
SSL access to POP3 / IMAP / SMTP

Discussion in 'E-mail Discussions' started by Silent Ninja, Oct 15, 2009.

  1. Silent Ninja

    Hello,

    One of our customers wants to buy a Dedicated IP and an SSL certificate for his site. However, he asked me whether his SSL certificate will also validate his FTP / POP3 / IMAP / SMTP services (using his dedicated IP), or whether he will still see the "this secure connection is not secure" label because of the self-signed SSL certificate that cPanel creates for those services.
     
  2. thewebhosting

    The SSL certificate is also valid for FTP/SMTP/IMAP/POP3 using a dedicated IP address.
     
  3. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    In order to set up a (paid) SSL certificate for system services like FTP, SMTP (Exim), POP3/IMAP (Courier/Dovecot), and cPanel/WHM and Webmail (SSL ports 2083, 2087, 2096), it is necessary to install the new certificate for each service using the WHM control panel (e.g., via root access).

    Please note that changing the SSL certificate for system services will apply server-wide, to all users, and not just a single user with a dedicated IP address. It is also important to ensure the client connects to each service using the same domain as the SSL certificate; if using a different domain that does not match the SSL certificate, the connection can still be secured, but the user may see a "domain mismatch" warning when connecting.

    Here is the menu path in WHM for where the service SSL certificates can be updated or reset:
    WHM: Main >> Service Configuration >> Manage Service SSL Certificates

    Related documentation:
    ManageSslcerts < AllDocumentation/WHMDocs < TWiki
     
  4. lorio

    Would it be technically possible to use an internal proxy to map IMAP/SMTP/POP3/Webmail through the SSL cert of a customer account?

    The problem of self-signed SSL, or of telling the customer not to use their own domain to access Mail/Webmail via SSL/TLS, is still an issue.
     
  5. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    The closest match is our proxy domains access feature that can be enabled via the Tweak Settings page in WHM:
    WHM: Main >> Server Configuration >> Tweak Settings >> Domains
    * Add proxy VirtualHost to httpd.conf to automatically redirect unconfigured cpanel, webmail, webdisk and whm subdomains to the correct port (requires mod_rewrite and mod_proxy)

    By default your Apache build should already have mod_proxy and mod_rewrite, but if one is missing like mod_proxy, you may use EasyApache to recompile and enable mod_proxy in the Exhaustive options list.

    Here is a command-line method to check if both mod_proxy and mod_rewrite are compiled-in to your Apache installation:
    Code:
    # /usr/local/apache/bin/httpd -l | grep -i "proxy\|rewrite"
    If mod_proxy and mod_rewrite are available, you may see output like the following (tested against Apache/httpd version 2.2):
    Code:
    mod_proxy.c
    mod_proxy_connect.c
    mod_proxy_ftp.c
    mod_proxy_http.c
    mod_proxy_scgi.c
    mod_proxy_ajp.c
    mod_proxy_balancer.c
    mod_rewrite.c

    SSL warnings about a self-signed certificate can be resolved by purchasing an SSL certificate, or, if purchasing is not desired, it may also be resolved by suggesting the user add an exception in their browser or e-mail client to manually trust the known (self-signed) SSL certificate.

    SSL warnings about a domain mismatch could be handled by trying to educate new users about which domain they should use for SSL connectivity, and/or by suggesting the user add an exception in their browser or e-mail client where the known SSL certificate can be manually trusted.
     
  6. DomineauX

    Pretty sure he meant to find out if there is any way to have each dedicated IP site (which has a valid SSL) use their own SSL for secure FTP/IMAP/POP3/SMTP instead of all using the server wide SSL.

    I don't know of any way to accomplish it but it would certainly be a welcome ability.
     
  7. lorio

    Yes, that was what I meant. Thanks for pointing that out.


    I could also think of just aggregating customer accounts from different servers via one webmail portal. You register one domain, e.g. CustomersMails.com, and all customers (on different servers) access Webmail/POP/SMTP/IMAP through that domain.

    Thanks cPanelDon, for taking the time to read and answer. And educating customers is an interesting concept. I think customer support of cPanel can tell us nice stories too ;-)
     
  8. Serra

    The problem with that is that the certificate would be for the domain, such as domain.com. It would be invalid for ftp.domain.com or mail.domain.com.

    You could instruct your customers to use domain.com as the SMTP and POP3 server for a valid SSL domain, but that is also a bit confusing to customers who expect it to be in mail.domain.com format.

    Easiest way around it is to get an SSL for POP3/IMAP under the server name, such as server.domainname.com, and instruct users to use that for FTP, IMAP and POP3. I've been using this technique and it hasn't been a problem.
     
  9. meeven

    If a customer with a dedicated IP address also got a wildcard SSL, couldn't that be set up for POP/IMAP/FTP for that domain through WHM or cPanel?

    Or, would the service SSL certs still be separate and apply only server-wide to all customers?

    Update: I didn't notice cPanelDon's post that SSL for services apply only server wide.
     
    #9 meeven, Nov 13, 2009
    Last edited: Nov 14, 2009
  10. cPanelDon

    cPanelDon cPanel Quality Assurance Analyst
    Staff Member

    You're correct as noted in the update. To help clarify and reiterate, SSL certificates for services apply server-wide to all users; this includes services like FTP (Pure-FTPd or ProFTPd), POP and IMAP (Courier or Dovecot), SMTP (Exim), and cPanel/WHM/Webmail/WebDisk.
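
Added example, not part of any post in this thread: a sketch of the hostname check a mail or FTP client performs, showing which of the names discussed above (domain.com, mail.domain.com, server.domainname.com, a wildcard) a given service certificate covers. The certificate name lists are constructed placeholders, and `probe` is a hypothetical helper that assumes an implicit-TLS port reachable from where it is run.

```python
import socket
import ssl

def cert_matches(hostname, dns_names):
    """RFC 6125-style match: exact name, or '*' as the whole left-most label."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            # '*.domain.com' covers exactly one extra label: mail.domain.com,
            # but neither domain.com itself nor a.b.domain.com.
            first, _, rest = host.partition(".")
            if first and rest == pattern[2:]:
                return True
    return False

def client_view(dns_names, hostnames):
    """Map each hostname a user might configure to what their client reports."""
    return {h: "ok" if cert_matches(h, dns_names) else "domain mismatch"
            for h in hostnames}

def probe(host, port, timeout=5.0):
    """Live check of an implicit-TLS port (993 IMAPS, 995 POP3S, 465 SMTPS).
    Returns 'ok' or the verifier's reason (self-signed chain, name mismatch)."""
    ctx = ssl.create_default_context()  # verifies both chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

# Constructed certificate name lists, using the thread's placeholder domains.
CUSTOMER_CERT = ["domain.com"]
SERVER_CERT = ["server.domainname.com"]
WILDCARD_CERT = ["*.domain.com"]
HOSTS = ["domain.com", "mail.domain.com", "ftp.domain.com",
         "server.domainname.com"]

if __name__ == "__main__":
    for label, names in [("customer", CUSTOMER_CERT), ("server", SERVER_CERT),
                         ("wildcard", WILDCARD_CERT)]:
        print(label, client_view(names, HOSTS))
```

Because the service certificate is server-wide, only the hostname that matches it validates for every customer, which is why pointing clients at the server name avoids the mismatch warning.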
     