The Community Forums


Mail SNI mail.<domain> - doesn't work

Discussion in 'E-mail Discussions' started by manuel.sousa, Mar 7, 2016.

  1. manuel.sousa

    manuel.sousa Member

    Joined:
    Jan 31, 2014
    Messages:
    11
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hello,

    I've already confirmed that webmail/other cPanel proxies don't work with SNI and there's currently a feature request for that.

    However, as far as I understand, mail should work.

    I've set up a wildcard certificate *.domain, and SNI works on the web and also if I use the bare domain for IMAP.

    However, if we use mail.domain it doesn't work. Is this by design, and should all email use domain instead of mail.domain, or am I missing some step?

    We currently host some accounts for which the site isn't on the same server, and as such being able to use SNI with mail.domain would be an advantage.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Per our documentation, mail SNI configures the mail services to use the SSL certificate that's installed for your domain name instead of the server's default certificate. Mail SNI is not compatible with Webmail and will not function for any Webmail connection. Webmail connections use the cPanel service SSL certificate. Could you clarify the specific issue you are facing? For instance, is "Mail SNI" enabled for a domain name in "WHM >> Manage SSL Hosts", and if so, is using that certificate name in the email client resulting in a specific error message?

    Thank you.
     
  3. manuel.sousa

    manuel.sousa Member

    Hello,

    The issue I'm facing is that I have one cPanel server with the email while I have a different server for the website. This is also the same issue as with clients for whom we host only the email.

    On both servers I have the domain (example.org) configured.

    I access the website using example.org or www.example.org while I access the email using mail.example.org. I use the default cPanel entries, but the www and @ addresses point to a different server than the mail.

    When I install a wildcard certificate *.example.org on both servers, it works for HTTP/HTTPS but doesn't work for mail.

    The thing is, if I connect through IMAP using example.org as the SNI host it "works":
    Code:
    openssl s_client -connect mail.example.org:993 -servername example.org
    ....
    Certificate chain
    0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.org
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
    2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ....

    If I use mail.example.org it doesn't, and shows the default server certificate:
    Code:
    openssl s_client -connect mail.example.org:993 -servername mail.example.org
    ....
    Certificate chain
    0 s:/CN=myhost
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
    1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ....

    Unlike the openssl client, I can't control this behavior in an email client, which uses the configured server name.

    I believe the issue might be in /etc/dovecot/sni.conf, where it only shows:
    Code:
    ...
    local_name example.org
    ...

    I just don't know if I'm missing something to add local_name mail.example.org, pop.example.org, ... or if this is by design and somehow forbids using the other domain alias like mail.example.org when using SNI.

    Hope I was clear on the issue, and thanks for your assistance,
    Manuel
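An added example (mine, not from the thread or from cPanel) that reproduces the openssl check above in Python: it connects with a chosen SNI name, keeps chain validation on but disables hostname checking so the mismatching default certificate can still be inspected, and applies the RFC 6125 wildcard rules that decide whether *.example.org covers mail.example.org (but not www.mail.example.org). Function and variable names are my own; the sample name lists are constructed from the two outputs quoted above.

```python
import socket
import ssl

# Constructed sample data modelled on the two openssl outputs in the thread.
WILDCARD_CERT_NAMES = ["*.example.org", "example.org"]   # the wildcard cert
DEFAULT_CERT_NAMES = ["myhost"]                           # the server default


def name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard is honoured only as the entire
    leftmost label and matches exactly one label (no m*.example.org, no *.org)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(names, hostname):
    """True if any SAN/CN entry in `names` is valid for `hostname`."""
    return any(name_matches(n, hostname) for n in names)


def cert_names(cert):
    """Collect SAN dNSName entries from an ssl.getpeercert() dict; fall back
    to the subject CN only when the certificate has no SAN (as CN=myhost)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(v for k, v in rdn if k == "commonName")
    return names


def probe(host, sni, port=993):
    """Connect to host:port sending `sni` as the TLS server name and report the
    names on the presented certificate and whether they cover `sni`.
    Chain validation stays on (so getpeercert() is populated); only the
    hostname check is switched off so a mismatch is reported, not raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            names = cert_names(tls.getpeercert())
    return names, cert_covers(names, sni)
```

Calling `probe("mail.example.org", "mail.example.org")` against the server described above would return the default certificate's names with `False`, while `probe("mail.example.org", "example.org")` returns the wildcard names with `True`.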
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Could you try installing the certificate for "mail.example.org" on the server the user connects to for email services, as opposed to installing it under the wildcard entry?

    Thank you.
     
  5. manuel.sousa

    manuel.sousa Member

    Not sure I understood the idea, but when adding a certificate I get the following error:

    The domain “mail.example.org” is not managed on this server. You must specify an IP address to install SSL for “mail.example.org” or set up this domain on a new account, or create it as parked domain, a subdomain, or an addon domain of an existing account, and try again.

    The server has example.org configured.

    I guess that if I park mail.example.org under example.org it might allow me, but that's just twisted. I'd end up having www.mail.example.org, mail.mail.example.org, ....
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I believe that mail SNI should prevent the SSL warning message in your email client based on the information you have provided. Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  7. manuel.sousa

    manuel.sousa Member

    Thanks, sorry for the late reply, but I was on holidays. I've just opened the support request with the ID: 7504783
     
  8. storminternet

    storminternet Well-Known Member

    Joined:
    Nov 2, 2011
    Messages:
    462
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    Root Administrator
    Happy to wait for the solution to this problem.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    To update, it was determined that functionality for multi-domain SSL certificates is not fully supported with the Mail SNI feature. The workaround is to set up a separate subdomain for "mail.domain.com" and to install the SSL certificate onto that specific subdomain. Internal case CPANEL-1366 is open to determine how to best address this in future versions of cPanel. I will update this thread with any updates to this case as they occur; however, there are no specific time frames on a change at this time.

    Thank you.
     
  10. manuel.sousa

    manuel.sousa Member

    Just to add that in order to install the SSL certificate onto that specific subdomain it's required that one deletes the mail entry from the DNS.
     
  11. manuel.sousa

    manuel.sousa Member

    Another workaround until it's fixed, which I ended up doing, is to create a new template. The template I came up with is based on the certificate file name and as such has limited use: one "extra" name. This works well for wildcards, for which I add mail.domain, and for the domain that is present in the certificate SN, which is added as it is.

    For instance, in order to add mail.example.org, create a certificate with SN mail.example.org and with example.org in the SAN (needed for cPanel to install it even if not used).

    Domain names present in the SAN are ignored by the template, and this doesn't work for parked domains either, which currently associate their certificate with the primary domain.

    Below is my template in case you want to use it; just put it in /var/cpanel/templates/dovecotSNI/main.local:
    Code:
    [%# One local_name block per Mail SNI domain, as cPanel generates it. %]
    [% FOREACH domain IN mail_sni_domains.sort -%]
    local_name [% domain %] {
        ssl_cert = <[% mail_sni_domains.$domain.crt %]
        ssl_key = <[% mail_sni_domains.$domain.key %]
        [%- IF mail_sni_domains.$domain.cabundle %]
        ssl_ca = <[% mail_sni_domains.$domain.cabundle %]
        [%- END %]
    }
    [%# Derive one extra name from the certificate file name: a wildcard cert
        (_wildcard__example_org_...) becomes mail.example.org, a leading www_
        is dropped, and the remaining underscores become dots. %]
    [% matches = mail_sni_domains.$domain.crt.match('certs/(.*)_\w+_\w+_\d+_\w+.crt$') -%]
    [% certDomain = matches.0.replace('_wildcard__','mail_').replace('www_','').replace('_','.') -%]
    [%# Emit a second block, reusing the same files, only when the derived name differs. %]
    [% IF domain != certDomain -%]
    local_name [% certDomain %] {
        ssl_cert = <[% mail_sni_domains.$domain.crt %]
        ssl_key = <[% mail_sni_domains.$domain.key %]
        [%- IF mail_sni_domains.$domain.cabundle %]
        ssl_ca = <[% mail_sni_domains.$domain.cabundle %]
        [%- END %]
    }
    [% END -%]
    [% END -%]
     