/scripts/build_mail_sni does not add in the IP address

imageinabox (Member)

Hey cPanel,

We have just launched a new server and we are using dovecot now. cPanel is currently at WHM 11.52.0 (build 15). I noticed that dovecot config includes the /etc/dovecot/sni.conf file.

It is using the local_name option within this file.
Code:
local_name example.com {
    ssl_cert = </var/cpanel/ssl/installed/certs/_example_com_9b34a_c2527_1476273600_be5d67cd107e9bf4cb1c82064709020b.crt
    ssl_key = </var/cpanel/ssl/installed/keys/9b34a_c2527_b34803a8f24b1af6d9a502648cd081ea.key
    ssl_ca = </var/cpanel/ssl/installed/cabundles/Example_Inc_a089d1ca631bbf599e1e850dd8fc997e_1678276800.cabundle
}
When I test the connection with OpenSSL on 993/995, I get the main cPanel (WHM) SSL certificate. It seems to be not matching the hostname within the file.

So I was digging around dovecot config and added this line before it.

Code:
local 192.168.100.1 {
    ssl_cert = </var/cpanel/ssl/installed/certs/_example_com_e30fb_71a01_1465300800_7a815d9e03c23171bd4671f4a37b1cdb.crt
    ssl_key = </var/cpanel/ssl/installed/keys/e30fb_71a01_7f4534b94f592d25f9165b9b31e27287.key
    ssl_ca = </var/cpanel/ssl/installed/cabundles/Example_Inc_a089d1ca631bbf599e1e850dd8fc997e_1678276800.cabundle
}
(Above is an example) but I used the external IP address for the dedicated host.

Then I restarted dovecot, tested with OpenSSL, and it returned the correct certificate.

Can you all update the /scripts/build_mail_sni code to also enter in the IP along with the hostname? Or just replace the hostname?

If you all won't, is there a hook that I can use to fire off my own script to add in these dedicated IPs and SSL paths?

Thanks,
Justin

imageinabox (Member)

Hey cPanel,

I made my own fix but I had to edit your Perl module. Can you all check this out and possibly incorporate it in the next nightly build :)

Just kidding, I know you don't want it going out until you have tested it :D

Hope it gets pulled in as the local_name was not working with older openssl clients (on desktops like Windows 7). local with the dedicated IP address works great for both older and newer openssl clients.

Here is my patch for SNI.pm file.
Code:
248c248
<         my $map_file_entry = "$domain: crtfile=$domain_entry->{'crt'} keyfile=$domain_entry->{'key'}";
---
>         my $map_file_entry = "$domain: crtfile=$domain_entry->{'crt'} keyfile=$domain_entry->{'key'} ip=$domain_entry->{'ip'}";
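Review bot: the `ip=` field is appended unconditionally at line 248, so a domain whose userdata carries no IP is written as a bare `ip=` with an empty value, and the template then renders `local  {` and breaks the Dovecot config; skip the field (or the whole `local` block) when the value is empty, and keep in mind that the field order written here has to match the positional `split( /\s/, $line, 4 )` that reads it back.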
292a293
>         'ip' => $userdata->{'ip'},
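Review bot: `$userdata->{'ip'}` is the account's IP whether it is dedicated or shared, so on a shared IP every SSL domain would emit its own `local <shared ip>` block for the same address and Dovecot would be left with several conflicting definitions for one IP; guard on the dedicated flag here and fall back to the `local_name` entry when the IP is shared.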
407c408
<     my ( $crt, $key, $cabundle ) = split( /\s/, $line, 3 );
---
>     my ( $crt, $key, $ip, $cabundle ) = split( /\s/, $line, 4 );
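Review bot: the positional split now assumes every map line carries an `ip=` field in the third slot, so any line written before this change (or for a domain without an IP) would land its cabundle path in `$ip` and leave `$cabundle` undefined; parsing the `key=value` tokens by name rather than by position would make the reader tolerant of both layouts.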
409a411
>     $ip  =~ s/ip=//;
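Review bot: `s/ip=//` is unanchored and unguarded; anchor it as `s/^ip=//` so it cannot strip a literal `ip=` from inside a path, and wrap it in `if defined $ip` so a three-field line does not warn about an uninitialized value.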
412c414
<     return { 'crt' => $crt, 'key' => $key, 'cabundle' => $cabundle };
---
>     return { 'crt' => $crt, 'key' => $key, 'ip' => $ip, 'cabundle' => $cabundle };
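Review bot: returning `'ip' => $ip` as an empty string when the field was missing forces callers to test for both undef and `''`; normalise to undef here so the template can branch between `local` and `local_name` with a single IF.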
Here is my main.local for the dovecotSNI file as well that I use:
Code:
[% FOREACH domain IN mail_sni_domains.sort -%]
local [% mail_sni_domains.$domain.ip %] {
    ssl_cert = <[% mail_sni_domains.$domain.crt %]
    ssl_key = <[% mail_sni_domains.$domain.key %]
    [%- IF mail_sni_domains.$domain.cabundle %]
    ssl_ca = <[% mail_sni_domains.$domain.cabundle %]
    [%- END %]
}
[% END -%]
Let me know if you all have any questions. I might update this to work with IPv6 addresses as well.

cPanelMichael (Administrator, Staff member)

> When I test the connection with OpenSSL on 993/995, I get the main cPanel (WHM) SSL certificate. It seems to be not matching the hostname within the file.
Hello :)

I was unable to reproduce the issue you have reported. Could you verify if you tested with the "-servername" flag due to the nature of how SNI works? EX:

Code:
openssl s_client -connect domain.com:993 -servername domain.com
Thank you.

imageinabox (Member)

> Hello :)
>
> I was unable to reproduce the issue you have reported. Could you verify if you tested with the "-servername" flag due to the nature of how SNI works? EX:
>
> Code:
> openssl s_client -connect domain.com:993 -servername domain.com
> Thank you.
cPanelMichael,
Yes, that makes it work for SNI, but it doesn't work for Outlook 2010 (or other desktop clients). When I switched over to local and the IP, it worked for both Outlook and the -servername SNI.

With that said, I believe if there were a dedicated flag for IP (IPv4/IPv6), you could switch between them. So if userdata was dedicated, then use the local style:

Code:
local 192.168.100.X {
...
}
If not, use the local_name style:
Code:
local_name domain.tld {
...
}
I see the dedicated flag under IPv6 but not sure if that is for both IPv4 and IPv6.

cPanelMichael (Administrator, Staff member)

Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

Thank you.

cPanelMichael (Administrator, Staff member)

Ticket Number: 7392061
Here's the response from the analyst who handled this support ticket:

This circles back to the concept of SNI. As an example, this is similar to the setup you are going for:

1.1.1.1 (Shared) cats.com, dogs.com, hamsters.com (No SSLs on any)
1.1.1.2 (Dedicated): foxes.com w/SSL
1.1.1.3 (Dedicated): bears.com w/SSL
1.1.1.4 (Dedicated): birds.com
1.1.1.5 (Dedicated): sheep.com w/SSL

In this above example, you only ever have a single SSL associated with a single IP. Therefore, your custom deployment for Dovecot works for you and provides maximum mail client compatibility.

local 1.1.1.2 { foxes.com SSL }
local 1.1.1.3 { bears.com SSL }
local 1.1.1.5 { sheep.com SSL }

While this works for your situation, it is not actually SNI. It is a simple 1:1 IP-to-SSL association that has existed for many years (although cPanel & WHM has not supported custom SSLs for Dovecot/Exim before).

The issue is that many of our customers have setups like this, which is the setup that SNI aims to make work:

1.1.1.1 (Shared) cats.com w/SSL, dogs.com No SSL, hamsters.com w/SSL
1.1.1.2 (Dedicated): foxes.com w/SSL, Addon Domain: redfoxes.com w/SSL, Addon Domain: greyfoxes.com w/SSL
1.1.1.3 (Dedicated): bears.com w/SSL, Addon Domain: blackbears.com w/SSL
1.1.1.4 (Dedicated): birds.com
1.1.1.5 (Dedicated): sheep.com w/SSL, Subdomain: store.sheep.com w/SSL

In the above configuration (which is valid and something we do support), your method becomes unworkable.

local 1.1.1.2 { What SSL do I put here? I can only put one. foxes.com? redfoxes.com? greyfoxes.com? }

The only way this works is with the SNI functionality dovecot offers through local_name.

local_name foxes.com { foxes.com SSL }
local_name redfoxes.com { redfoxes.com SSL }
local_name greyfoxes.com { greyfoxes.com SSL }

This is why it is not considered a patch/fix for Mail SNI, since it essentially removes SNI and forces one SSL per one IP.

Forcing an SSL to serve for a specific IP is more compatible with old mail clients that do not support SNI, but as mentioned you have to pick a single SSL to serve over it. For your situation, that does not seem to be a problem, but for the 'fox' example above, it would be a big problem. The server owner would have to decide which of the 3 SSL certificates to serve for non-SNI compliant mail clients.

Perhaps there could be a middle ground where each IP can have a "default" certificate served for it. We do something similar with SNI for Apache for browsers that do not support SNI. But your modifications essentially only work for a very specific situation, and would not function for anyone seeking to utilize SNI. Posting a feature request to allow for a "default" SSL per IP sounds like a great idea, though, and I would advise posting it if you have not already.
Thank you.
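The two ideas in this thread, the poster's "local for a dedicated IP, local_name otherwise" switch and the analyst's "default certificate per IP" middle ground, worked through as an added Python example; this is not cPanel's SNI.pm or its Template Toolkit file, and the domain list, certificate paths and function names are constructed for illustration.

```python
# Constructed sample modelled on the analyst's layouts above (not cPanel data):
# every entry is a domain that has a certificate installed, shaped like the
# crt/key/cabundle/ip record SNI.pm hands to the template.
DOMAINS = {
    "foxes.com":       {"ip": "1.1.1.2", "crt": "/ssl/foxes.crt", "key": "/ssl/foxes.key", "cabundle": "/ssl/foxes.cabundle"},
    "redfoxes.com":    {"ip": "1.1.1.2", "crt": "/ssl/redfoxes.crt", "key": "/ssl/redfoxes.key", "cabundle": None},
    "greyfoxes.com":   {"ip": "1.1.1.2", "crt": "/ssl/greyfoxes.crt", "key": "/ssl/greyfoxes.key", "cabundle": None},
    "bears.com":       {"ip": "1.1.1.3", "crt": "/ssl/bears.crt", "key": "/ssl/bears.key", "cabundle": "/ssl/bears.cabundle"},
    "sheep.com":       {"ip": "1.1.1.5", "crt": "/ssl/sheep.crt", "key": "/ssl/sheep.key", "cabundle": None},
    "store.sheep.com": {"ip": "1.1.1.5", "crt": "/ssl/store.crt", "key": "/ssl/store.key", "cabundle": None},
}

def _ssl_lines(entry):
    """Dovecot ssl_* settings for one cert; the leading '<' tells Dovecot to read the file."""
    lines = [f"    ssl_cert = <{entry['crt']}", f"    ssl_key = <{entry['key']}"]
    if entry.get("cabundle"):
        lines.append(f"    ssl_ca = <{entry['cabundle']}")
    return lines

def default_cert_for_ip(domains, ip, defaults=None):
    """Which domain's cert a non-SNI client (e.g. Outlook 2010) gets on `ip`:
    the only cert bound to that IP, else the admin-chosen default from
    `defaults` {ip: domain}, else None because the choice is ambiguous."""
    on_ip = sorted(d for d, e in domains.items() if e["ip"] == ip)
    if len(on_ip) == 1:
        return on_ip[0]
    chosen = (defaults or {}).get(ip)
    if chosen is not None and chosen not in on_ip:
        raise ValueError(f"default {chosen} is not served on {ip}")
    return chosen

def render_sni_conf(domains, defaults=None):
    """One local_name block per domain (real SNI, as build_mail_sni emits)
    plus at most one `local <ip>` block per IP for clients without SNI."""
    out = []
    for d in sorted(domains):
        out += [f"local_name {d} {{", *_ssl_lines(domains[d]), "}"]
    for ip in sorted({e["ip"] for e in domains.values()}):
        d = default_cert_for_ip(domains, ip, defaults)
        if d is not None:  # ambiguous IPs get no local block rather than a guess
            out += [f"local {ip} {{", *_ssl_lines(domains[d]), "}"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_sni_conf(DOMAINS, {"1.1.1.2": "foxes.com"}))
```

With no default given, 1.1.1.2 and 1.1.1.5 get only local_name blocks, which is exactly the "which of the three certs?" problem the analyst describes; naming a default per IP restores the one-cert-per-IP behaviour for old clients without taking SNI away from new ones.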