I need to purchase and install SSL certificates for mail SSL encryption on more than one cPanel account.
Currently you can only install one globally for the entire server.
Currently, if you want to use SNI for mail services on any name that is not a web domain on the account (so for example, mail.example.org where an account web domain is example.org), you have to use a wildcard certificate.
Installing a certificate with a SAN of mail.example.org is not sufficient to make Exim et al. respond to an SNI request for mail.example.org. This is because the mail.example.org name does not appear in the mail SNI map.
Probably not ideal now that we have wildcard-less CAs like Let's Encrypt getting popular.
Current Workarounds
There is currently no way to persistently modify the Mail SNI map (/etc/mail_sni_map), which informs the listening services on how to negotiate SNI.
A workaround is to modify the Exim (and other service) configs to read from another database for additional SNI names. This is potentially forwards-incompatible and a pain to manage.
Proposed Solution
When installing a certificate, cPanel should read the SANs out of the certificate and install them into any relevant SNI configurations.
In version 60 we've adjusted the way that SNI is handled, and mail. is now created by default in order to accomplish this. We've also ensured that any certificate added through AutoSSL will include mail. support, and that it is configured to work with all SNI enabled services. For that reason, I'm going to go ahead and mark this request as resolved. If you need anything else, or have any other questions, please feel free to reach out to me!
This is a must for us. We have a lot of domains hosted with us and I hate that the SSL mail server that clients see is the server's hostname.
Per domain SSL mail servers would be excellent.
This is a more specific case of this feature request:
http://features.cpanel.net/responses/ssl-certificate-per-domain-on-all-services
Since the more general feature request has so many more upvotes and comments, I strongly encourage folks to throw their weight behind it instead. :)
We just create the subdomain mail.example.org and install the ssl cert on it and it works for us.
I agree, however, that if a cert has a SAN for mail.example.org, cPanel could detect this and install it automatically. But then what should cPanel do if the mail.example.org subdomain is created?
Sure. I think put more simply, an ambiguity could arise if there are competing certificates for the same name.
Perhaps the winner could be the one that has the name as the primary CN (not a SAN). Or more naively, whichever the server software finds first in the certificate bundle.
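As an added illustration of the two points above (the original post's note that a name only gets SNI service if it appears in the mail SNI map, and this comment's question of which certificate should win when several cover the same name), here is a small model of that selection logic. It is example code written for this page, not cPanel's implementation: the `Cert` type, the policy names `prefer_cn` and `first_in_bundle`, and the sample bundle are all assumptions made for the example.

```python
"""Model of building a mail-SNI name map from a certificate bundle.

Example code for this thread, not cPanel's own code.  The Cert type, the
policy names and the sample bundle below are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    cert_id: str          # label for the certificate (e.g. its file name)
    cn: str               # subject CN
    sans: tuple = ()      # dNSName entries of the subjectAltName extension


def matches(pattern: str, name: str) -> bool:
    """Case-insensitive DNS-ID match.  A '*' may only stand for one whole
    left-most label, so *.example.org covers mail.example.org but covers
    neither example.org nor a.b.example.org."""
    pattern, name = pattern.lower(), name.lower()
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]                       # ".example.org"
    if not name.endswith(suffix):
        return False
    head = name[:-len(suffix)]                 # label the '*' must cover
    return head != "" and "." not in head


def rank(cert: Cert, name: str) -> Optional[int]:
    """Lower is better; None means the cert does not cover the name.
    Tiers: exact CN (0), exact SAN (1), wildcard CN (2), wildcard SAN (3)."""
    ids = ((cert.cn, False), *((san, True) for san in cert.sans))
    best = None
    for dns_id, is_san in ids:
        if not matches(dns_id, name):
            continue
        r = (2 if dns_id.startswith("*.") else 0) + (1 if is_san else 0)
        best = r if best is None else min(best, r)
    return best


def choose(certs, name: str, policy: str = "prefer_cn") -> Optional[str]:
    """Pick the certificate that should answer SNI for `name`.
    'prefer_cn'       : most specific match wins; ties go to bundle order.
    'first_in_bundle' : first certificate covering the name wins (the naive
                        behaviour mentioned in the comment above)."""
    covering = [(rank(c, name), i, c) for i, c in enumerate(certs)]
    covering = [t for t in covering if t[0] is not None]
    if not covering:
        return None                            # name absent from the map
    if policy == "first_in_bundle":
        return min(covering, key=lambda t: t[1])[2].cert_id
    return min(covering, key=lambda t: (t[0], t[1]))[2].cert_id


def build_sni_map(certs, names, policy: str = "prefer_cn") -> dict:
    """Name -> cert_id mapping, in the spirit of a mail SNI map."""
    return {n: choose(certs, n, policy) for n in names}


# Constructed sample bundle (not real certificates).
BUNDLE = (
    Cert("wildcard", "*.example.org", ("*.example.org",)),
    Cert("web", "example.org", ("example.org", "www.example.org", "mail.example.org")),
    Cert("mailsub", "mail.example.org", ("mail.example.org",)),
)

if __name__ == "__main__":
    names = ["example.org", "mail.example.org", "smtp.example.org", "a.b.example.org"]
    for policy in ("prefer_cn", "first_in_bundle"):
        print(policy, build_sni_map(BUNDLE, names, policy))
```

With the sample bundle, `prefer_cn` hands mail.example.org to the certificate whose CN is that name, while `first_in_bundle` hands it to the wildcard simply because it is listed first; a.b.example.org is covered by nothing, which is the "name not in the SNI map" case from the original post.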