Wrong SSL certificate returned on SMTP TLS connections

[Webdew]

I have an issue where it appears that when making a secure connection to a cpanel server for SMTP the wrong SSL cert is returned stopping the mail client from sending. Incoming is OK.

Setup.

I have a WHM server as hosting.domain.com
I have a client with cpanel on clientdomain.com
I have Auto SSL enable for both domains via Lets encrypt.

I have tried with both Outlook 2010 and outlook 2007 (different machines, connections but same OS windows 10) and have the same issue.

Connection type IMAP or POP3 - both tested (same outgoing port 465).

When I use a browser and try connecting to a secure URL (obviously port 443 though) the returned certificates are trusted. For example.
https://cpanel.clientdomain.com
https://mail.clientdomain.com
https://www.clientdomain.com

When the client brought up the issue I noticed his Outlook 2007 on opening kept asking for the cert to be accepted as the name did not match even though it was configured to use mail.clientdomain.com. Accepting the cert allowed mail in, but sending timed out.

I ended up trouble shooting this down to the Subject Alternative Name on the certificate being returned with cpanel.clientdomain.com listed first - and a MS document adv that Outlook 2007 will not check the other SAN's entries beyond the first throwing that old client a red flag about the validity of the returned certificate. I then set the mail incoming and outgoing in the client to cpanel.clientdomain.com and received not further warning on first opening Outlook. However I still can't send mail.

Incoming 995, Outgoing 465 as adv by the cpanel settings.

Incoming is fine.
Outgoing then hangs and times out with 'no response form the server'

However when setting up an account on another PC using Outlook 2010 I received a certificate error on the SMPT connection in this case it is advising the returned certificate is in fact from hosting.domain.com (the WHM server name) and not the client (clientdomain.com) certificate at all. So a valid warning, and at this point I'm assuming Outlook 2007 hits the same error but is not advising of it and just timing out.

This doesn't seem right and I suspect I have a misconfiguration somewhere on the WHM server though how it only affects the outgoing connection and not the incoming has me at a loss.

Other points.

• This client started having this issue a few weeks ago (was fine before then).
• They haven't changed ISP or connections - but I have effectively tested the issue from 3 devices over 4 different network connections - so I don't think its routing.
• Last week I migrate his account from one Cpanel server to another thinking that this may help in some way (ie if it is a routing issue or forcing the certs to be re-recreated). I have also deleted and re requested the Lets Encrypt certs a few times on the new server to see it that helps.
• Oddly I'm not aware of any other users/domains on that server having any issues at all. Though this is my new server and it has very low utilisation right now. However his issue began on another server altogether that is heavily used.
• This client though has 2 domains on separate accounts, on this server, that both have the same problem.
• Since the client ISP blocks port 25, his device is a laptop and he is mobile with it so I can't rely on 25 being available so I have to and prefer use of a secure connection. Outlook 2010 advises that SSL is not supported on the new cPanel server - so I'm only trying on the TLS connection type.

Any assistance or direction appreciated.

 

[cPanelMichael]

Hello,

When configuring the mail server name for outgoing connections in Outlook for the affected user, do you experience the same issue if you use the server's hostname as the mail server name?

Thank you.

 

[axeblokie]

Sorry to resurrect an old post. Did this ever get resolved?
I have a client with the same issue with the servers host SSL being returned instead of the domains SSL.

For example, he connects to mail.clientdomain.co.uk and gets client.cpanelhostdomain.co.uk with certificate warnings that the target principal name is incorrect.
Trying by IP address or the cPanel hostname works, but he wants his clients to use mail.clientdomain.co.uk. It also happens when connecting to FTP via Filezilla.

 

[cPRex]

@axeblokie - do you see an entry in the Apache configuration for mail.domain.co.uk for that user? If so, I would expect the SSL to be installed on that domain properly.

 

[axeblokie]

Hi CPRex.

Apologies for the delay.

I see this in the httpd.conf for the domain in question;

<VirtualHost 192.168.200.1:80>
ServerName domain.co.uk
ServerAlias mail.domain.co.uk www.domain.co.uk
DocumentRoot /home/domain/public_html
ServerAdmin [email protected]
UseCanonicalName Off

## User username # Needed for Cpanel::ApacheConf
<IfModule userdir_module>
<IfModule !mpm_itk.c>
<IfModule !ruid2_module>
<IfModule !mod_passenger.c>
UserDir disabled
UserDir enabled username
</IfModule>
</IfModule>
</IfModule>
</IfModule>

# Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
# To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
# the user's .htaccess file. For more information, please read:
# mod_include - Apache HTTP Server Version 2.4
<IfModule include_module>
<Directory "/home/domain/public_html">
SSILegacyExprParser On
</Directory>
</IfModule>



<IfModule suphp_module>
suPHP_UserGroup username username
</IfModule>
<IfModule suexec_module>
<IfModule !mod_ruid2.c>
SuexecUserGroup username username
</IfModule>
</IfModule>
<IfModule ruid2_module>
RMode config
RUidGid username username
</IfModule>
<IfModule mpm_itk.c>
# For more information on MPM ITK, please read:
# apache2-mpm-itk
AssignUserID username username
</IfModule>
<IfModule mod_passenger.c>
PassengerUser username
PassengerGroup username
</IfModule>

<IfModule alias_module>
ScriptAlias /cgi-bin/ /home/domain/public_html/cgi-bin/
</IfModule>


# Global DCV Rewrite Exclude
<IfModule rewrite_module>
RewriteOptions Inherit
</IfModule>



# To customize this VirtualHost use an include file at the following location
# Include "/etc/apache2/conf.d/userdata/std/2_4/username/domain.co.uk/*.conf"
</VirtualHost>

*The username and domain are the same, I just changed them in the above for privacy

I've replicated the fault for the customer on my machines, except when using Thunderbird, the client however is insisting on using Outlook.

 

[cPRex]

Can you check the domain.com:443 vhost instead? That would be the secured vhost with the SSL certificate details.

 

[axeblokie]

Now I feel like even more of a noob for not spotting that.
Here's the 443 vhost entry for that domain.

<VirtualHost 192.168.200.1:443>
ServerName domain.co.uk
ServerAlias mail.domain.co.uk www.domain.co.uk webmail.domain.co.uk cpcontacts.domain.co.uk cpanel.domain.co.uk cpcalendars.domain.co.uk autodiscover.domain.co.uk webdisk.domain.co.uk
DocumentRoot /home/domain/public_html
ServerAdmin [email protected]
UseCanonicalName Off

## User domain # Needed for Cpanel::ApacheConf
<IfModule userdir_module>
<IfModule !mpm_itk.c>
<IfModule !ruid2_module>
<IfModule !mod_passenger.c>
UserDir disabled
UserDir enabled domain
</IfModule>
</IfModule>
</IfModule>
</IfModule>

# Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
# To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
# the user's .htaccess file. For more information, please read:
# mod_include - Apache HTTP Server Version 2.4
<IfModule mod_include.c>
<Directory "/home/domain/public_html">
SSILegacyExprParser On
</Directory>
</IfModule>


<Proxymatch ^https?://127\.0\.0\.12082|2083|2077|2078|2079|2080|2086|2087|2095|2096)/>
<IfModule security2_module>
SecRuleEngine Off
</IfModule>
<IfModule security3_module>
modsecurity_rules 'SecRuleEngine Off'
</IfModule>
</Proxymatch>

<IfModule mod_suphp.c>
suPHP_UserGroup domain domain
</IfModule>
<IfModule suexec_module>
<IfModule !mod_ruid2.c>
SuexecUserGroup domain domain
</IfModule>
</IfModule>
<IfModule ruid2_module>
RMode config
RUidGid domain domain
</IfModule>
<IfModule mpm_itk.c>
# For more information on MPM ITK, please read:
# apache2-mpm-itk
AssignUserID domain domain
</IfModule>
<IfModule mod_passenger.c>
PassengerUser domain
PassengerGroup domain
</IfModule>

<IfModule alias_module>
ScriptAlias /cgi-bin/ /home/domain/public_html/cgi-bin/
</IfModule>
<IfModule ssl_module>
SSLEngine on

SSLCertificateFile /var/cpanel/ssl/apache_tls/domain.co.uk/combined

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
<Directory "/home/domain/public_html/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
</IfModule>




# To customize this VirtualHost use an include file at the following location
# Include "/etc/apache2/conf.d/userdata/ssl/2_4/domain/domain.co.uk/*.conf"

<IfModule headers_module>
RequestHeader set X-HTTPS 1
</IfModule>
RewriteEngine On
RewriteCond %{HTTP_HOST} =autodiscover.domain.co.uk [OR]
RewriteCond %{HTTP_HOST} =autodiscover.domain.co.uk:443
RewriteCond %{HTTP:Upgrade} !websocket [nocase]

RewriteRule ^ http://127.0.0.1/cgi-sys/autodiscover.cgi [P]
RewriteCond %{HTTP_HOST} =cpanel.domain.co.uk [OR]
RewriteCond %{HTTP_HOST} =cpanel.domain.co.uk:443
RewriteCond %{HTTP:Upgrade} !websocket [nocase]

RewriteRule ^/(.*) /___proxy_subdomain_cpanel/$1 [PT]
ProxyPass "/___proxy_subdomain_cpanel" "http://127.0.0.1:2082" max=1 retry=0
RewriteCond %{HTTP_HOST} =cpcalendars.domain.co.uk [OR]
RewriteCond %{HTTP_HOST} =cpcalendars.domain.co.uk:443
RewriteCond %{HTTP:Upgrade} !websocket [nocase]

RewriteRule ^/(.*) /___proxy_subdomain_cpcalendars/$1 [PT]
ProxyPass "/___proxy_subdomain_cpcalendars" "http://127.0.0.1:2079" max=1 retry=0
RewriteCond %{HTTP_HOST} =cpcontacts.domain.co.uk [OR]
RewriteCond %{HTTP_HOST} =cpcontacts.domain.co.uk:443
RewriteCond %{HTTP:Upgrade} !websocket [nocase]

RewriteRule ^/(.*) /___proxy_subdomain_cpcontacts/$1 [PT]
ProxyPass "/___proxy_subdomain_cpcontacts" "http://127.0.0.1:2079" max=1 retry=0
RewriteCond %{HTTP_HOST} =webdisk.domain.co.uk [OR]
RewriteCond %{HTTP_HOST} =webdisk.domain.co.uk:443
RewriteCond %{HTTP:Upgrade} !websocket [nocase]

RewriteRule ^/(.*) /___proxy_subdomain_webdisk/$1 [PT]
ProxyPass "/___proxy_subdomain_webdisk" "http://127.0.0.1:2077" max=1 retry=0
RewriteCond %{HTTP_HOST} =webmail.domain.co.uk [OR]
RewriteCond %{HTTP_HOST} =webmail.domain.co.uk:443
RewriteCond %{HTTP:Upgrade} !websocket [nocase]

RewriteRule ^/(.*) /___proxy_subdomain_webmail/$1 [PT]
ProxyPass "/___proxy_subdomain_webmail" "http://127.0.0.1:2095" max=1 retry=0

RewriteCond %{HTTP:Upgrade} websocket [nocase]
RewriteCond %{HTTP_HOST} =cpanel.domain.co.uk [OR]
RewriteCond %{HTTP_HOST} =cpanel.domain.co.uk:443

RewriteRule ^/(.*) /___proxy_subdomain_ws_cpanel/$1 [PT]
RewriteCond %{HTTP:Upgrade} websocket [nocase]
RewriteCond %{HTTP_HOST} =webmail.domain.co.uk [OR]
RewriteCond %{HTTP_HOST} =webmail.domain.co.uk:443

RewriteRule ^/(.*) /___proxy_subdomain_ws_webmail/$1 [PT]

RewriteRule ^/Microsoft-Server-ActiveSync /___proxy_activesync/$1 [PT]
ProxyPass "/___proxy_activesync" "http://127.0.0.1:2090/Microsoft-Server-ActiveSync" max=1 retry=0
</VirtualHost>

 

[cPRex]

Great - thanks for posting that. That all looks good to me. The most likely explanation is that those versions of Outlook are just too old to work with modern certificates. We have some more details on that here:

https://support.cpanel.net/hc/en-us/articles/360052791394-Outlook-TLS-error-None-of-the-authentication-methods-supported-by-this-client-are-supported-by-your-server-

Does that sound like what you're experiencing with those versions?

 

[axeblokie]

Hi cPRex.

The Outlook version I tested on my system is Outlook 365, version 2205 build 16.0.15225.20172 (re-testing a moment ago to give you the exact error message it worked for me, so I've asked the client to confirm if they still have the issue and confirm their version of Outlook)
The error message was rather different to the post you linked, it was complaining that the target principle domain on the certificate did not match the domain I was connecting to. Connecting to "mail.domain.co.uk" was loading the certificate for "cpanelhost.hosting.zen.co.uk" instead.
We'll put this on the backburner until he comes back to me

 

[cPRex]

Let me know what he says!

 

[axeblokie]

Hi cPRex,

The customer has come back to me, he is using Outlook 365 version 2205 build 15225.20204 and he is still receiving the error message sadly.

Clicking view certificate gives the cPanel host certificate rather than his domains certificate.

 

[cPRex]

At this point it would be best to submit a ticket to our team, since there isn't any obvious misconfiguration that I'm seeing from the details you've provided. Once you do that, if you could please post the ticket number here I can follow along on my end.

 

[axeblokie]

Hi cPRex.

Case 94457908 has been raised Thanks for your help on this so far.

 

[cPRex]

Thanks for that - I'm following along with that ticket now on my end also!

 

[axeblokie]

So it turns out the server was not the issue.
Despite the end user adamantly stating the SMTP settings were all correct, on numerous occasions saying they match what we suggested, once we got access to the settings on his machine, they were not. User error!

 

[cPRex]

It definitely wouldn't be the first time that's the case!