The Community Forums

Interact with an entire community of cPanel & WHM users!

/scripts/build_mail_sni does not add in the IP address

Discussion in 'E-mail Discussions' started by imageinabox, Oct 19, 2015.

  1. imageinabox

    imageinabox Member

    Joined:
    Nov 20, 2013
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Huntsville, AL
    cPanel Access Level:
    Root Administrator
    Hey cPanel,

    We have just launched a new server and we are using dovecot now. cPanel is currently at WHM 11.52.0 (build 15). I noticed that dovecot config includes the /etc/dovecot/sni.conf file.

    It is using the local_name option within this file.
    Code:
    local_name example.com {
        ssl_cert = </var/cpanel/ssl/installed/certs/_example_com_9b34a_c2527_1476273600_be5d67cd107e9bf4cb1c82064709020b.crt
        ssl_key = </var/cpanel/ssl/installed/keys/9b34a_c2527_b34803a8f24b1af6d9a502648cd081ea.key
        ssl_ca = </var/cpanel/ssl/installed/cabundles/Example_Inc_a089d1ca631bbf599e1e850dd8fc997e_1678276800.cabundle
    }
    When I test the connection with OpenSSL on 993/995, I get the main cPanel (WHM) SSL certificate. It seems not to be matching the hostname within the file.

    So I was digging around dovecot config and added this line before it.

    Code:
    local 192.168.100.1 {
        ssl_cert = </var/cpanel/ssl/installed/certs/_example_com_e30fb_71a01_1465300800_7a815d9e03c23171bd4671f4a37b1cdb.crt
        ssl_key = </var/cpanel/ssl/installed/keys/e30fb_71a01_7f4534b94f592d25f9165b9b31e27287.key
        ssl_ca = </var/cpanel/ssl/installed/cabundles/Example_Inc_a089d1ca631bbf599e1e850dd8fc997e_1678276800.cabundle
    }
    (Above is an example, but I used the external IP address for the dedicated host.)

    Then restarted dovecot, and tested OpenSSL and it returned the correct certificate.

    Can you all update the /scripts/build_mail_sni code to also enter in the IP along with the hostname? Or just replace the hostname?

    If you all won't, is there a hook that I can use to fire off my own script to add in these dedicated IPs and SSL paths?

    Thanks,
    Justin
     
  2. imageinabox

    imageinabox Member

    Joined:
    Nov 20, 2013
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Huntsville, AL
    cPanel Access Level:
    Root Administrator
    cPanel,

    Is there any way I can get this fixed myself? I can write a hook, but I'm about to move 25+ domains and I don't want to have to do this manually.

    Any suggestions?

    Thanks,
    Justin
     
  3. imageinabox

    imageinabox Member

    Joined:
    Nov 20, 2013
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Huntsville, AL
    cPanel Access Level:
    Root Administrator
    Hey cPanel,

    I made my own fix, but I had to edit your Perl module. Can you all check this out and possibly incorporate it in the next nightly build :)

    Just kidding, I know you don't want it going out until you have tested it :D

    Hope it gets pulled in, as local_name was not working with older OpenSSL clients (on desktops like Windows 7). local with the dedicated IP address works great for both older and newer OpenSSL clients.

    Here is my patch for the SNI.pm file.
    Code:
    248c248
    <         my $map_file_entry = "$domain: crtfile=$domain_entry->{'crt'} keyfile=$domain_entry->{'key'}";
    ---
    >         my $map_file_entry = "$domain: crtfile=$domain_entry->{'crt'} keyfile=$domain_entry->{'key'} ip=$domain_entry->{'ip'}";
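    Review bot: when `$domain_entry->{'ip'}` is empty or undefined, this line writes a bare `ip=` token (and a use-of-uninitialized-value warning), which the posted main.local template then expands to `local  {`, an invalid Dovecot section header. Either emit the `ip=` field only when an address is present, or have the template fall back to `local_name` whenever `ip` is empty.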
    292a293
    >         'ip' => $userdata->{'ip'},
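    Review bot: `'ip' => $userdata->{'ip'}` is added unconditionally, so every domain gets an address here, not only the ones on a dedicated IP; once the template keys `local` sections on this value, domains that share an address will each emit a `local` section for the same IP. Gate this on the userdata dedicated flag (or leave `ip` empty for shared addresses) so the template can choose `local_name` instead.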
    407c408
    <     my ( $crt, $key, $cabundle ) = split( /\s/, $line, 3 );
    ---
    >     my ( $crt, $key, $ip, $cabundle ) = split( /\s/, $line, 4 );
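    Review bot: widening the positional split to four fields breaks any map-file line written before this change: a line with no `ip=` token puts the cabundle field into `$ip` and leaves `$cabundle` undefined. Either regenerate the map file whenever its format changes, or parse the fields by key (for example a match on `/\bip=(\S*)/`) rather than by position.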
    409a411
    >     $ip  =~ s/ip=//;
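    Review bot: the substitution is unanchored; `s/^ip=//` limits it to the field prefix, and defaulting `$ip` to an empty string before the substitution avoids an uninitialized-value warning on lines where the field is absent.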
    412c414
    <     return { 'crt' => $crt, 'key' => $key, 'cabundle' => $cabundle };
    ---
    >     return { 'crt' => $crt, 'key' => $key, 'ip' => $ip, 'cabundle' => $cabundle };
    
    
    Here is my main.local for the dovecotSNI file as well that I use:
    Code:
    [% FOREACH domain IN mail_sni_domains.sort -%]
    local [% mail_sni_domains.$domain.ip %] {
        ssl_cert = <[% mail_sni_domains.$domain.crt %]
        ssl_key = <[% mail_sni_domains.$domain.key %]
        [%- IF mail_sni_domains.$domain.cabundle %]
        ssl_ca = <[% mail_sni_domains.$domain.cabundle %]
        [%- END %]
    }
    [% END -%]
    
    Let me know if you all have any questions. I might update this to work with IPv6 addresses as well.
     


  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I was unable to reproduce the issue you have reported. Could you verify if you tested with the "-servername" flag due to the nature of how SNI works? EX:

    Code:
    openssl s_client -connect domain.com:993 -servername domain.com
    Thank you.
     
  5. imageinabox

    imageinabox Member

    Joined:
    Nov 20, 2013
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Huntsville, AL
    cPanel Access Level:
    Root Administrator
    cPanelMichael,
    Yes, that makes it work for SNI, but it doesn't work for Outlook 2010 (or other desktop clients). When I switched over to local and the IP, it worked for both Outlook and the -servername SNI.

    With that said, I believe that if there were a dedicated flag for the IP (IPv4/IPv6), you could switch between them. So if the userdata was dedicated, then use the local style:

    Code:
    local 192.168.100.X {
    ...
    }
    
    If not, use the local_name style:
    Code:
    local_name domain.tld {
    ...
    }
    
    I see the dedicated flag under IPv6 but not sure if that is for both IPv4 and IPv6.
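    The selection described in this post and the map-file format from the SNI.pm patch in post 3, as an added example that is not cPanel's code: it renders `local <ip>` only for domains flagged as dedicated and `local_name <domain>` otherwise, and parses map-file lines by key so that pre-patch lines without `ip=` still parse. The entries, IPs and certificate paths are constructed placeholders, and the `cabundle=` key name is an assumption.

    ```python
    """Added example, not cPanel's code: render Dovecot SNI sections the way the
    thread proposes (`local <ip>` for a dedicated IP, `local_name <domain>` otherwise)
    and parse map-file lines in the SNI.pm patch format, tolerating pre-patch lines
    that carry no ip= field."""
    import re

    # Constructed sample entries: IPs and certificate paths are placeholders.
    SAMPLE_ENTRIES = [
        {"domain": "example.com", "ip": "192.168.100.1", "dedicated": True,
         "crt": "/var/cpanel/ssl/installed/certs/example_com.crt",
         "key": "/var/cpanel/ssl/installed/keys/example_com.key",
         "cabundle": "/var/cpanel/ssl/installed/cabundles/Example_Inc.cabundle"},
        {"domain": "shared.example", "ip": "192.168.100.2", "dedicated": False,
         "crt": "/var/cpanel/ssl/installed/certs/shared_example.crt",
         "key": "/var/cpanel/ssl/installed/keys/shared_example.key",
         "cabundle": ""},
    ]

    def render_block(entry):
        """One Dovecot section. `local` is used only for a dedicated IP, so two
        domains on a shared address never produce duplicate `local` sections."""
        if entry["dedicated"] and entry["ip"]:
            header = "local %s {" % entry["ip"]
        else:
            header = "local_name %s {" % entry["domain"]
        lines = [header,
                 "    ssl_cert = <%s" % entry["crt"],
                 "    ssl_key = <%s" % entry["key"]]
        if entry["cabundle"]:  # ssl_ca only when a CA bundle exists
            lines.append("    ssl_ca = <%s" % entry["cabundle"])
        lines.append("}")
        return "\n".join(lines)

    def render_sni_conf(entries):
        """Whole sni.conf, domains sorted as the template's .sort does."""
        ordered = sorted(entries, key=lambda e: e["domain"])
        return "\n\n".join(render_block(e) for e in ordered) + "\n"

    def parse_map_line(line):
        """Parse 'dom: crtfile=... keyfile=... [ip=...] cabundle=...' by key
        (cabundle= is an assumed key name), so a line without ip= is not mis-split."""
        m = re.match(r"^(?P<domain>\S+): (?P<fields>.*)$", line.strip())
        if not m:
            raise ValueError("malformed map line: %r" % line)
        fields = dict(t.split("=", 1) for t in m.group("fields").split() if "=" in t)
        return {"domain": m.group("domain"), "crt": fields.get("crtfile", ""),
                "key": fields.get("keyfile", ""), "ip": fields.get("ip", ""),
                "cabundle": fields.get("cabundle", "")}
    ```
    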
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  7. imageinabox

    imageinabox Member

    Joined:
    Nov 20, 2013
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Huntsville, AL
    cPanel Access Level:
    Root Administrator

    Ticket Number: 7392061
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Here's the response from the analyst who handled this support ticket:

    Thank you.
     