The Community Forums


Mail SSL SNI

Discussion in 'Security' started by movielad, Feb 16, 2015.

  1. movielad

    movielad Well-Known Member
    PartnerNOC

    cPanel Access Level:
    DataCenter Provider
    I'm trying to understand how Mail-based SNI SSL works. I have a validated wildcard certificate installed for all cPanel services and this works very well.

    However, if I try to configure Outlook for Mac (v15.6) to use SSL/TLS on port 993 to pick up email for a domain that has its own SSL certificate (connecting via the domain's bare domain as the hostname), Outlook will moan that it does not match that of the service SSL certificate.

    In all cases I'm using SNI for everything - the server only has a single IP and several SSL certificates in addition to the service SSL certificate.
     
  2. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    I'm fairly certain SNI only works with Apache. Services like mail will use the service SSL certificate, of which there can only be one.
     
  3. movielad

    movielad Well-Known Member
    PartnerNOC

    cPanel Access Level:
    DataCenter Provider
    But why would you reference this as "Mail SNI" if it was web-only? The SSL/TLS section of WHM explicitly declares SNI for both web and mail. The implication, from what I can see, is that people should be able to use their own domain name as a hostname when using TLS connections. Exim supports SNI, as does Dovecot.

    It may be a client related issue more than anything else, but just curious to know if what I'm doing is correct (or not).
     
  4. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    Perhaps there's a new feature I'm unaware of; last I knew, supporting multiple SSLs for mail was still a feature request.

    Edit: OK, I see the option you're talking about now. It does sound like it should work, perhaps you should open a ticket with cPanel to look into it as I'm fairly certain this is a very new feature.
     
    #4 quizknows, Feb 17, 2015
    Last edited: Feb 17, 2015
  5. JohnMC

    JohnMC Member

    cPanel Access Level:
    Root Administrator
    Mail Clients Receive SSL Cert For Server Host Name Instead Of Account Domain

    Having some SSL trouble with my VPS... I'm trying to use SSL certificates per domain (with dedicated IP and certificate installed in cPanel), but when a mail client connects to an account's domain it receives the certificate of the server and complains it doesn't match the domain it connected to. I have found surprisingly little information about this matter. A thread here talks about the feature being originally implemented (here), but I don't have access to what OP says is the "Original thread" so I'm not sure if that has anything useful. I'm not super experienced with SSL in cPanel and how services aside from Apache handle SSL, but I feel like I've been through every WHM and cPanel configuration page and found nothing of importance. A few things of note:

    • If I connect to the server's hostname it works as intended and the certificate validates fine.
    • Might be unrelated, but I successfully followed some directions here on the forum to fix an issue with the mail server not providing an SMTP banner with the domain of the dedicated IP being used to connect on (here)
    • I installed the domain's certificate through the user's cPanel successfully; the certificate validates in a browser.
    • "Send mail from account’s dedicated IP address" is enabled

    Hopefully I'm just missing something obvious and someone can give me some suggestions. Thanks for any help.
     
  6. movielad

    movielad Well-Known Member
    PartnerNOC

    cPanel Access Level:
    DataCenter Provider
    Did that shortly after posting. There appears to be a bug (which should be fixed in an upcoming build) in WHM which sets incorrect permissions on the certificates which prevents the mail server from accessing them correctly. After that, works fine. You just set the hostname in your mail client to match that of the SSL certificate name and it just works.

    ..

    Except if you're using Outlook for Mac (version 15 - latest and greatest version) which does not appear to support SNI. Apple Mail and just about everything else works with SNI except Outlook for Mac. *facepalm*
     
  7. JohnMC

    JohnMC Member

    cPanel Access Level:
    Root Administrator
    Wow, it looks like we might have the same issue. My post was approved this morning but I haven't got any responses yet; if you don't mind, check it out and tell me if you agree this is the same issue:

    My post

    The part about Outlook isn't something I considered, so I tried Thunderbird and I didn't get any errors (although AutoDiscover pulled the server host name and I had to change it manually).

    I checked SNI settings for the domain/certificate and everything says "Mail SNI" is enabled.
     
  8. quizknows

    quizknows Well-Known Member

    cPanel Access Level:
    DataCenter Provider
    Glad to see it's getting figured out, and even more glad this is a feature now! This could end up being a huge help for PCI scans that complain about the hostname cert used for mail not matching the cert name used for the website itself.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    Internal case number 165945 addresses an issue where ownership and permissions on the "/var/cpanel/ssl/installed/cabundles" directory don't allow mail usergroup access. The temporary workaround until a resolution is released is to manually update the permissions on this directory to 0751 and to manually set the ownership to "root:mail":

    Code:
    chmod 0751 /var/cpanel/ssl/installed/cabundles
    chown root.mail /var/cpanel/ssl/installed/cabundles
    Are you using cPanel version 11.48? Did you select "Enable SNI for Mail Services" when installing the certificate? Or, if the certificate is already installed, did you browse to "WHM Home » SSL/TLS » Manage SSL Hosts", select the certificate, and utilize the "SNI for Mail Services" option?

    Thank you.
     
  10. JohnMC

    JohnMC Member

    cPanel Access Level:
    Root Administrator
    Thank you, this solved my issue (reminder that I am not OP). Sorry, I forgot to include that information: I am on 11.48 and both SNI configurations were in place correctly.

    I applied the new permission to the cabundles and it immediately resolved my issue. It seems that some mail clients like Thunderbird (at least in this case) did not care that the certificate did not match the host it was connecting on, and that's why it never complained; obviously Outlook did care, and now that the permissions are changed, the proper certificate is issued and Outlook does not complain.

    Thanks again!
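A check an administrator can run after applying the permission fix from post #9, written here as an added example and not code from cPanel or from any poster in this thread: it connects to a mail port with and without SNI, lists the DNS names in the certificate the server actually presents, and applies the hostname-matching rules a strict client such as Outlook applies (the Thunderbird behaviour described above is what you get when a client skips that step). It assumes Python 3 and a reachable mail host; the function names are my own.

```python
import socket
import ssl


def names_match(hostname, dns_names):
    """True if hostname is covered by one of the certificate's dNSName
    entries, using the RFC 6125 rules strict clients apply: exact match,
    case-insensitive, and a wildcard stands for exactly one leftmost
    label, so '*.example.com' covers 'mail.example.com' but neither
    'example.com' (a bare domain) nor 'a.b.example.com'."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                # ".example.com"
            leftmost = host[: -len(suffix)]  # what the '*' would stand for
            if host.endswith(suffix) and leftmost and "." not in leftmost:
                return True
    return False


def presented_names(host, port=993, server_name=None, timeout=5):
    """Open a TLS session to host:port and return the dNSName entries of the
    certificate the server actually presents. server_name is the SNI value;
    None sends no SNI at all, which is what a client without SNI support
    (the Outlook for Mac build discussed above) does, so comparing the two
    calls shows whether Mail SNI is selecting the per-domain certificate.
    Chain validation stays on, so a self-signed certificate handed out in
    error (kdean's report) surfaces as ssl.SSLError instead of being hidden."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # matching is done by names_match, to report rather than abort
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_mail_sni(host, port=993):
    """Report whether connecting to host with SNI yields a certificate that
    names host; False means strict mail clients will warn on this setup."""
    with_sni = presented_names(host, port, server_name=host)
    without_sni = presented_names(host, port, server_name=None)
    ok = names_match(host, with_sni)
    print(f"{host}:{port} with SNI: {with_sni} -> {'OK' if ok else 'MISMATCH'}")
    print(f"{host}:{port} without SNI (what an SNI-less client sees): {without_sni}")
    return ok
```

Run `check_mail_sni("mail.example.com")` (a placeholder name) against ports 993, 995 and 465 for each domain that has Mail SNI enabled; a wildcard service certificate such as `*.hostname.com` only satisfies the check for names under hostname.com, never for a customer's bare domain.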
     
  11. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    A resolution for this case is now available with cPanel version 11.48.0.13:

    Fixed case 165945: Ensure that cabundles are accessible by the mail user.

    Thank you.
     
  12. kdean

    kdean Well-Known Member

    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    I think I've had a problem relating to the new Mail SNI feature after I upgraded to 11.48.1.2 this weekend from the last 11.46 version.

    Outlook users occasionally started getting the error:

    "The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect."

    Users checking their email from within their gmail account started getting the error:

    "SSL Security Error. Server returned error "SSL error: self signed certificate""

    The issue started Monday morning, but I didn't receive a report about the problem until end of day and restarting Dovecot appeared to resolve the issue. But it started happening again Tuesday morning around the same time as Monday. Restarting Dovecot again resolved the issue (at least temporarily).

    Then this thread led me to look at SSL/TLS -> Manage SSL Hosts.

    Now I may have a non-typical setup that's causing the issue due to one self-signed certificate, but here's the config.

    subdomain4.hostname.com cert, shared IP - Primary website on IP Yes - Web SNI required No - this is the same cert installed for all my Services SSLs. This is the hostname

    subdomain.hostname.com, shared IP - Web SNI required Yes - Self Signed - this is a private site that only I access so we just mark the cert as trusted in our browser.

    4 separate dedicated SSL certs - Web SNI required No

    All email users connect via subdomain4.hostname.com using SSL. After updating to 11.48, all of the above certs defaulted to Mail SNI Enabled Yes which I'm thinking is the root of my issue. I'm not sure why it was decided to default Mail SNI to on since it was a new feature, but anyway.... I'm thinking that sometimes when people were connecting to their email instead of seeing the subdomain4.hostname.com cert for subdomain4.hostname.com, they were being provided the very similarly named subdomain.hostname.com self-signed cert instead for no apparent reason. Yes that 4 is the only difference between my hostname and another subdomain I use privately.

    So, I've disabled Mail SNI on all my existing certs hoping that solves my issue. Guess we'll see how the next 24 hours go. I wanted to mention all this in case there was an edge case bug at work here.
     
  13. kdean

    kdean Well-Known Member

    Location:
    Orlando, FL
    cPanel Access Level:
    Root Administrator
    Following up on my issue. It appears that disabling the Mail SNI as I described has resolved my issue and Gmail and Outlook users have been good since yesterday.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Feel free to open a support ticket regarding this issue and we can verify if it's by design or a flaw in the product. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  15. inetbizo

    inetbizo Well-Known Member

    Location:
    New Smyrna Beach, FL US
    cPanel Access Level:
    Root Administrator
    I'm using WHM 11.50.0 (build 29) and one of my clients was hit with a bad hostname on POP3 SSL; it was reporting the service SSL key instead of the Mail SNI certificate.
     
    #15 inetbizo, Aug 2, 2015
    Last edited by a moderator: Aug 25, 2015
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Could you let us know the steps you took to enable "Mail SNI" for this account?

    Thank you.
     
  17. inetbizo

    inetbizo Well-Known Member

    Location:
    New Smyrna Beach, FL US
    cPanel Access Level:
    Root Administrator
    Had to use compensating controls. The client has to change their pop3 & smtp host to their SSL hostname without the www.

    We had to select compensating controls:
    "The vulnerability exists; however, you have some documented mitigating control in place to compensate against the risk.
    This system, as part of a shared hosting environment, uses a shared service on this port. That service is accessed using the name [ cpanel server hostname ], which conforms to the wildcard certificate cited in this finding."
     
  18. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Hello :)

    Is an SSL certificate installed for this domain name? What OS is installed on this server?

    Thank you.
     
  19. inetbizo

    inetbizo Well-Known Member

    Location:
    New Smyrna Beach, FL US
    cPanel Access Level:
    Root Administrator
    • CENTOS 6.7 x86_64 standard – xxxxxx
    • WHM 11.50.0 (build 30)
    • Mail SNI was checked ON at the time SSL was installed.
     
    #19 inetbizo, Sep 16, 2015
    Last edited by a moderator: Sep 16, 2015
  20. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    cPanel Access Level:
    Root Administrator
    Feel free to open a support ticket regarding this issue and we can verify if it's by design or a flaw in the product. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     