SSL for Mailman Admin/User Logins

Discussion in 'Security' started by brianc, May 13, 2019.

  1. brianc

    brianc Well-Known Member

    Joined:
    May 16, 2003
    Messages:
    174
    Likes Received:
    3
    Trophy Points:
    168
    Now that SSL is the standard for accessing webpages, especially login pages, when is cPanel going to allow Mailman to FULLY allow secure access? I continually have clients coming to me asking for SSL connections to their Mailman admin pages. No matter what I try, I can't seem to find a permanent fix. I have done the following:

    1. Added a redirect to direct all non-ssl traffic to /mailman/ to https. That works great.

    RewriteEngine on
    RewriteCond %{HTTPS} off [NC]
    RewriteRule ^/mailman(/.*) https://%{HTTP_HOST}/mailman$1 [L,R=permanent]

    2. Added the following to the mm_cfg.py file for new lists:

    DEFAULT_URL_PATTERN = 'https://%s/mailman/'

    3. Ran the following for an older list that was unable to make changes to members' attributes on the membership management page due to the above changes:

    $prefix/bin/withlist -l -r fix_url listname -u list_web_domain

    I confirmed that fixed the issue, only to see the fix revert itself less than 24 hours later. So even though web traffic is coming through via SSL, it seems certain form elements are not fully secure. This really needs to be fixed, cPanel, and ASAP.

    Thank you,
    Brian
     
  2. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,476
    Likes Received:
    507
    Trophy Points:
    263
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @brianc

    I'm curious at what point your users are not able to view mailman over a secure connection? If you're using the hostname or a domain with a certificate to access cPanel over https the connection to mailman is also secured, at least in my case:

    mailman.png
     
  3. brianc

    brianc Well-Known Member

    The problem is that not all users, particularly list members, use https, so there should be some sort of force redirect in place. But the real problem is that for virtual host certificates, some of the form elements do not work properly. I confirmed this on the membership management page when you try to make some adjustments to a list member's settings, including adding a real name. It works fine if https is over the hostname of the server but not over the virtual host's certificate.
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @brianc


    I still cannot help but feel like something else is going on - I can't replicate any issues with modifying the member names over https with the VirtualHost certificate:

    membership_management.png
     
  5. brianc

    brianc Well-Known Member

    I think this appears when you try to disable non-SSL access to a mailman list. The issues do not show up if I allow both SSL and non-SSL access to a list's admin pages. However, when I try to force SSL-only access to list admin pages, these issues show up. I believe some of these form elements are using a non-SSL connection to function, and when you try to force SSL-only access, then something is not working right.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @brianc

    It may be that the redirect you're using is causing the issue, but if I access cPanel using the service subdomain as https://cpanel.mydomain.tld or https://mydomain.tld:2083, everything including all mailman is viewed over SSL, so I'm not sure I understand the need for the redirect to begin with when "require ssl for cPanel services" is enabled; even if your users attempt to connect to cPanel non-securely, they'll be redirected to SSL.
     
  7. brianc

    brianc Well-Known Member

    Joined:
    May 16, 2003
    Messages:
    174
    Likes Received:
    3
    Trophy Points:
    168
    Then how come there are non-SSL resources being called when viewing the source HTML even though the main connection is via SSL?

    The original need for the redirect is to prevent users from using a non-SSL connection to access Mailman; this includes the list info page.

    Brian
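
One way to check the symptom discussed in this thread, as an added example that is not part of any poster's message and is not cPanel or Mailman code: parse a saved copy of a Mailman page and list the form targets and sub-resources that still resolve to http://. The host name, list name, paths and HTML below are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute whose URL the browser submits to or fetches automatically.
URL_ATTRS = {"form": "action", "img": "src", "script": "src", "iframe": "src"}

class InsecureRefFinder(HTMLParser):
    """Collect form targets and sub-resources that resolve to plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative URLs against the page, as a browser would.
        target = urljoin(self.page_url, value)
        if urlparse(target).scheme == "http":
            kind = "form-target" if tag == "form" else "subresource"
            self.findings.append((kind, target))

def find_insecure_refs(page_url, html):
    finder = InsecureRefFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample: an admin page served over https whose form still
# posts to an http:// URL, next to the same page with an https:// target.
PAGE_URL = "https://lists.example.com/mailman/admin/testlist/members"
PAGE_HTTP_FORM = """
<form action="http://lists.example.com/mailman/admin/testlist/members" method="POST">
<input name="realname" type="text"><input type="submit" value="Submit">
</form>
<img src="/icons/logo.png" alt="logo">
<a href="http://www.list.org/">Mailman</a>
"""
PAGE_HTTPS_FORM = PAGE_HTTP_FORM.replace('action="http://', 'action="https://')

if __name__ == "__main__":
    for label, html in (("http form", PAGE_HTTP_FORM), ("https form", PAGE_HTTPS_FORM)):
        print(label, find_insecure_refs(PAGE_URL, html))
```

A form-target finding matters when a permanent redirect to https is in place, because browsers commonly reissue a redirected POST as a GET, so the submitted fields never reach the script.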
     
  8. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Hi @brianc


    I have yet to be able to replicate this behavior on my test server (which has a live domain and SSL installed on the domain) and maybe a closer look at the server is warranted. Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


    Thanks!
     