
Mail SSL SNI isn't working

Discussion in 'General Discussion' started by damonewm, Feb 19, 2016.

  1. damonewm

    damonewm Member

    Joined:
    Dec 14, 2015
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    here
    cPanel Access Level:
    Website Owner
    Code:
    openssl s_client -showcerts -connect eworksbuildsit.com:993
    Returns the global panel certificate (*.e-worksmedia.com) rather than the domain's certificate. The certificate was installed with Mail SNI enabled:

    i.imgur.com/5rc9dTU.jpg
    The host, Liquid Web, says

    I see the configurations are there, but I'm not seeing it pull the SNI cert still. I haven't been able to see it work on other servers either. If you want we can open a ticket but I'm really not sure if it works properly.
    Please advise, thanks
     
    #1 damonewm, Feb 19, 2016
    Last edited by a moderator: Mar 24, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Please test this with the "-servername" flag due to the nature of how SNI works. EX:

    Code:
    openssl s_client -connect domain.com:993 -servername domain.com
    Thank you.
     
  3. damonewm
    Please try checktls.com/perl/TestReceiver.pl with address damon@example.com and let me know if it presents a valid certificate for you. You're forcing the SNI, which isn't natural.

    Code:
    [025.404]        Cert Hostname DOES NOT VERIFY (example.com != *.domain.com)
    [025.405]        (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
    [025.405]        So email is encrypted but the host is not verified
    Sadly, we aren't able to "trick" PCI compliance scanners.
     
    #3 damonewm, Feb 19, 2016
    Last edited by a moderator: Mar 24, 2016
  4. WhiteDog

    WhiteDog Well-Known Member

    Joined:
    Feb 19, 2008
    Messages:
    118
    Likes Received:
    0
    Trophy Points:
    16
    I have the same problem / question.
    I'm using CentOS 7.2, cPanel 54 build 16, have a wildcard certificate for my domain and Mail SNI enabled.

    For my domain I get:
    Code:
    [026.203]        Cert VALIDATED: ok
    [026.203]        Cert Hostname DOES NOT VERIFY (domain.be != server.serverdomain.be)
    [026.203]        So email is encrypted but the host is not verified
    I was also under the impression that I can use "mail.domain.be" in e.g. Outlook with Mail SNI. Yet connecting via SSL gives me the mismatch error (which led me to this topic).

    Any advice on how to fix or troubleshoot this further?
     
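    The "Cert Hostname DOES NOT VERIFY" lines in the two checktls reports above come from the client-side hostname-matching rule (RFC 6125 section 6.4.3, the rule checktls cites via RFC 2818 3.1), and the -servername flag is what lets a test client exercise the SNI path that rule is applied to. As an added example (not code from the thread, from checktls or from cPanel), the following Python implements that matching rule and includes a probe that fetches the IMAPS certificate with and without SNI; the hostnames and the certificate dict in it are constructed placeholders taken from the thread.

```python
"""Added example, not code from the thread or from cPanel: the hostname
matching rule a TLS client applies (RFC 6125 section 6.4.3, which the
checktls output cites via RFC 2818 3.1) and a probe that reports which
certificate an IMAPS server presents with and without SNI.  Hostnames are
placeholders taken from the thread."""
import socket
import ssl


def dns_name_matches(pattern, hostname):
    """True if one certificate dNSName (possibly a wildcard) covers hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    honoured only as the entire left-most label and matches exactly one label:
    "*.domain.com" covers "mail.domain.com" but not "domain.com" (the
    checktls failure reported above) and not "a.b.domain.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # reject "f*.x" (partial-label wildcard), "*.com" (too few parent
    # labels) and any second "*" anywhere in the name
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_names(peercert):
    """Names a client may match against, taken from an ssl.getpeercert()
    dict: every dNSName SAN, or the subject CN only when the SAN extension
    is absent (the legacy fallback modern clients have dropped)."""
    names = [value for kind, value in peercert.get("subjectAltName", ())
             if kind == "DNS"]
    if not names:
        for rdn in peercert.get("subject", ()):
            names.extend(value for kind, value in rdn if kind == "commonName")
    return names


def hostname_verifies(hostname, names):
    """checktls-style verdict: does any name on the certificate cover hostname?"""
    return any(dns_name_matches(n, hostname) for n in names)


def probe_imaps(host, port=993, servername=None, timeout=10):
    """Return the names on the certificate host:port presents.

    servername=None sends no SNI extension at all, which is what
    "openssl s_client -connect host:993" does without -servername, so a
    server holding several certificates answers with its default one.
    Chain validation stays on (an untrusted chain raises
    ssl.SSLCertVerificationError); only hostname checking is disabled so a
    mismatched certificate is reported rather than rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            return cert_names(tls.getpeercert())


# Constructed certificate, shaped like ssl.getpeercert() output, standing in
# for the wildcard certificate described in the thread (names are placeholders).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.be"),),),
    "subjectAltName": (("DNS", "*.domain.be"), ("DNS", "domain.be")),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # live probe: python3 sni_check.py mail.domain.be
        host = sys.argv[1]
        for sni in (None, host):
            names = probe_imaps(host, servername=sni)
            print("SNI=%-22s cert names=%s  verifies=%s"
                  % (sni, names, hostname_verifies(host, names)))
    else:                          # offline demonstration on the constructed cert
        names = cert_names(WILDCARD_CERT)
        for h in ("mail.domain.be", "domain.be", "a.b.domain.be",
                  "server.serverdomain.be"):
            verdict = "VERIFIES" if hostname_verifies(h, names) else "DOES NOT VERIFY"
            print("%-24s %s" % (h, verdict))
```

    Run it with a hostname argument to compare the certificate served without SNI (what the first post's openssl command does) against the one served with SNI; with no argument it only runs the constructed cases. Because chain validation stays on, a self-signed or otherwise untrusted certificate raises instead of being reported, and a wildcard-only certificate never covers the bare apex name, which is why CAs add the apex as a second SAN.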
  5. cPanelMichael
    Hello :)

    You will need to post the output from the "openssl s_client -connect domain.com:993 -servername domain.com" command to your PCI compliance company to let them know their report is showing a false positive. Customers should not experience any issues, as their email clients should see the correct certificate automatically.

    Thank you.
     
  6. anton_latvia

    anton_latvia Well-Known Member
    PartnerNOC

    Joined:
    May 11, 2004
    Messages:
    348
    Likes Received:
    3
    Trophy Points:
    18
    Location:
    Latvia
    cPanel Access Level:
    Root Administrator
    We have the same issue.

    Customer has "domain.com", but uses our host only for mail. Therefore mail.domain.com points to our server and account "domain.com" has subdomain "mail.domain.com" and SSL for "mail.domain.com" installed. But when I try:

    Code:
    openssl s_client -connect mail.domain.com:993 -servername mail.domain.com
    I still get the global server's certificate. Running CentOS 6, latest WHM.
     
  7. cPanelMichael
    Could you verify that "Mail SNI" is enabled for this domain name in "WHM >> Manage SSL Hosts"?

    Thank you.
     
  8. anton_latvia
    Oh yes, absolutely. Should I open a ticket instead?
     
  9. cPanelMichael
    Please try adding the correct CA bundle manually to the certificate file specified for the domain in:

    /etc/mail_sni_map

    Let us know if this makes a difference (after restarting your mail services).

    Thank you.
     
  10. anton_latvia
    The domain in /etc/mail_sni_map is set to domain.com, but the customer has SSL for mail.domain.com and tries to connect to mail.domain.com, since domain.com is hosted somewhere else. I tried copying this line and restarting Exim; it did not help. The CA bundle seems to be correct.
     
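    The situation anton_latvia describes above is a lookup-key problem rather than a certificate problem: an SNI-capable daemon picks the certificate by the exact name the client sends, so an entry keyed "domain.com" is never consulted when the client says "mail.domain.com". The following Python is an added model of that selection step (not cPanel's code). Its "servername: certificate file" map layout, the exact-match lookup rule and the file paths are all assumptions made for the illustration; it is not the documented format of /etc/mail_sni_map, and the real Exim and Dovecot lookup rules may differ.

```python
"""Added example, not cPanel's code: a small model of how an SNI-aware mail
daemon chooses a certificate, written to show why a map entry keyed
"domain.com" does nothing for a client that connects to "mail.domain.com".
Assumptions: the "servername: certificate file" layout of the sample map is
made up for this illustration (not the documented /etc/mail_sni_map format),
the lookup is an exact match on the SNI name, and the paths are placeholders."""

# Constructed sample map in the assumed layout.  The account's entry is keyed
# by "domain.com" although the certificate on disk and the name the customer
# connects to are both mail.domain.com (the case reported in the thread).
SAMPLE_MAP = """\
# servername: certificate file   (assumed layout, constructed sample)
domain.com: /etc/pki/tls/certs/mail.domain.com-combined.pem
other.example: /etc/pki/tls/certs/other.example-combined.pem
"""
DEFAULT_CERT = "/etc/pki/tls/certs/server.pem"   # the "global" host certificate


def parse_sni_map(text):
    """Parse the assumed layout into {servername: path}, skipping blank and
    comment lines and normalising names the way SNI comparison does
    (lower-case, no trailing dot)."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, path = line.partition(":")
        if not sep or not path.strip():
            raise ValueError("line %d: expected 'servername: path'" % lineno)
        table[name.strip().lower().rstrip(".")] = path.strip()
    return table


def select_certificate(sni_map, servername, default=DEFAULT_CERT):
    """Return (certificate path, reason) for one handshake.

    servername=None models a client that sent no SNI extension, e.g.
    "openssl s_client -connect host:993" without -servername; such a client
    can only ever be shown the default certificate."""
    if servername is None:
        return default, "client sent no SNI, default certificate served"
    key = servername.lower().rstrip(".")
    if key in sni_map:
        return sni_map[key], "SNI '%s' matched a map entry" % key
    return default, "no map entry for SNI '%s', default certificate served" % key


def missing_entry(sni_map, servername, expected_cert):
    """If a client sending servername would not receive expected_cert, return
    the map line (in the assumed layout) that would make it do so; else None."""
    served, _ = select_certificate(sni_map, servername)
    if served == expected_cert:
        return None
    return "%s: %s" % (servername.lower().rstrip("."), expected_cert)


if __name__ == "__main__":
    table = parse_sni_map(SAMPLE_MAP)
    wanted = table["domain.com"]          # the customer's mail.domain.com cert
    for sni in (None, "domain.com", "mail.domain.com"):
        served, reason = select_certificate(table, sni)
        print("SNI=%-16s -> %-48s (%s)" % (sni, served, reason))
    fix = missing_entry(table, "mail.domain.com", wanted)
    print("entry that would fix the mail.domain.com case:", fix)
    fixed = parse_sni_map(SAMPLE_MAP + fix + "\n")
    print("after adding it:", select_certificate(fixed, "mail.domain.com")[0])
```

    The no-SNI row reproduces the first post's observation (the bare openssl command shows the global certificate on every server), and the mail.domain.com row reproduces the Exim restart that "did not help": the map was keyed by a name the client never sends, so restarting the daemon changes nothing until the key matches the connecting name.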
  11. cPanelMichael
    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  12. anton_latvia
    Support Request ID is: 7500495
     