
Do clients SSL certificates work for mail as well?

Posted by akust0m, 03-24-2015, 05:04 AM
Hello, I am wondering whether client SSL certificates work for mail as well as their website? I understand that the shared server certificate works, but will other client-installed certificates work for mail in addition to their website? I would imagine that in order for my customers' SSL certificates to work with their mail, during the initial mail connection the domain name would have to be sent as part of the handshake so that the server knows which certificate to use, much like SNI works via HTTPS. I started thinking about this when trying to work out ways to prevent customers receiving certificate mismatch warnings in their mail programs. They could use the web server's hostname, but that is undesirable, especially when performing server migrations. Your thoughts and input on this would be fantastic. Kind regards, Chris

Posted by akust0m, 03-24-2015, 05:23 AM
I would also like to add that I am using Plesk 12 on CentOS 6 with Courier and Postfix, if this matters.

Posted by akust0m, 03-24-2015, 05:39 AM
Or is the shared certificate for the server's HTTPS traffic not the default certificate that email uses?

Posted by Atlanical-Mike, 03-24-2015, 05:42 AM
Not sure how Plesk works, but I would say it would. We use domain.com/roundcube and because of that we can use our SSL at https://domain.com/roundcube, but we don't use Plesk.

Posted by akust0m, 03-24-2015, 05:44 AM
Thank you for your reply. I am also using Roundcube; however, in this case I was talking more about secure IMAP/POP/SMTP access, not HTTPS. Or am I mixing web and mail certificates up here? Can a web hosting server only serve one certificate for mail? I've just read this article: http://kb.sp.parallels.com/en/1062 So it looks like I have to set up a security certificate for each of these services (POP/IMAP/SMTP)?
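Chris asks whether the client sends the domain name in the handshake (SNI) and which certificate the IMAP/POP/SMTP services actually present. The probe below answers both questions empirically for a real server. It is an added example, not code from the thread or from Plesk, Courier or Postfix: it uses a raw socket so that the name sent in the TLS ClientHello (`server_hostname`) can differ from the host actually connected to, which `imaplib`/`smtplib` do not allow, and it compares the DER certificate returned for two different SNI names. All host names in it are placeholders; `probe.invalid`, `fetch_mail_cert` and `serves_by_sni` are names chosen here.

```python
"""Probe which TLS certificate a mail server presents for a given SNI name.

Added example (not from the thread, Plesk, Courier or Postfix).  Host names
are placeholders; run it against your own servers, e.g.
    python3 probe.py server1.example.com mail.customer.tld
"""
import socket
import ssl
import sys


def san_names(cert):
    """DNS names from an ssl getpeercert() dict (empty dict -> [])."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def starttls_offered(ehlo_lines):
    """True if the EHLO reply advertises the STARTTLS extension (RFC 3207)."""
    return any(line.strip().upper() == "STARTTLS" for line in ehlo_lines)


def read_smtp_reply(readline):
    """Collect one SMTP reply via readline() -> str; return (code, text_lines).

    Continuation lines look like '250-STARTTLS', the final line like '250 OK'."""
    lines = []
    while True:
        line = readline()
        lines.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def _recv_line(sock):
    """Read one CRLF-terminated line byte by byte, so nothing past it is
    consumed before the socket is handed over to TLS."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        byte = sock.recv(1)
        if not byte:
            raise ConnectionError("server closed the connection")
        buf += byte
    return buf[:-2].decode("ascii", "replace")


def _expect(readline, wanted):
    code, lines = read_smtp_reply(readline)
    if code != wanted:
        raise RuntimeError("expected %d, got %d %s" % (wanted, code, lines))
    return lines


def fetch_mail_cert(host, port, sni, starttls=False, verify=True, timeout=10):
    """Connect, optionally upgrade with SMTP STARTTLS, send `sni` in the TLS
    handshake and return (der_bytes, peercert_dict).

    verify=True checks the chain against the system CA store but not the host
    name, so the certificate comes back even when it is for another name; an
    untrusted chain raises ssl.SSLCertVerificationError, the same condition
    that makes a mail client warn.  verify=False returns the DER but Python
    then gives an empty dict."""
    if verify:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if starttls:
            readline = lambda: _recv_line(raw)
            _expect(readline, 220)                           # greeting
            raw.sendall(b"EHLO probe.invalid\r\n")          # placeholder name
            if not starttls_offered(_expect(readline, 250)):
                raise RuntimeError("%s:%d does not offer STARTTLS" % (host, port))
            raw.sendall(b"STARTTLS\r\n")
            _expect(readline, 220)                           # ready to start TLS
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def serves_by_sni(host, port, name_a, name_b, starttls=False):
    """True when two SNI names get different certificates, i.e. the mail
    service selects certificates by SNI the way HTTPS virtual hosts do."""
    der_a, _ = fetch_mail_cert(host, port, name_a, starttls, verify=False)
    der_b, _ = fetch_mail_cert(host, port, name_b, starttls, verify=False)
    return der_a != der_b


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <server hostname> <customer mail hostname>")
    server, customer = sys.argv[1], sys.argv[2]
    for port, upgrade in ((993, False), (465, False), (587, True)):
        label = "%s:%d%s" % (server, port, " STARTTLS" if upgrade else "")
        try:
            print(label, "SNI-selected:", serves_by_sni(server, port, server, customer, upgrade))
            _, cert = fetch_mail_cert(server, port, customer, upgrade)
            print(label, "names presented for", customer, "->", san_names(cert))
        except (OSError, ssl.SSLError, RuntimeError) as exc:
            print(label, "error:", exc)
```

If `serves_by_sni` reports False on every port while the same server returns different certificates for HTTPS, the mail daemons are ignoring SNI and every customer gets the one host certificate, which is exactly the mismatch warning the thread is about. Port 110/143 with STARTTLS follow the same pattern but with POP3/IMAP command syntax, so they are left out here.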

Posted by Atlanical-Mike, 03-24-2015, 05:56 AM
As long as you have an SSL certificate, I think you can tick the SSL box. I've not used it myself, as I use POP3 as it is.

Posted by ursa-musculus, 03-24-2015, 06:14 AM
What control panel? What email software? For cPanel, the answer is yes - since 11.48: https://documentation.cpanel.net/dis...nage+SSL+Hosts

Posted by akust0m, 03-24-2015, 06:15 AM
Hi James, Plesk 12, Courier & Postfix.

Posted by ursa-musculus, 03-24-2015, 06:17 AM
Sorry - I missed that in your earlier post. Then my reply isn't relevant to you - although it may be to others who find this thread but have a different setup.

Posted by cyberhouse, 03-24-2015, 02:43 PM
Not sure about Plesk, but for DirectAdmin servers we set up SSL on the main hostname of the server and tell people to use that for SSL connections in Outlook.

Posted by akust0m, 03-24-2015, 06:02 PM
Hi cyberhouse, Thank you for your reply. Yeah, this is the way we get some of our customers that have SSL conflict errors to set it up. However, in future, server migrations that alter the hostname will cause these mail setups to fail. Has anyone had any experience in setting up some sort of reverse proxy for mail authentication? This way you could have one universal set of mail servers to log in to for any web hosting server you have, without SSL conflict errors.

Posted by BuzyBee-Kevin, 03-24-2015, 09:20 PM
Mail is sent from the server's host name. If you are using SSL to connect to the server then it will use the host's SSL certificate. A webmail SSL certificate is not installed in the same location as a POP3, IMAP or SMTP certificate; these are installed on the host. All mail that is sent is sent on the client's behalf via the server's host name.

Posted by akust0m, 03-24-2015, 09:31 PM
Hi Kevin, Thank you for your reply. I just find it strange that it hasn't been officially implemented yet so that clients' personal SSL certificates can be used with their mail (like they are with their HTTPS access). To reiterate my main concern, however: I would like a universal mail server address to provide to customers so that they do not get certificate errors when setting up their mail account in Outlook etc. Using the hostname for the mail server in the client's mail program is not good enough, as clients' mail setups would break upon server migrations. This leads to the idea regarding a reverse proxy. You could have a mail server name such as mail.example.com with a shared SSL certificate for *.example.com. When it attempts to authenticate, it searches through a pool of login credentials for all the web hosting servers you have. Has anyone set up something like this before?

Posted by BuzyBee-Kevin, 03-24-2015, 09:44 PM
I understand what you would like to do, but if you want to have a reliable mail service for your customers then you need to purchase an SSL certificate for your servers so that your customers will not get the SSL error. I do not think what you are asking will be a viable solution for a reliable mail system. Every couple of years we purchase a wildcard certificate from Comodo. This certificate secures all our servers so that customers can use SSL to send and receive from the server. It's a very reliable and secure solution for our customers.

Posted by akust0m, 03-24-2015, 09:54 PM
Hi Kevin, I do currently have an SSL certificate installed for my mail services, but it becomes unreliable if they get migrated to a new server, as the server hostname will change and that is what they would be using as their mail server in their mail program. Example: a customer is using server1.example.com as their mail server. The server (server1.example.com) has a certificate for *.example.com. This works great: mail works fine, no certificate errors. Then what if you migrate them to server2.example.com? Their mail program is still referencing server1.example.com as their mail server. How do others get around this issue? Just send everyone a notification prior to the migration that they will need to change their mail server settings to server2.example.com?
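Chris's example above (a customer configured with server1.example.com, a wildcard certificate for *.example.com, then a move to server2.example.com) and Kevin's wildcard recommendation, worked through as an added example that is not from the thread. It implements the dNSName comparison mail clients apply when deciding whether to warn (RFC 6125: case-insensitive, a wildcard only as the whole leftmost label, matching exactly one label) and runs it over constructed certificate data shaped like Python's `ssl` `getpeercert()` output. The host names are placeholders; `name_matches`, `cert_covers` and `client_verdicts` are names chosen here.

```python
"""Which configured mail-server names does a certificate cover?

Added example (not from the thread).  Certificate data below is constructed
in the shape ssl.SSLSocket.getpeercert() returns; host names are placeholders.
"""


def dns_names(cert):
    """SAN dNSNames of a getpeercert() dict; fall back to the subject CN only
    when there are no DNS SANs (legacy behaviour, clients ignore CN otherwise)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn
            if kind == "commonName"]


def name_matches(pattern, host):
    """RFC 6125 section 6.4.3 style comparison.

    '*' is accepted only as the entire leftmost label and matches exactly one
    label, so *.example.com covers server1.example.com but neither example.com
    nor imap.eu.example.com; partial wildcards (f*o.example.com) and wildcards
    directly under a TLD (*.com) are refused, as public CAs and clients do."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]) or len(plabels) < 3:
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def cert_covers(cert, host):
    """True when the client would accept `cert` for a connection to `host`."""
    return any(name_matches(name, host) for name in dns_names(cert))


def client_verdicts(cert, configured_hosts):
    """Map each name a customer might type into Outlook to 'OK' or 'MISMATCH'."""
    return {h: ("OK" if cert_covers(cert, h) else "MISMATCH") for h in configured_hosts}


# Constructed data: the shared wildcard certificate from the thread's example.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

# Constructed data: an old-style certificate with only a CN and no SANs.
CN_ONLY_CERT = {"subject": ((("commonName", "server1.example.com"),),)}

if __name__ == "__main__":
    candidates = [
        "server1.example.com",        # hostname handed out today
        "server2.example.com",        # hostname after the migration
        "mail.example.com",           # the universal name Chris proposes
        "example.com",                # bare domain, covered only by its own SAN
        "imap.eu.example.com",        # two labels under the wildcard
        "mail.customer-domain.tld",   # the customer's own domain: the warning case
    ]
    for host, verdict in client_verdicts(WILDCARD_CERT, candidates).items():
        print("%-28s %s" % (host, verdict))
```

The table this prints makes the thread's trade-off concrete: any name under example.com that the provider controls stays OK before and after the move, so the only thing that has to change on migration is the host name in the customer's client, while a name under the customer's own domain mismatches no matter which server they land on unless that server presents a certificate for that domain.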

Posted by BuzyBee-Kevin, 03-24-2015, 10:48 PM
You should not be migrating accounts within your network unless you absolutely have to. But yes, you would contact the customers that you will be moving and give them a chance to change their email settings. This is something that needs to be planned out and customers informed well in advance. You will keep both accounts running until the customer is fully satisfied and their mail is working fine.

Posted by BestiHost, 03-24-2015, 10:54 PM
When you install an SSL certificate through your host, this doesn't mean the certificate works on the whole website, like example.com:2082 or server.example.com (cPanel doesn't have an SSL certificate; you need to activate the unknown SSL through your browser).

Posted by akust0m, 03-24-2015, 11:12 PM
Hi Kevin, What about when an existing server becomes out of date and you need to move them to something else? Would it be better to move them to another server with the exact same hostname and then turn off the old server, so that email settings wouldn't need to be changed?

Posted by straocomp, 03-24-2015, 11:42 PM
I use InterWorx for my hosting. When I started to learn and ask questions, I ended up installing a server certificate that worked for all the services under InterWorx, which included mail. I have been told, though, that the cert a client installs under their SiteWorx should work for their own mail. I also use Roundcube.

Posted by Apolo, 03-26-2015, 11:23 PM
Thread moved to Hosting Security and Technology from Web Hosting forum.
