cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Mail SNI: support "mail." and other subdomains without requiring a wildcard

Alex @ Serversaurus shared this idea 4 years ago
Completed

Currently, if you want to use SNI for mail services on any name that is not web domain on the account (so for example, mail.example.org where an account web domain is example.org), you have to use a wildcard certificate.


Installing a certificate with a SAN of mail.example.org is not sufficient to make Exim et al to respond to an SNI request for mail.example.org. This is because the mail.example.org name does not appear in the mail SNI map.


Probably not ideal now that we have wildcard-less CAs like Let's Encrypt getting popular.


Current Workarounds

There is currently no way to persistently modify the Mail SNI map (/etc/mail_sni_map), which informs the listening services on how to negotiate SNI.


A workaround is to modify the Exim (and other service) configs to read from another database for additional SNI names. This is potentially forwards-incompatible and a pain to manage.


Proposed Solution

When installing a certificate, cPanel should read the SANs out of the certificate and install them into any relevant SNI configurations.

Best Answer
photo

In version 60 we've adjusted the way that SNI is handled, and mail. is now created by default in order to accomplish this. We've also ensured that any certificate added through AutoSSL will include mail. support, and that it is configured to work with all SNI enabled services. For that reason, I'm going to go ahead and mark this request as resolved. If you need anything else, or have any other questions, please feel free to reach out to me!

Comments (5)

photo
1

This is a must for us, we have a lot of domains hosted with us and I hate that the SSL mail server clients see is the servers hostname.


Per domain SSL mail servers would be excellent.

photo
1

This is a more specific case of this feature request:

http://features.cpanel.net/responses/ssl-certificate-per-domain-on-all-services


Since the more general feature request has so many more upvotes and comments, I strongly encourage folks to throw their weight behind it instead. :)

photo
1

We just create the subdomain mail.example.org and install the ssl cert on it and it works for us.


I agree however that if a cert has a SAN for mail.example.org that cPanel could detect this and intall it automaticaly. But then what should cPanel do if mail.example.org subdomain is created ?

photo
1

Sure. I think put more simply, an ambiguity could arise if there are competing certificates for the same name.


Perhaps the winner could be the one that has the name as the primary CN (not a SAN). Or more naively, whichever the server software finds first in the certificate bundle.

photo
1

In version 60 we've adjusted the way that SNI is handled, and mail. is now created by default in order to accomplish this. We've also ensured that any certificate added through AutoSSL will include mail. support, and that it is configured to work with all SNI enabled services. For that reason, I'm going to go ahead and mark this request as resolved. If you need anything else, or have any other questions, please feel free to reach out to me!

Replies have been locked on this page!