. It isn't available on the CA site as well.
    Only the partners of the Symantec Encryption Everywhere campaign provide them with the cert itself.

    There seems to be no proven way to add CA bundles to the OS (CentOS 6) and get cPanel to recognize them when installing via the GUI. The CA bundle isn't prefilled when using autofill, which I would expect as a sign that the CA bundle is now available serverwide.

    Parked domains as web SNI and main domain as mail SNI. Is that possible? Doesn't seem to work from the GUI.
    But can a parked domain be added as a local host entry in the Dovecot SNI?
    If yes, what is the correct way to add entries there? What way is expected by cPanel?

    Thanks for reading.
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    This is addressed in cPanel version 58 with internal case CPANEL-5601.

    Could you let us know the specific vendor this CA Bundle was purchased from? What type of certificate is it?

    Aliases (Parked Domains) cannot have their own SSL certificates because they do not have their own Virtual Host. You would have to remove the domain names as aliases (parked domains) and add them as addon domains to allow them to have their own SSL certificates. Does the "Mail SNI" functionality work as expected if you switch the domain name from a parked domain to an addon domain name?

    Thank you.
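
A way to repeat the Thunderbird test from the first post without a mail client, as an added example that is not part of the thread or cPanel's own code: it sends a chosen SNI name to the POP3S port and reports whether the returned certificate covers that name, covers only the server hostname (the non-SNI default), or belongs to another domain. A leaf served without its CA bundle, as in the second post, shows up as a chain error. `host.server.tld`, the function names and the sample certificate dictionaries are constructed for illustration.

```python
import socket
import ssl

# Constructed getpeercert()-style samples mirroring the thread's two results.
# host.server.tld is a placeholder for the server's own hostname.
PARKED_CERT = {"subject": ((("commonName", "parkeddomain.tld"),),),
               "subjectAltName": (("DNS", "parkeddomain.tld"),
                                  ("DNS", "www.parkeddomain.tld"))}
HOST_CERT = {"subject": ((("commonName", "host.server.tld"),),)}


def cert_names(cert):
    """DNS names a certificate covers: SAN entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return [n.lower() for n in names]


def name_matches(pattern, host):
    """Exact match, or '*' standing in for exactly the left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])


def classify(sni_name, cert, server_hostname):
    """Say which certificate the mail service picked for this SNI name."""
    names = cert_names(cert)
    if any(name_matches(n, sni_name) for n in names):
        return "ok"
    if any(name_matches(n, server_hostname) for n in names):
        return "server-default"   # no SNI entry matched, fallback cert sent
    return "other-domain"         # an SNI entry for a different name was used


def probe(host, sni_name, server_hostname, port=995, timeout=10):
    """Connect to POP3S sending sni_name and classify what comes back."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False    # names are compared by classify() instead
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
                return classify(sni_name, tls.getpeercert(), server_hostname)
    except ssl.SSLCertVerificationError as exc:
        # Typical when the server sends the leaf without its CA bundle.
        return "chain-error: " + exc.verify_message


if __name__ == "__main__":
    print(classify("main.tld", PARKED_CERT, "host.server.tld"))
    print(classify("parkeddomain.tld", HOST_CERT, "host.server.tld"))
```

Calling `probe()` once per mail domain on the account, before and after reinstalling a certificate, shows whether the SNI mapping or the chain changed.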