AutoSSL not so good for email
I'm just noticing that not many, (if any?), email clients are recognizing the certificates installed by AutoSSL. They seem mostly fine in browsers, but the auto-configuration area of webmail is instructing users to use their domain as the incoming/outgoing server in the secure details, but email clients are complaining about the unrecognized certificates.
Has anyone found any email clients that recognize these certs? I think to remedy this I may have to once again override what is being shown in the auto-configure area, if I can even remember how I did that before (to display the server hostname for secure connections instead of suggesting users use their own domain name.)
Hello, Could you verify if "Mail SNI" is enabled for these domain names under "WHM >> SSL/TLS >> Manage SSL Hosts"? The current plan is to enable it automatically in cPanel version 60, however you can enable it manually in prior versions of cPanel to take advantage of the installed SSL certificate for mail services. Thank you.
Yep it's enabled. The proper certificate is being seen by the mail client, just not trusted.
Hello, Internal case CPANEL-8212 will address this issue in cPanel version 60. Here's some information about the changes stemming from this case:
- Exim was not checking wildcard matches against Domain TLS; this change introduces logic that corrects that.
- Mail SNI only worked for the Apache vhost's ServerName. It now works for all domains on the vhost.
- Makes Dovecot use the Domain TLS repository for keys/certificates. It will thus be consistent with Exim, cpsrvd, and cpdavd.
- Makes Dovecot always use SNI.
- Updates Cpanel::SSL::Domain so that requests for the "optimal" host for a TLS connection will be informed by knowledge of Domain TLS.
Thank you.
Is there a solution for this?
Hello @asmithjr, Could you provide a brief description of the current issue you are facing? Thank you.
Users need to use the server certificate. When they connect SSL to email it says the cert is invalid and is issued to the server not to their domain. When you visit the website using https:// it works fine. When you set up Outlook or others it will not let you use SSL unless you type in the server name. I checked and the settings for Mail SNI show yes for all domains.
This is part of the case referenced earlier, that's included as part of cPanel version 60 (Not Yet Released). An additional case in version 60, CPANEL-8418, ensures that mobileconfig files are signed with domain certificates when available. Information on the build/release process is available at:
Michael, what should we do in the meantime? Unfortunately I moved to a new server and now all the email accounts are causing this problem. For now I am getting by with users by telling them to use the hostname instead of their domain name for the settings. Sometimes it works.
This should work as a temporary workaround. Version 60 is tentatively scheduled for publication to the "Current" build tier on October 5th. Update: Version 60 is tentatively scheduled for publication to the "Current" build tier on October 11th. Note that this is a tentative date and is subject to change. Thank you.
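A small diagnostic for the two failures reported in this thread (certificate seen but not trusted, and certificate issued to the server rather than the domain), added here as an example; it is not cPanel's code and was not posted by any participant. It connects to an implicit-TLS mail port with SNI set to the name the mail client would use; the certificate name lists are constructed placeholders.

```python
import socket
import ssl


def covers(pattern: str, host: str) -> bool:
    """True if one certificate dNSName covers host (wildcard = one leftmost label)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*.d.example" matches neither "d.example" nor "a.b.d.example"
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def diagnose(host: str, dns_names: list[str]) -> str:
    """Compare the name the client typed with the names on a chain-trusted cert."""
    if any(covers(n, host) for n in dns_names):
        return "ok"
    return "name-mismatch: certificate is for " + ", ".join(dns_names)


def probe(host: str, port: int = 993, timeout: float = 5.0) -> str:
    """Connect with SNI=host (993 = IMAPS; 465 and 995 work the same way)."""
    ctx = ssl.create_default_context()
    # The chain is still verified; only the name check is done by diagnose()
    # so that the report can list the names the server actually presented.
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                sans = tls.getpeercert().get("subjectAltName", ())
    except ssl.SSLCertVerificationError as exc:
        return f"untrusted: {exc.verify_message}"
    return diagnose(host, [value for kind, value in sans if kind == "DNS"])


# Constructed sample data (placeholders, not values from the thread): the names
# on a server-hostname certificate and on a per-domain certificate.
HOSTNAME_CERT = ["server.hosting.example"]
DOMAIN_CERT = ["customer.example", "*.customer.example"]

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, "->", probe(name))
```

Run it with the customer's mail name and with the server hostname as arguments: "untrusted" points at the chain, while "name-mismatch" means the service answered with a certificate for a different name than the one requested.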
Hi Michael, If SNI is enabled by default in version 60 it sounds like that will fix my problem but I just wanted to ask my version of the question as I believe it addresses the core issue where the other questions here seem to simply focus on SNI "not working". Basically, what I've observed is that when a certificate is renewed/replaced, even if mail SNI was previously enabled, it will become disabled with the new certificate. This has obviously made short term auto renewing certificates (LE, etc) not viable with mail SNI.
- Is case CPANEL-8212 meant to address this issue?
- Is there a configuration file or scriptable functionality that can be used to enable mail SNI as a workaround?
- The October 5th date you mentioned has passed and I'm trying to understand the release schedule graphic provided in the cPanel blog, is October 17th now the scheduled date for release to current?