Mail SNI not working for some domains
Hi,
I have some issues configuring my e-mail in Thunderbird: it gives a certificate error for the IMAP hostname, since the server returns the server certificate instead of the domain certificate.
To give you an example:
[root@cloud01 etc]# openssl s_client -connect mail.example.com:993 -servername mail.example.com
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=cloud01.example.net
i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=cloud01.example.net
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority

It gives the certificate for the server hostname. When I change the port to SMTP 465 it works correctly:
[root@cloud01 etc]# openssl s_client -connect mail.example.com:465 -servername mail.example.com
Certificate chain
0 s:/CN=example.com
i:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
1 s:/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
subject=/CN=example.com
issuer=/C=US/ST=TX/L=Houston/O=cPanel, Inc./CN=cPanel, Inc. Certification Authority

Since I run on cPanel v76 the Mail SNI should be enabled by default. The strange thing is that some other domains on the same server return the correct certificate [removed real domain]. I already tried to delete the whole domain and add it again, and to delete the certificates in Manage SSL Hosts and recreate them by running AutoSSL. Nothing fixed this issue. Is this a bug? Is it something I can fix manually?
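The port-by-port comparison in the post above can be scripted. The check below is an added example (not the poster's or cPanel's code): it asks each mail port for the certificate under the requested SNI name and tests whether that name is covered by the certificate's SAN list, which is what Thunderbird validates, rather than eyeballing the subject CN. The hostnames and SAN strings are assumptions, and `x509 -ext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: check whether the
# leaf certificate a mail port presents for an SNI name covers that name, as
# Thunderbird does. It matches on the SAN list, not the subject CN, since a
# cert with CN=example.com is valid for mail.example.com when that name is
# among its SANs. Hostnames and SAN strings are constructed; needs OpenSSL 1.1.1+.

# fetch_san HOST PORT SNI: print the leaf cert's SAN list on one line,
# e.g. "DNS:example.com, DNS:mail.example.com". Needs network access.
fetch_san() {
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | sed -n '2s/^[[:space:]]*//p'
}

# name_covered NAME SAN_LINE: return 0 when NAME is listed exactly or is
# matched by a one-label wildcard (*.example.com covers mail.example.com,
# not example.com and not a.b.example.com).
name_covered() {
  name=$1; parent=${name#*.}; old_ifs=$IFS; IFS=','
  for entry in $2; do
    entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*DNS://; s/[[:space:]]*$//')
    case $entry in
      "$name") IFS=$old_ifs; return 0 ;;
      \*.*) if [ "${entry#\*.}" = "$parent" ] && [ "$parent" != "$name" ]; then
              IFS=$old_ifs; return 0
            fi ;;
    esac
  done
  IFS=$old_ifs; return 1
}

# check_mail_sni HOST PORT SNI: one PASS/FAIL line per port; return 1 on FAIL.
check_mail_sni() {
  san=$(fetch_san "$1" "$2" "$3")
  if name_covered "$3" "$san"; then
    printf 'PASS %s:%s presents a certificate covering %s\n' "$1" "$2" "$3"
  else
    printf 'FAIL %s:%s presents [%s], which does not cover %s\n' "$1" "$2" "$san" "$3"
    return 1
  fi
}

# Usage: sh check_mail_sni.sh mail.example.com  (checks IMAPS 993 and SMTPS 465)
if [ "$#" -ge 1 ]; then
  for port in 993 465; do check_mail_sni "$1" "$port" "$1"; done
fi
```

A FAIL on 993 alongside a PASS on 465 reproduces the symptom in the post: Exim has the per-domain certificate but Dovecot's SNI configuration does not.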
Hello @brixion_ricky, This should only happen when the SSL certificate for "mail.domain.tld" isn't signed. Can you browse to WHM >> Manage AutoSSL >> Logs and review the most recent log file? Check to see if there are any errors or warnings when AutoSSL checks "mail.domain.tld" on the affected account. Thank you.

Try running the command:
/scripts/build_mail_sni --rebuild_dovecot_sni_conf && /scripts/build_mail_sni --restartsrvs
There are a few cases where cPanel doesn't actually update the Dovecot SNI configuration, so SNI doesn't work until that's done :) One of the "famous" cases is during migrations.

> Try run the command:
> /scripts/build_mail_sni --rebuild_dovecot_sni_conf && /scripts/build_mail_sni --restartsrvs
> There are a few cases where cPanel doesn't actually update the dovecot sni configuration, so SNI doesn't work until that's done :) One of the "famous" cases is during migrations.

Hi Lucas, Good point! Internal case CPANEL-21273 is open to address an issue where the Mail SNI configuration for addon domains isn't automatically updated when the account is transferred using WHM >> Transfer Tool with the "Copy Home Directory" option unchecked. I don't see an existing forums thread open for this, so I'll link this thread to the case and provide an update here when the solution is published. Are there any additional scenarios or cases you're aware of where the SNI configuration isn't automatically updated? I'd like to ensure an internal case is open for each scenario. Thank you.

> Hello @brixion_ricky, This should only happen when the SSL certificate for "mail.domain.tld" isn't signed. Can you browse to WHM >> Manage AutoSSL >> Logs and review the most recent log file? Check to see if there are any errors or warnings when AutoSSL checks "mail.domain.tld" on the affected account. Thank you.

The SSL certificate is issued successfully. Can't find anything suspicious in the log files:

10:11:02 AM The system will attempt to renew the SSL certificate for the website (domain.server.tld: domain.tld www.domain.tld mail.domain.tld webmail.domain.tld cpanel.domain.tld webdisk.domain.tld domain.server.tld www.domain.server.tld). No CAA record added because there is no CAA record from another provider in the DNS for domain.tld. No CAA record added because there is no CAA record from another provider in the DNS for server.tld.
10:11:05 AM The cPanel Store received "domain.server.tld"'s certificate order. (Order Item ID: 531795317) The system will periodically poll the cPanel Store for the issued certificate and then install it after a successful retrieval.
10:11:05 AM The system has completed the AutoSSL check for "username". The system has finished checking 1 user.
10:12:01 AM The queue contains a request for a certificate for "username"'s website "domain.server.tld" (order item ID "531795317"). The system last polled for this certificate at Dec 11, 2018, 9:11:05 AM UTC. The next poll will be no earlier than Dec 11, 2018, 9:11:05 AM UTC.
10:17:01 AM Polling for "username"'s new certificate for "domain.server.tld" (order item ID "531795317") … The certificate is available. The system will now attempt to install it.
10:17:02 AM SUCCESS The certificate is now installed!

> Try run the command:
> /scripts/build_mail_sni --rebuild_dovecot_sni_conf && /scripts/build_mail_sni --restartsrvs
> There are a few cases where cPanel doesn't actually update the dovecot sni configuration, so SNI doesn't work until that's done :) One of the "famous" cases is during migrations.

Tried that but with no effect :(

> Hi Lucas, Good point! Internal case CPANEL-21273 is open to address an issue where the Mail SNI configuration for addon domains isn't automatically updated when the account is transferred using WHM >> Transfer Tool with the "Copy Home Directory" option unchecked. I don't see an existing forums thread open for this, so I'll link this thread to the case and provide an update here when the solution is published. Are there any additional scenarios or cases you're aware of where the SNI configuration isn't automatically updated? I'd like to ensure an internal case is open for each scenario. Thank you.

I have WHM with only one single cPanel user. No domains or accounts have ever been transferred.

I created a support ticket. My Support Request ID is: 10947641

The result of the support ticket was "It looks like an email account will need to be created first for that domain, in order for the domain to be added into the Dovecot SNI configuration files." That fixed the problem for me. Why is it necessary to create an email account first? Because I'm not going to use the created e-mail account since the MX records of that domain are pointed to Google GSuite. I just want all my customers to use mail.mycompany.tld as IMAP server name so I don't have to change hundreds of DNS records when I'm ever going to switch IP or server. Or is it a bad way to do it like this?

> Why is it necessary to create an email account first?

Hello @brixion_ricky, We introduced a change designed to improve Dovecot performance back in cPanel & WHM version 60 so that domains are only added to the Dovecot mail SNI configuration after an email account is added: Fixed case CPANEL-9842: Only add TLS domains to dovecot if they have email accts.

> I'm not going to use the created e-mail account since the MX records of that domain are pointed to Google GSuite.

Can you provide some more information about your email plan for this domain? For instance, if email is going to be handled through Google, are you planning to have "mail.domain.tld" point to Google as well? Thank you.

> Hi Lucas, Good point! Internal case CPANEL-21273 is open to address an issue where the Mail SNI configuration for addon domains isn't automatically updated when the account is transferred using WHM >> Transfer Tool with the "Copy Home Directory" option unchecked. I don't see an existing forums thread open for this, so I'll link this thread to the case and provide an update here when the solution is published. Are there any additional scenarios or cases you're aware of where the SNI configuration isn't automatically updated? I'd like to ensure an internal case is open for each scenario. Thank you.

I think that's the main case where I found it an issue; the above case ID was created based on my ticket 9755213 :-D
9 comments