Mail SNI mail.<domain> - doesn't work

Comments

10 comments

  • cPanelMichael
    Hello :) Per our documentation, mail SNI configures the mail services to use the SSL certificate that's installed for your domain name instead of the server's default certificate. Mail SNI is not compatible with Webmail and will not function for any Webmail connection. Webmail connections use the cPanel service SSL certificate. Could you clarify the specific issue you are facing? For instance, is "Mail SNI" enabled for a domain name in "WHM >> Manage SSL Hosts", and if so, is using that certificate name in the email client resulting in a specific error message? Thank you.
    0
  • manuel.sousa
    Hello, The issue I'm facing is I have one cPanel server with the email while I have a different server for the website. This is also the same issue as with clients for whom we host only the email. On both servers I have the domain (example.org) configured. I access the website using example.org or www.example.org while I access the email using mail.example.org. I use the default cPanel entries, but the www and @ address point to a different server than the mail. When I install a wildcard certificate *.example.org on both servers, it works for HTTP/HTTPS but doesn't work for mail.

    The thing is, if I connect through IMAP using example.org as the SNI host it "works":

        openssl s_client -connect mail.example.org:993 -servername example.org
        ....
        Certificate chain
         0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.example.org
           i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
         1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
           i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
         2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
           i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
        ....

    If I use mail.example.org it doesn't, and shows the default server certificate:

        openssl s_client -connect mail.example.org:993 -servername mail.example.org
        ....
        Certificate chain
         0 s:/CN=myhost
           i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
         1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
           i:/O=Digital Signature Trust Co./CN=DST Root CA X3
        ....

    Unlike the openssl client, I can't control this behavior when using an email client, where it uses the servername configured. I believe the issue might be in /etc/dovecot/sni.conf, where it only shows:

        ...
        local_name example.org
        ...

    I just don't know if I'm missing something to add local_name mail.example.org, pop.example.org, ... or if this is by design and somehow forbids using the other domain alias like mail.example.org when using SNI. Hope I was clear on the issue and thanks for your assistance, Manuel
    0
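The openssl s_client comparison above can be automated so that every name a client might send as SNI is checked against the certificate actually presented. The script below is an added example, not code from this thread or from cPanel: it handshakes with each candidate name, keeps chain verification on but turns hostname checking off so the mismatch is reported rather than raised, and applies RFC 6125-style wildcard matching (one wildcard, leftmost label only). The host, port, name list and the sample certificate dicts are constructed assumptions.

```python
import socket
import ssl

# Constructed samples in the shape getpeercert() returns, mirroring the two
# certificates seen in the thread: the wildcard cert and the server default.
WILDCARD_CERT = {"subject": ((("commonName", "*.example.org"),),),
                 "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org"))}
DEFAULT_CERT = {"subject": ((("commonName", "myhost"),),), "subjectAltName": ()}


def label_matches(pattern, name):
    """RFC 6125-style match: '*' may stand for exactly one leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]                 # '*.example.org' -> '.example.org'
    head = name[: -len(suffix)]          # 'mail.example.org' -> 'mail'
    return name.endswith(suffix) and head != "" and "." not in head


def dns_names(cert):
    """DNS SANs of a getpeercert() dict; CN is used only when there are none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_covers(cert, name):
    """True if the presented certificate is valid for the SNI name sent."""
    return any(label_matches(p, name) for p in dns_names(cert))


def probe(host, port, sni_name, timeout=5.0):
    """Handshake with sni_name and return (covers_name, names_presented).

    Chain verification stays enabled (the dict form of the certificate is only
    available when the chain verified); hostname checking is disabled so a
    wrong certificate is reported instead of aborting the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
    return cert_covers(cert, sni_name), dns_names(cert)


if __name__ == "__main__":
    HOST, PORT = "mail.example.org", 993   # assumed IMAPS endpoint
    for sni in ("example.org", "mail.example.org", "pop.example.org"):
        try:
            ok, names = probe(HOST, PORT, sni)
            print(f"{sni:20s} {'OK ' if ok else 'BAD'} presented: {', '.join(names)}")
        except (ssl.SSLError, OSError) as exc:
            print(f"{sni:20s} ERR {exc}")
```

A BAD line for mail.example.org next to an OK line for example.org is exactly the Dovecot local_name gap described above; an ERR with a verification failure means the default certificate is not even publicly trusted, which a mail client would refuse as well.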
  • cPanelMichael
    When I install a wildcard certificate *.example.org on both servers, it works for HTTP/HTTPS but doesn't work for mail.

    Could you try installing the certificate for "mail.example.org" on the server the user connects to for email services, as opposed to installing it under the wildcard entry? Thank you.
    0
  • manuel.sousa
    Not sure I understood the idea, but when adding a certificate I get the following error: The domain "mail.example.org" is not managed on this server. You must specify an IP address to install SSL for "mail.example.org" or set up this domain on a new account, or create it as parked domain, a subdomain, or an addon domain of an existing account, and try again. The server has example.org configured. I guess that if I park mail.example.org under example.org it might allow me, but that's just twisted. I'd end up having www.mail.example.org, mail.mail.example.org, ....
    0
  • cPanelMichael
    I believe that mail SNI should prevent the SSL warning message in your email client based on the information you have provided. Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.
    0
  • manuel.sousa
    Thanks, sorry for the late reply but was on holidays. I've just opened the support request with the ID: 7504783
    0
  • storminternet
    Happy to wait for the solution to this problem.
    0
  • cPanelMichael
    To update, it was determined that functionality for multi-domain SSL certificates is not fully supported with the Mail SNI feature. The workaround is to set up a separate subdomain for "mail.domain.com" and to install the SSL certificate onto that specific subdomain. Internal case CPANEL-1366 is open to determine how to best address this in future versions of cPanel. I will update this thread with any updates to this case as they occur; however, there are no specific time frames on a change at this time. Thank you.
    0
  • manuel.sousa
    To update, it was determined that functionality for multi-domain SSL certificates is not fully supported with the Mail SNI feature. The workaround is to set up a separate subdomain for "mail.domain.com" and to install the SSL certificate onto that specific subdomain. Internal case CPANEL-1366 is open to determine how to best address this in future versions of cPanel. I will update this thread with any updates to this case as they occur; however, there are no specific time frames on a change at this time. Thank you.

    Just to add that in order to install the SSL certificate onto that specific subdomain it's required that one deletes the mail entry from the DNS.
    0
  • manuel.sousa
    Another workaround until it's fixed, which I ended up doing, is to create a new template. The template I came up with is based on the certificate file name and as such has limited use: one "extra" name. This works well for wildcards, for which I add mail.domain, and for the domain that is present in the certificate SN, which is added as it is. For instance, in order to add mail.example.org, create a certificate with SN mail.example.org and with example.org in the SAN (needed for cPanel to install it even if not used). Domain names present in the SAN are ignored by the template, and this doesn't work for parked domains either, which currently associate their certificate with the primary domain. Below is my template in case you want to use it; just put it in /var/cpanel/templates/dovecotSNI/main.local:

        [% FOREACH domain IN mail_sni_domains.sort -%]
        local_name [% domain %] {
          ssl_cert = <[% mail_sni_domains.$domain.crt %]
          ssl_key = <[% mail_sni_domains.$domain.key %]
        [%- IF mail_sni_domains.$domain.cabundle %]
          ssl_ca = <[% mail_sni_domains.$domain.cabundle %]
        [%- END %]
        }
        [% matches = mail_sni_domains.$domain.crt.match('certs/(.*)_\w+_\w+_\d+_\w+.crt$') -%]
        [% certDomain = matches.0.replace('_wildcard__','mail_').replace('www_','').replace('_','.') -%]
        [% IF domain != certDomain -%]
        local_name [% certDomain %] {
          ssl_cert = <[% mail_sni_domains.$domain.crt %]
          ssl_key = <[% mail_sni_domains.$domain.key %]
        [%- IF mail_sni_domains.$domain.cabundle %]
          ssl_ca = <[% mail_sni_domains.$domain.cabundle %]
        [%- END %]
        }
        [% END -%]
        [% END -%]
    0