Mail SSL SNI isn't working
openssl s_client -showcerts -connect eworksbuildsit.com:993
Returns the global panel certificate (*.e-worksmedia.com) rather than the domain's certificate. The certificate was installed with Mail SNI enabled: i.imgur.com/5rc9dTU.jpg
The host, Liquid Web, says: "I see the configurations are there, but I'm not seeing it pull the SNI cert still. I haven't been able to see it work on other servers either. If you want we can open a ticket but I'm really not sure if it works properly."
Please advise, thanks.
Hello :) Please test this with the "-servername" flag due to the nature of how SNI works. E.g.:
openssl s_client -connect domain.com:993 -servername domain.com
Thank you.
Please try checktls.com/perl/TestReceiver.pl with address damon@example.com and let me know if it presents a valid certificate for you. You're forcing the SNI which isn't natural.
[025.404] Cert Hostname DOES NOT VERIFY (example.com != *.domain.com)
[025.405] (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
[025.405] So email is encrypted but the host is not verified
Sadly, we aren't able to "trick" PCI compliance scanners.
I have the same problem / question. I'm using CentOS 7.2, cPanel 54 build 16, have a wildcard certificate for my domain and Mail SNI enabled. For my domain I get:
[026.203] Cert VALIDATED: ok
[026.203] Cert Hostname DOES NOT VERIFY (domain.be != server.serverdomain.be)
[026.203] So email is encrypted but the host is not verified
I was also under the impression that I can use "mail.domain.be" in e.g. Outlook with Mail SNI. Yet connecting via SSL gives me the mismatch error (which led me to this topic). Any advice on how to fix or troubleshoot this further?
Hello :) You will need to post the output from the "openssl s_client -connect domain.com:993 -servername domain.com" command to your PCI compliance company to let them know their report is showing a false positive. Customers should not experience any issues, as their email clients should see the correct certificate automatically. Thank you.
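The two things this thread keeps circling are (a) whether the server hands out a different certificate when the client sends SNI versus when it does not, and (b) why a wildcard certificate still fails hostname verification against the bare domain. The following is an added example, not code from the thread, cPanel or checktls; it uses only the Python standard library. `hostname_matches` applies the wildcard rules from RFC 2818 section 3.1 / RFC 6125 section 6.4.3 (a `*` is honoured only as the whole leftmost label, it matches exactly one label, and it never covers the apex name), `fetch_cert` does the same thing as `openssl s_client -connect host:993` with and without `-servername`, and `compare_sni` puts the two together. The certificate dict and the host names in it are constructed for illustration.

```python
"""Added example: compare the IMAPS certificate presented with and without SNI,
and check its names against the expected host using RFC 2818/6125 wildcard rules.
Standard library only; the sample certificate below is constructed."""
import socket
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# The names mirror the wildcard case discussed in the thread.
SAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.be"),),),
    "subjectAltName": (("DNS", "*.domain.be"), ("DNS", "domain.be")),
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (dNSName SAN or CN) covers hostname.

    Comparison is case-insensitive. A '*' is only accepted as the entire
    leftmost label, it matches exactly one label, and it cannot stand in for
    the whole name, so '*.domain.be' covers 'mail.domain.be' but neither
    'domain.be' (the apex) nor 'a.mail.domain.be'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] == "*":
        # Require at least two labels after the wildcard (no '*.com') and
        # exactly as many labels in the host as in the pattern.
        if len(p_labels) < 3 or len(h_labels) != len(p_labels):
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        # Partial-label wildcards such as 'm*il.example.com' are not accepted.
        return False
    return p_labels == h_labels


def cert_names(cert: dict) -> list:
    """Collect dNSName SANs; fall back to the subject CN only if there are none."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def verify_names(cert: dict, hostname: str):
    """Return (matched, names) for a parsed certificate and the expected host."""
    names = cert_names(cert)
    return any(hostname_matches(name, hostname) for name in names), names


def fetch_cert(host: str, port: int = 993, sni: bool = True, timeout: float = 10) -> dict:
    """Fetch the leaf certificate from an IMAPS port, with or without SNI.

    The chain is still validated against the system CA store (an untrusted
    chain raises ssl.SSLCertVerificationError), but the built-in hostname
    check is turned off so that a name mismatch is reported by verify_names()
    instead of aborting the handshake. Equivalent to:
        openssl s_client -connect host:port [-servername host]
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we do the name comparison ourselves
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()


def compare_sni(host: str, port: int = 993) -> dict:
    """Report which names the server presents with and without SNI."""
    report = {}
    for use_sni in (True, False):
        matched, names = verify_names(fetch_cert(host, port, sni=use_sni), host)
        report["with_sni" if use_sni else "without_sni"] = (matched, names)
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.be"  # constructed default
    for label, (matched, names) in compare_sni(target).items():
        print(f"{label}: {'matches' if matched else 'MISMATCH'} {target}; names={names}")
```

If `with_sni` matches and `without_sni` does not, Mail SNI is doing its job and a scanner that omits SNI is reporting a false positive; if both return the panel certificate, the SNI mapping itself is not being applied. The offline part explains the checktls lines above: `*.domain.be` never covers `domain.be`, so connecting to the apex name will fail verification even though the wildcard certificate is installed correctly.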
We have the same issue. Customer has "domain.com", but uses our host only for mail. Therefore mail.domain.com points to our server and account "domain.com" has subdomain "mail.domain.com" and SSL for "mail.domain.com" installed. But when I try:
openssl s_client -connect mail.domain.com:993 -servername mail.domain.com
I still get the global server's certificate. Running CentOS 6, latest WHM.
> Customer has "domain.com", but uses our host only for mail. Therefore mail.domain.com points to our server and account "domain.com" has subdomain "mail.domain.com" and SSL for "mail.domain.com" installed. But when I try:
Could you verify that "Mail SNI" is enabled for this domain name in "WHM >> Manage SSL Hosts"? Thank you.
> Could you verify that "Mail SNI" is enabled for this domain name in "WHM >> Manage SSL Hosts"?
Oh yes, absolutely. Should I open a ticket instead?
Please try adding the correct CA bundle manually to the certificate file specified for the domain in: /etc/mail_sni_map
Let us know if this makes a difference (after restarting your mail services). Thank you.
The domain in /etc/mail_sni_map is set to domain.com, but the customer has SSL for mail.domain.com and tries to connect to mail.domain.com, since domain.com is hosted somewhere else. I tried copying this line and restarting exim; it did not help. The CA bundle seems to be correct.
Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.
Support Request ID is: 7500495