Author Topic: TLS encryption for each domains hosted with CWP  (Read 14645 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
TLS encryption for each domains hosted with CWP
« on: May 10, 2018, 06:20:32 AM »
I want to setup IMAP/POP3 access for incoming mail server on my CWP. For accessing the incoming mail server, I will need either POP3 or IMAP access with TLS encryption which is mandatory for most of the email clients.
My main host name is hosting.domain.com and that has the default host certificate.
I have created the domain example.com and created email account for the same as user@example.com. Here, example.com has its own SSL certificate.
When I add the same in mail client (Gmail on Android), I have entered incoming mail server as example.com and selected all the available options for security (like SSL/TLS, SSL/TLS (Accept all certificates), STARTTLS, STARTTLS (Accept all certificates)). But, the server is rendering only the main host name certificate (hosting.domain.com) instead of the mail address's domain certificate.
What can I do to host multiple domains with email accounts secured by TLS for each domains? What is the workaround?
(Note: Previously, I had Vesta-CP and I had replaced the main domain certificate with required main domain certificate and used the same as incoming & outgoing mail server for all the domains. But, it is not the proper way to do so. I can configure the windows mail clients like MS Outlook. But, in android device, I am getting the above said issues).

Offline
*
Re: TLS encryption for each domains hosted with CWP
« Reply #1 on: May 10, 2018, 11:43:42 AM »
You need to use hostname as mail servers to use SSL connection

Offline
*
Re: TLS encryption for each domains hosted with CWP
« Reply #2 on: May 11, 2018, 02:44:41 AM »
I have tried. But Gmail app is still saying that connection is not secure and it won't proceed to connect incoming mail server. It is showing proper SSL hostname (hosting.domain.com). I gad setup Letsencrypt SSL for all the domaima in the server uaing Auto SSL.

Offline
*
Re: TLS encryption for each domains hosted with CWP
« Reply #3 on: May 11, 2018, 06:01:14 AM »
Can You confirm that SSL is valid for your hostname ?
https://www.digicert.com/help/

Offline
*
Re: TLS encryption for each domains hosted with CWP
« Reply #4 on: May 11, 2018, 10:35:03 AM »
Yes.
When I try to access, Gmail app is saying that connection is not secure & not allowing to add the mail account for sync. But, it is showing proper hostname as domain.com with Let's Encrypt certificate for the incoming mail server. If I continue with Proceed Anyway, later Gmail app will be force closed automatically while switching to that mail account.
I have the MX record to point to the same domain (@) and PTR records are also proper. I do not get any error while accessing the roundcube webmail or in the admin panel of CWP. Also, I was able to access the email with MS Outlook on my windows 10 PC properly without any error.
I have also checked the SSL details in SSL shopper and also in Check TLS. SSL Shopper is not showing any error. But, Check TLS site is showing the error as 'Certificate 1 of 1 in chain: Cert VALIDATION ERROR(S): unable to get local issuer certificate; unable to verify the first certificate
This may help: What Is An Intermediate Certificate
So email is encrypted but the recipient domain is not verified'. I have tried many things like renaming the hostname, using different MX record with different hostname etc. But, problem is not solved.

I want to host two domains in the same server with single IP address with different mail accounts for each domains with TLS/SSL encryption. I will be using the Let's Encrypt SSL for all the domains. I would like to give an option to use any email client for the email accounts for easy access.

Offline
*
Re: TLS encryption for each domains hosted with CWP
« Reply #5 on: September 26, 2018, 03:31:23 AM »
similar issue here. mx records checkout, delerability score good, Let's Encrypt install for server hostname, but gmail complains about not being able to establish a secure connection to pop3 over SSL (port 995)..
how can I ensure the SSL cert is properly installed for port 995 and will remain updated when Let's Encrypt renews the cert?
Thanks,
Joe

Offline
*
Re: TLS encryption for each domains hosted with CWP
« Reply #6 on: September 26, 2018, 04:01:55 AM »
following up, I checked /etc/dovecot/dovecot.conf and ran openssl s_client -connect [my server hostname]:pop3s in a terminal
and it looks like the Let's Encrypt cert is actually being used.. which is good. But still gmail complains about being unable to establish a secure connection to POP3, port 995. It has no trouble connecting securely to 465 SMTP though. The further details in the error message from google were "Server returned error: "SSL error: No path found from the leaf certificate to any root. Maybe an intermediate certificate is missing?"

So I've currently no idea how to fix that.. Any clues would be appreciated!
« Last Edit: September 26, 2018, 04:10:12 AM by joehudson »