Mail SSL SNI

[movielad]

I'm trying to understand how Mail-based SNI SSL works. I have a validated wildcard certificate installed for all cPanel services and this works very well.

However, if I try to configure Outlook for Mac (v15.6) to use SSL/TLS on port 993 to pick up email for a domain that has its own SSL certificate (connecting via the domain's bare domain as the hostname), Outlook will moan that it does not match that of the service SSL certificate.

In all cases I'm using SNI for everything - the server only has a single IP and several SSL certificates in addition to the service SSL certificate.

 

[quizknows]

I'm fairly certain SNI only works with Apache. Services like mail will use the service SSL certificate, of which there can only be one.

 

[movielad]

I'm fairly certain SNI only works with Apache. Services like mail will use the service SSL certificate, of which there can only be one.

But why would you reference this as "Mail SNI" if it was web-only? The SSL/TLS section of WHM explicitly declares SNI for both web and mail. The implication, from what I can see, is that people should be able to use their own domain name as a hostname when using TLS connections. Exim supports SNI, as does Dovecot.

It may be a client related issue more than anything else, but just curious to know if what I'm doing is correct (or not).

 

[quizknows]

Perhaps there's a new feature I'm unaware of; last I knew, supporting multiple SSLs for mail was still a feature request.

Edit: OK, I see the option you're talking about now. It does sound like it should work, perhaps you should open a ticket with cPanel to look into it as I'm fairly certain this is a very new feature.

 

[JohnMC]

Mail Clients Receive SSL Cert For Server Host Name Instead Of Account Domain

Having some SSL trouble with my VPS... I'm trying to use SSL certificates per domain (with dedicated IP and certificate installed in cPanel) but when a mail client connects to an accounts domain it receives the certificate of the server and complains it doesn't match the domain it connected to. I have found surprising little information about this matter. A thread here talks about the feature being originally implemented (here) but i don't have access to what OP says is the "Original thread" so i'm not sure if that has anything useful. I'm not super experienced with SSL in cpanel and how services aside from Apache handle ssl, but I feel like i've been through every WHM and cPanel configuration page and found nothing of importance. A few things of note:

• If I connect to the servers hostname it works as intended and the certificate validates fine.
• Might be unrelated but I successfully followed some directions here on the forum to fix an issue with the mail server not providing an smtp banner with the domain of the dedicated IP being used to connect on (here)
• I installed the domains certificate through the users cPanel successfully, the certificate validates in a browser.
• "Send mail from account’s dedicated IP address" is enabled

Hopefully i'm just missing something obvious and someone can give me some suggestions, thanks for any help.

 

[movielad]

Perhaps there's a new feature I'm unaware of; last I knew, supporting multiple SSLs for mail was still a feature request.

Edit: OK, I see the option you're talking about now. It does sound like it should work, perhaps you should open a ticket with cPanel to look into it as I'm fairly certain this is a very new feature.

Did that shortly after posting. There appears to be a bug (which should be fixed in an upcoming build) in WHM which sets incorrect permissions on the certificates which prevents the mail server from accessing them correctly. After that, works fine. You just set the hostname in your mail client to match that of the SSL certificate name and it just works.

..

Except if you're using Outlook for Mac (version 15 - latest and greatest version) which does not appear to support SNI. Apple Mail and just about everything else works with SNI except Outlook for Mac. *facepalm*

 

[JohnMC]

Wow, it looks like we might have the same issue, my post was approved this morning but i haven't got any responses yet, if you don't mind, check it out and tell me if you agree this is the same issue:

My post

The part about outlook isn't something I considered so I tried Thunderbird and I didn't get any errors (although AutoDiscover pulled the server host name and i had to change it manually ).

I checked SNI settings for the domain/certificate and everything says "Mail SNI" is enabled.

 

[quizknows]

Glad to see it's getting figured out, and even more glad this is a feature now! This could end up being a huge help for PCI scans that complain about the hostname cert used for mail not matching the cert name used for the website itself.

 

[cPanelMichael]

Did that shortly after posting. There appears to be a bug (which should be fixed in an upcoming build) in WHM which sets incorrect permissions on the certificates which prevents the mail server from accessing them correctly. After that, works fine. You just set the hostname in your mail client to match that of the SSL certificate name and it just works.

Hello

Internal case number 165945 addresses an issue where ownership and permissions on the "/var/cpanel/ssl/installed/cabundles" directory don't allow mail usergroup access. The temporary workaround until a resolution is released is to manually update the permissions on this directory to 0751 and to manually set the ownership to "root:mail":

chmod 0751 /var/cpanel/ssl/installed/cabundles
chown root.mail /var/cpanel/ssl/installed/cabundles

Having some SSL trouble with my VPS... I'm trying to use SSL certificates per domain (with dedicated IP and certificate installed in cPanel) but when a mail client connects to an accounts domain it receives the certificate of the server and complains it doesn't match the domain it connected to.

Are you using cPanel version 11.48? Did you select "Enable SNI for Mail Services" when installing the certificate? Or, if the certificate is already installed, did you browse to "WHM Home » SSL/TLS » Manage SSL Hosts", select the certificate, and utilize the "SNI for Mail Services" option?

Thank you.

 

[JohnMC]

Hello

Internal case number 165945 addresses an issue where ownership and permissions on the "/var/cpanel/ssl/installed/cabundles" directory don't allow mail usergroup access. The temporary workaround until a resolution is released is to manually update the permissions on this directory to 0751 and to manually set the ownership to "root:mail":

chmod 0751 /var/cpanel/ssl/installed/cabundles
chown root.mail /var/cpanel/ssl/installed/cabundles

Are you using cPanel version 11.48? Did you select "Enable SNI for Mail Services" when installing the certificate? Or, if the certificate is already installed, did you browse to "WHM Home » SSL/TLS » Manage SSL Hosts", select the certificate, and utilize the "SNI for Mail Services" option?

Thank you.

Thank you, this solved my issue (reminder that I am not OP). Sorry i forgot to include that information: I am on 11.48 and both SNI configurations were in place correctly.

I applied the new permission to the cabundles and it immediately resolved my issue. It seems that some mail clients like thunderbird (at least in this case) did not care that the certificate did not match the host it was connecting on and that's why it never complained, obviously Outlook did care and now that the permissions are changed, the proper certificate is issued and Outlook does not complain.

Thanks again!

 

[cPanelMichael]

A resolution for this case is now available with cPanel version 11.48.0.13:

Fixed case 165945: Ensure that cabundles are accessible by the mail user.

Thank you.

 

[kdean]

I think I've had a problem relating to the new Mail SNI feature after I upgraded to 11.48.1.2 this weekend from the last 11.46 version.

Outlook users occasionally started getting the error:

"The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect."

Users checking their email from within their gmail account started getting the error:

"SSL Security Error. Server returned error "SSL error: self signed certificate"

The issue started Monday morning, but I didn't receive a report about the problem until end of day and restarting Dovecot appeared to resolve the issue. But it started happening again Tuesday morning around the same time as Monday. Restarting Dovecot again resolved the issue (at least temporarily).

Then this thread lead me to look at SSL/TLS -> Manage SSL Hosts.

Now I may have a non-typical setup that's causing the issue due to one Self Signed certificate by here's the config.

subdomain4.hostname.com cert, shared IP - Primary website on IP Yes - Web SNI required No - this is the same cert installed for all my Services SSLs. This is the hostname

subdomain.hostname.com, shared IP - Web SNI required Yes - Self Signed - this is a private site that only I access so we just mark the cert as trusted in our browser.

4 separate dedicated SSL certs - Web SNI required No

All email users connect via subdomain4.hostname.com using SSL. After updating to 11.48, all of the above certs defaulted to Mail SNI Enabled Yes which I'm thinking is the root of my issue. I'm not sure why it was decided to default Mail SNI to on since it was a new feature, but anyway.... I'm thinking that sometimes when people were connecting to their email instead of seeing the subdomain4.hostname.com cert for subdomain4.hostname.com, they were being provided the very similarly named subdomain.hostname.com self-signed cert instead for no apparent reason. Yes that 4 is the only difference between my hostname and another subdomain I use privately.

So, I've disabled Mail SNI on all my existing certs hoping that solves my issue. Guess we'll see how the next 24 hours go. I wanted to mention all this in case their was an edge case bug at work here.

 

[kdean]

Following up on my issue. It appears that disabling the Mail SNI as I described has resolved my issue and Gmail and Outlook users have been good since yesterday.

 

[cPanelMichael]

After updating to 11.48, all of the above certs defaulted to Mail SNI Enabled Yes which I'm thinking is the root of my issue. I'm not sure why it was decided to default Mail SNI to on since it was a new feature, but anyway.... I'm thinking that sometimes when people were connecting to their email instead of seeing the subdomain4.hostname.com cert for subdomain4.hostname.com, they were being provided the very similarly named subdomain.hostname.com self-signed cert instead for no apparent reason. Yes that 4 is the only difference between my hostname and another subdomain I use privately.

Feel free to open a support ticket regarding this issue and we can verify if it's by design or a flaw in the product. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[inetbizo]

Feel free to open a support ticket regarding this issue and we can verify if it's by design or a flaw in the product. You can post the ticket number here so we can update this thread with the outcome.

Thank you.

I'm using WHM 11.50.0 (build 29) and one of my clients was hit with a bad hostname on pop3 SSL and it was reporting the service ssl key instead of the mail SNI.

 

[cPanelMichael]

I'm using WHM 11.50.0 (build 29) and one of my clients was hit with a bad hostname on pop3 SSL and it was reporting the service ssl key instead of the mail SNI.

Could you let us know the steps you took to enable "Mail SNI" for this account?

Thank you.

 

[inetbizo]

Could you let us know the steps you took to enable "Mail SNI" for this account? Thank you.

Had to use compensating controls. The client has to change their pop3 & smtp host to their SSL hostname without the www.

We had to select compensating controls:
"The vulnerability exists; however, you have some documented mitigating control in place to compensate against the risk.
This system, as part of a shared hosting environment, uses a shared service on this port. That service is accessed using the name [ cpanel server hostname ], which conforms to the wildcard certificate cited in this finding."

 

[cPanelMichael]

I'm using WHM 11.50.0 (build 29) and one of my clients was hit with a bad hostname on pop3 SSL and it was reporting the service ssl key instead of the mail SNI.

Hello

Is a SSL certificate installed for this domain name? What OS is installed on this server?

Thank you.

 

[inetbizo]

Hello

Is a SSL certificate installed for this domain name? What OS is installed on this server?

Thank you.

• CENTOS 6.7 x86_64 standard – xxxxxx

• WHM 11.50.0 (build 30)

• Mail SNI was checked ON at the time SSL was installed.

 

[cPanelMichael]

Feel free to open a support ticket regarding this issue and we can verify if it's by design or a flaw in the product. You can post the ticket number here so we can update this thread with the outcome.

Thank you.