
Mail SNI not working for some domains

Discussion in 'E-mail Discussion' started by brixion_ricky, Dec 5, 2018.

  1. brixion_ricky

    brixion_ricky Member

    Joined:
    Apr 26, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    I have some issues configuring my e-mail in Thunderbird, since it reports a certificate error for the IMAP hostname: the server returns the server certificate instead of the domain certificate.

    To give you an example:
    Code:
    [root@cloud01 etc]# openssl s_client -connect mail.example.com:993 -servername mail.example.com
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=cloud01.example.net
       i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
     1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
     2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ---
    Server certificate
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=cloud01.example.net
    issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
    It gives the certificate for the server hostname.

    When I change the port to SMTP 465 it works correctly:
    Code:
    [root@cloud01 etc]# openssl s_client -connect mail.example.com:465 -servername mail.example.com
    Certificate chain
     0 s:/CN=example.com
       i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
     1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
     2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ---
    Server certificate
    subject=/CN=example.com
    issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
    Since I run on cPanel v76 the Mail SNI should be enabled by default. The strange thing is that some other domains on the same server return the correct certificate [removed real domain]

    I already tried to delete the whole domain and add it again and delete the certificates in Manage SSL hosts and recreate by running AutoSSL. Nothing fixed this issue.

    Is this a bug? Is it something I can fix manually?
     
    #1 brixion_ricky, Dec 5, 2018
    Last edited by a moderator: Dec 6, 2018 at 2:03 PM
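The two `openssl s_client` runs above show the diagnostic that matters for Mail SNI: the subject of the leaf certificate tells you whether Dovecot answered the SNI name with the domain's own certificate or fell back to the server hostname certificate. The following script is an added example (not cPanel's code, and not from anyone in this thread) that automates that comparison. It parses `openssl s_client` text output offline, which only exposes the CN, and also contains a live check over Python's `ssl` module that reads the SAN list, which is what a mail client actually validates. Hostnames such as `mail.example.com` and `cloud01.example.net` are taken from the redacted examples above; the embedded sample outputs are constructed copies of those two runs.

```python
"""Mail SNI check: does the IMAP/SMTP TLS endpoint serve the certificate for
the requested SNI name, or the server's fallback certificate?

Added example for this thread; not cPanel's own code. Hostnames and the
sample outputs below are constructed from the thread's redacted examples.
"""
import re
import socket
import ssl
from typing import Optional


def name_matches(cert_name: str, servername: str) -> bool:
    """RFC 6125-style match: exact, or a single-label leftmost wildcard."""
    cert_name = cert_name.lower().rstrip(".")
    servername = servername.lower().rstrip(".")
    if cert_name == servername:
        return True
    if cert_name.startswith("*."):
        head, sep, rest = servername.partition(".")
        # "*.example.com" matches "mail.example.com" but not "a.b.example.com"
        return sep == "." and head != "" and ("." + rest) == cert_name[1:]
    return False


def leaf_belongs_to_domain(cn: str, domain: str) -> bool:
    """True when the leaf CN is the domain, a name under it, or a wildcard for it.
    This is the thread's question: domain cert (good) vs. server hostname cert (bad)."""
    cn, domain = cn.lower().rstrip("."), domain.lower().rstrip(".")
    if cn.startswith("*."):
        cn = cn[2:]
    return cn == domain or cn.endswith("." + domain)


def leaf_cn_from_s_client(output: str) -> Optional[str]:
    """Pull the leaf CN from `openssl s_client` text output. Handles the old
    slash-separated subject (/CN=host) and the newer 'CN = host' form."""
    m = re.search(r"^Server certificate\s*\n\s*subject=(.*)$", output, re.M)
    if not m:
        return None
    cn = re.search(r"CN\s*=\s*([^/,\n]+)", m.group(1))
    return cn.group(1).strip() if cn else None


def offline_verdict(output: str, domain: str) -> dict:
    """Offline: judge a saved s_client transcript. CN only; SANs are not in this output."""
    cn = leaf_cn_from_s_client(output)
    return {"domain": domain, "leaf_cn": cn,
            "domain_cert": cn is not None and leaf_belongs_to_domain(cn, domain)}


def live_sni_check(host: str, port: int, servername: str, timeout: float = 5.0) -> dict:
    """Live: TLS handshake with SNI on an implicit-TLS port (993, 465). The chain is
    validated against system roots, but hostname checking is done here so a mismatch
    is reported instead of raised. Ports 143/587 need STARTTLS and are not handled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            cert = tls.getpeercert()
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                names.append(v)
    return {"servername": servername, "names": names,
            "matches": any(name_matches(n, servername) for n in names)}


# Constructed transcripts mirroring the thread's two runs (chains trimmed).
S_CLIENT_993 = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=cloud01.example.net
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=cloud01.example.net
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
"""
S_CLIENT_465 = """\
Certificate chain
 0 s:/CN=example.com
   i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
---
Server certificate
subject=/CN=example.com
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
"""


def run_samples() -> dict:
    """Verdicts for the two constructed transcripts, keyed by port."""
    return {993: offline_verdict(S_CLIENT_993, "example.com"),
            465: offline_verdict(S_CLIENT_465, "example.com")}


if __name__ == "__main__":
    for port, verdict in run_samples().items():
        print(port, verdict)
    # Live use (needs network): live_sni_check("mail.example.com", 993, "mail.example.com")
```

Run it as-is to see the offline verdicts for the two transcripts; the 993 transcript is flagged because the leaf CN `cloud01.example.net` is not under `example.com`. The live function is the one to loop over a list of domains after running the rebuild command discussed later in the thread, since a CN alone can hide a valid SAN entry.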
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,410
    Likes Received:
    1,956
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @brixion_ricky,

    This should only happen when the SSL certificate for "mail.domain.tld" isn't signed. Can you browse to WHM >> Manage AutoSSL >> Logs and review the most recent log file? Check to see if there are any errors or warnings when AutoSSL checks "mail.domain.tld" on the affected account.

    Thank you.
  3. LucasRolff

    LucasRolff Active Member

    Joined:
    May 27, 2013
    Messages:
    33
    Likes Received:
    25
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Try running the command:

    Code:
    /scripts/build_mail_sni --rebuild_dovecot_sni_conf && /scripts/build_mail_sni --restartsrvs
    There are a few cases where cPanel doesn't actually update the dovecot sni configuration, so SNI doesn't work until that's done :) One of the "famous" cases is during migrations.
     
    brixion_ricky and cPanelMichael like this.
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,410
    Likes Received:
    1,956
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hi Lucas,

    Good point!

    Internal case CPANEL-21273 is open to address an issue where the Mail SNI configuration for addon domains isn't automatically updated when the account is transferred using WHM >> Transfer Tool with the "Copy Home Directory" option unchecked. I don't see an existing forums thread open for this, so I'll link this thread to the case and provide an update here when the solution is published.

    Are there any additional scenarios or cases you're aware of where the SNI configuration isn't automatically updated? I'd like to ensure an internal case is open for each scenario.

    Thank you.
    brixion_ricky likes this.
  5. brixion_ricky

    brixion_ricky Member

    Joined:
    Apr 26, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    The SSL certificate is issued successfully. I can't find anything suspicious in the log files:
    Code:
     10:11:02 AM The system will attempt to renew the SSL certificate for the website (domain.server.tld: domain.tld www.domain.tld mail.domain.tld webmail.domain.tld cpanel.domain.tld webdisk.domain.tld domain.server.tld www.domain.server.tld).
     No CAA record added because there is no CAA record from another provider in the DNS for domain.tld.
     No CAA record added because there is no CAA record from another provider in the DNS for server.tld.
     10:11:05 AM The cPanel Store received “domain.server.tld”’s certificate order. (Order Item ID: 531795317) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
     10:11:05 AM The system has completed the AutoSSL check for “username”.
     The system has finished checking 1 user.
     10:12:01 AM The queue contains a request for a certificate for “username”’s website “domain.server.tld” (order item ID “531795317”). The system last polled for this certificate at Dec 11, 2018, 9:11:05 AM UTC. The next poll will be no earlier than Dec 11, 2018, 9:11:05 AM UTC.
     10:17:01 AM Polling for “username”’s new certificate for “domain.server.tld” (order item ID “531795317”) …
     The certificate is available. The system will now attempt to install it.
     10:17:02 AM SUCCESS The certificate is now installed!
    Tried that but with no effect :(

    I have WHM with only one single cPanel user. No domains or accounts have ever been transferred.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,410
    Likes Received:
    1,956
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hi @brixion_ricky,

    Can you open a support ticket so we can take a closer look? You can post the ticket number here once it's opened and I'll link this thread to it.

    Thank you.
    brixion_ricky likes this.
  7. brixion_ricky

    brixion_ricky Member

    Joined:
    Apr 26, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I created a support ticket. My Support Request ID is: 10947641
     
  8. brixion_ricky

    brixion_ricky Member

    Joined:
    Apr 26, 2014
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    The result of the support ticket was "It looks like an email account will need to be created first for that domain, in order for the domain to be added into the Dovecot SNI configuration files."

    That fixed the problem for me.

    Why is it necessary to create an email account first? I'm not going to use the created e-mail account, since the MX records of that domain point to Google G Suite. I just want all my customers to use mail.mycompany.tld as the IMAP server name so I don't have to change hundreds of DNS records if I ever switch IP or server.
    Or is it a bad way to do it like this?
     