Wrong SSL certificate returned on SMTP TLS connections
I have an issue where it appears that when making a secure connection to a cPanel server for SMTP, the wrong SSL cert is returned, stopping the mail client from sending. Incoming is OK.
Setup.
I have a WHM server as hosting.domain.com
I have a client with cpanel on clientdomain.com
I have AutoSSL enabled for both domains via Let's Encrypt.
I have tried with both Outlook 2010 and Outlook 2007 (different machines and connections, but the same OS, Windows 10) and have the same issue.
Connection type IMAP or POP3 - both tested (same outgoing port 465).
When I use a browser and try connecting to a secure URL (obviously port 443 though) the returned certificates are trusted. For example.
Hello. When configuring the mail server name for outgoing connections in Outlook for the affected user, do you experience the same issue if you use the server's hostname as the mail server name? Thank you.
Sorry to resurrect an old post. Did this ever get resolved? I have a client with the same issue with the server's host SSL being returned instead of the domain's SSL. For example, he connects to mail.clientdomain.co.uk and gets client.cpanelhostdomain.co.uk with certificate warnings that the target principal name is incorrect. Trying by IP address or the cPanel hostname works, but he wants his clients to use mail.clientdomain.co.uk. It also happens when connecting to FTP via FileZilla.
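A diagnostic for the symptom in the original post and in the reply above, added here as an example and not code from the thread or from cPanel: it reproduces the name check a mail client performs on the certificate served on port 465, runs it over constructed sample certificates in the dict form Python's getpeercert() returns, and includes a helper that fetches the live certificate with or without SNI so the two can be compared. The host names, the port defaults and the helper names are assumptions.

```python
import socket
import ssl

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert()
# returns; the names are the placeholders used in the thread, not real hosts.
HOST_CERT = {  # what the reply above saw: the cPanel server's own hostname cert
    "subject": ((("commonName", "client.cpanelhostdomain.co.uk"),),),
    "subjectAltName": (("DNS", "client.cpanelhostdomain.co.uk"),),
}
DOMAIN_CERT = {  # what the client expected: the AutoSSL cert for the domain
    "subject": ((("commonName", "clientdomain.co.uk"),),),
    "subjectAltName": (("DNS", "clientdomain.co.uk"), ("DNS", "mail.clientdomain.co.uk")),
}

def _name_matches(pattern, hostname):
    """RFC 6125 style: '*.' may stand in for exactly one leftmost DNS label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        return h.count(".") == p.count(".") and h.endswith(p[1:])
    return p == h

def cert_names(cert):
    """DNS names a client will accept: the SAN list, or the CN only if there is no SAN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def hostname_matches(cert, hostname):
    return any(_name_matches(n, hostname) for n in cert_names(cert))

def diagnose(cert, hostname):
    """The verdict behind Outlook's 'target principal name is incorrect' warning."""
    names = ", ".join(cert_names(cert))
    if hostname_matches(cert, hostname):
        return f"OK: {hostname} is covered by the served certificate ({names})"
    return f"MISMATCH: connected to {hostname} but the server presented a certificate for {names}"

def fetch_peercert(hostname, port=465, send_sni=True, timeout=5.0):
    """Pull the certificate an implicit-TLS port (465 SMTPS, 993 IMAPS) actually serves.
    Chain validation stays on so getpeercert() returns a parsed dict; only the name
    check is turned off, because reporting that mismatch is the whole point."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname if send_sni else None) as tls:
            return tls.getpeercert()
```

Running diagnose(fetch_peercert(name), name) against the name the client types, once with send_sni=True and once with send_sni=False, shows whether the per-domain certificate is only served when SNI is present or is never served at all on that port.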
@axeblokie - do you see an entry in the Apache configuration for mail.domain.co.uk for that user? If so, I would expect the SSL to be installed on that domain properly.
Hi CPRex. Apologies for the delay. I see this in the httpd.conf for the domain in question:
ServerName domain.co.uk
ServerAlias mail.domain.co.uk www.domain.co.uk
DocumentRoot /home/domain/public_html
ServerAdmin webmaster@domain.co.uk
UseCanonicalName Off
## User username # Needed for Cpanel::ApacheConf
UserDir disabled
UserDir enabled username
# Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
# To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
# the user's .htaccess file. For more information, please read:
# mod_include - Apache HTTP Server Version 2.4
SSILegacyExprParser On
suPHP_UserGroup username username
SuexecUserGroup username username
RMode config
RUidGid username username
# For more information on MPM ITK, please read:
# apache2-mpm-itk
AssignUserID username username
PassengerUser username
PassengerGroup username
ScriptAlias /cgi-bin/ /home/domain/public_html/cgi-bin/
# Global DCV Rewrite Exclude
RewriteOptions Inherit
# To customize this VirtualHost use an include file at the following location
# Include "/etc/apache2/conf.d/userdata/std/2_4/username/domain.co.uk/*.conf"
*The username and domain are the same; I just changed them in the above for privacy.
I've replicated the fault for the customer on my machines, except when using Thunderbird; the client, however, is insisting on using Outlook.
Can you check the domain.com:443 vhost instead? That would be the secured vhost with the SSL certificate details.
Now I feel like even more of a noob for not spotting that. Here's the 443 vhost entry for that domain:
ServerName domain.co.uk
ServerAlias mail.domain.co.uk www.domain.co.uk webmail.domain.co.uk cpcontacts.domain.co.uk cpanel.domain.co.uk cpcalendars.domain.co.uk autodiscover.domain.co.uk webdisk.domain.co.uk
DocumentRoot /home/domain/public_html
ServerAdmin webmaster@domain.co.uk
UseCanonicalName Off
## User domain # Needed for Cpanel::ApacheConf
UserDir disabled
UserDir enabled domain
# Enable backwards compatible Server Side Include expression parser for Apache versions >= 2.4.
# To selectively use the newer Apache 2.4 expression parser, disable SSILegacyExprParser in
# the user's .htaccess file. For more information, please read:
# mod_include - Apache HTTP Server Version 2.4
SSILegacyExprParser On
SecRuleEngine Off
modsecurity_rules 'SecRuleEngine Off'
suPHP_UserGroup domain domain
SuexecUserGroup domain domain
RMode config
RUidGid domain domain
# For more information on MPM ITK, please read:
# apache2-mpm-itk
AssignUserID domain domain
PassengerUser domain
PassengerGroup domain
ScriptAlias /cgi-bin/ /home/domain/public_html/cgi-bin/
SSLEngine on
SSLCertificateFile /var/cpanel/ssl/apache_tls/domain.co.uk/combined
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLOptions +StdEnvVars
# To customize this VirtualHost use an include file at the following location
# Include "/etc/apache2/conf.d/userdata/ssl/2_4/domain/domain.co.uk/*.conf"
RequestHeader set X-HTTPS 1
RewriteEngine On
RewriteCond %{HTTP_HOST} =autodiscover.domain.co.uk [OR]
RewriteCond %{HTTP_HOST} =autodiscover.domain.co.uk:443
RewriteCond %{HTTP:Upgrade} !websocket [nocase]
RewriteRule ^
Hi cPRex. The Outlook version I tested on my system is Outlook 365, version 2205 build 16.0.15225.20172 (re-testing a moment ago to give you the exact error message, it worked for me, so I've asked the client to confirm if they still have the issue and confirm their version of Outlook). The error message was rather different to the post you linked; it was complaining that the target principal domain on the certificate did not match the domain I was connecting to. Connecting to "mail.domain.co.uk" was loading the certificate for "cpanelhost.hosting.zen.co.uk" instead. We'll put this on the backburner until he comes back to me :)
Let me know what he says!
Hi cPRex. The customer has come back to me; he is using Outlook 365 version 2205 build 15225.20204 and he is still receiving the error message, sadly. Clicking "view certificate" gives the cPanel host certificate rather than his domain's certificate.
At this point it would be best to submit a ticket to our team, since there isn't any obvious misconfiguration that I'm seeing from the details you've provided. Once you do that, if you could please post the ticket number here, I can follow along on my end.
Hi cPRex. Case 94457908 has been raised :) Thanks for your help on this so far.
Thanks for that - I'm following along with that ticket now on my end also!
So it turns out the server was not the issue. Despite the end user adamantly stating the SMTP settings were all correct, on numerous occasions saying they matched what we suggested, once we got access to the settings on his machine, they were not. User error!
It definitely wouldn't be the first time that's the case!