Issue with SSL with Custom Hostnames

Hello! So I just bought my account yesterday and am using my own personal test domain, so this isn’t a pressing issue but I was hoping to figure out what is going wrong before I move over my main email domains. I set up my DNS MX records for talanda.cloud and my CNAME records to route my domain mail.talanda.cloud and webmail.talanda.cloud to my appropriate mail server per the custom hostname tutorial (I’m on the arrow server). My server itself has a wildcard set from Let’s Encrypt for talanda.cloud and *.talanda.cloud so initially, the SSL settings under the Portal dashboard were set to “use server’s certificates” and I changed it to Let’s Encrypt for mail and webmail only. I then waited for it to propagate, tested the mail & webmail settings, and at this point I believe both mail and webmail worked on https (with mail just giving that apache is functioning message and webmail routing securely to roundcube).

So then I wanted to use Crossbox as my main webmail, so I followed that tutorial which changed both mail.talanda.cloud and webmail.talanda.cloud to mail.mxlogin.com in DNS. After that processed, I noticed the mail subdomain going to a page that said “That host is not allowed” on http, and https not working because it gave a BAD CERT error, where it says the cert found is only for mail.mxlogin.com. Adding an exception for that, it gives the same error on https. On webmail, the http version auto redirects to https, but the https also gives that same ssl bad cert error. Adding an exception again, the page loads but then the mail gives a loading error. After messing with that for a while I gave up and wanted to confirm the basic setup was at least still working, and I reverted mail and webmail back to the main arrow server directly. After that, webmail is back to working over https (for roundcube) but mail still doesn’t work on https (even though I understand that it’s not meant to be viewed with a browser but that confirms the cert isn’t applying), and the http version is back to saying apache is functioning rather than that host is not allowed.

For additional detail on Crossbox, I did go in and make an admin@talanda.cloud account, I went and customized the branding, it did the test on checking the mail.talanda.cloud domain validity and approved & put my custom branding live. So all of that DID work, and I do see it when I went to webmail.talanda.cloud when I did have the DNS set as such, but the lack of the mail actually loading was obviously a deal breaker.

So I can go back and forth on my DNS settings (I’m using porkbun which has a super low TTL of 300 so it’s not that bad trying to make changes) and would be happy to try to walk through and figure out what caused this and what I need to do to resolve. I wonder if it was the swap from SSL settings from use server to let’s encrypt or something that went wrong in that. I saw another thread where jarland said fixing the issue involved recreating the whole account - since this is my test personal domain I have no problem redoing it if that’s the case, but I really do need to know what went wrong with all of this so I can pull over my more important domains successfully. I think I went over all my steps but please let me know if I can clarify and provide more information anywhere.

So there’s two different paths on some of the branding. The initial mail/webmail subdomain with its CNAME set to the server hostname as described here is what I think of as the primary: https://mxroutehelp.com/index.php/2019/08/25/custom-webmail-pop-imap-smtp-domain/

When you do that, you point the mail subdomain to the server that hosts your email with us, and the mail subdomain is then used only for IMAP/POP/SMTP (not any web service). The webmail subdomain is then used for Roundcube.

There’s another branding option that can be done as an alternative to the webmail subdomain there, or as an additional branding for a different subdomain altogether of your choice (allowing you to have both, if you want), which is to create a branded webmail for Crossbox (being another piece of software that we license for you to use): https://mxroute.com/docs/branding-crossbox/

I would recommend keeping your “mail” subdomain on the primary server that hosts your email (whateverserver.mxrouting.net), and then either putting the webmail subdomain on Crossbox (mail.mxlogin.com) with the guide in that second link above, or keeping your webmail on the servername.mxrouting.net server and having another altogether for Crossbox.

It’s kind of a choose your own adventure for what route you want to go, but I’m unfamiliar with the concept of using two different subdomains on the same domain to point to Crossbox.

Hope that makes sense. There’s a lot to unpack because there are different combinations of how you could do this.

It does look like Crossbox supports two hostnames, one for webmail and one for SMTP/IMAP/POP. If you set the mail subdomain in the “SMTP/IMAP/POP3” host field, I wouldn’t expect that to work via http/https, but only for SMTP/IMAP/POP.

Crossbox isn’t hosted on your own server: it’s hosted on a different server (mail.mxlogin.com), and the cert it presents isn’t going to be valid for custom addresses. Roundcube actually is hosted on your own server (arrow.mxrouting.net) so webmail works with tls certs for that server.

So my advice would be to keep pointing both mail.talanda.cloud and webmail.talanda.cloud to arrow.mxrouting.net (so that you can use your own domain in your email client and for roundcube) and use mail.mxlogin.com to access crossbox.

Also, mail.<custom-domain> always gives that apache message if pointed correctly. Don’t use that for anything apart from configuring IMAP and SMTP servers.

Thank you also for your reply!

That makes sense and reminds me of some additional information I should have mentioned. I initially left mail to point to arrow and had only changed webmail to point to the mxlogin domain, but when I went to enter that information into the admin -> branding section of crossbox itself, it gave me an error which is why I had to go back and also change mail as well. The error was when I tried to click save to the branding changes, I guess it checked DNS and said mail didn’t have a cname for mxlogin and therefore it didn’t save.

What I just did right now was add email[dot]talanda[dot]cloud to cname mail[dot]mxlogin[dot]com and right now, of course, it says ‘that host is not allowed’ when navigating to the page because I haven’t had the branding changes with crossbox applied yet. These are the settings I have in crossbox:

Host: email[dot]talanda[dot]cloud - it says this is the hostname where end users would access webmail
SMTP/IMAP/Email: mail[dot]talanda[dot]cloud - this time this is still pointing to arrow instead of mxlogin in my dns settings

When I try to save that, it gives me an error that says "mail[dot]talanda[dot]cloud does not have a cname or A record pointing to mail.mxlogin.com", so it seems like this is an issue with Crossbox not letting me save without changing both records & amplifies my confusion.

Oh, one more question, on the mail subdomain thing - I thought that following the primary guide and adding ssl for both webmail and mail subdomains would make them both work over https, even though mail isn’t actually meant to use port 80/443. I was looking at that just to verify that the cert was being properly applied but it seems regardless it gives a bad domain cert error and that’s expected?

Oh I see! I thought that it HAD to be the same cname! I just set it to email as well and it did allow me to save. I’ll check back in a few hours to see if it works with ssl and if the branding changes are still applied.

And noted on the mail subdomain - I thought including it in the SSL details would make https work, even if it just still showed the same ‘apache is functioning correctly’ message but good to understand that regardless I can disregard that issue.

Thanks for the response.

I am referring to this thread about crossbox branding: Can I Access CrossBox from a Custom Hostname? and this official tutorial: https://mxroute.com/docs/branding-crossbox/

So you’re saying that while I can set up webmail to point to mail mxlogin I can’t have it work over ssl and that is expected? It auto-redirects to https so I don’t see why there would be tutorials on this and questions answered if it isn’t actually supposed to fully work? I think I am misunderstanding something.

And yes, I was trying to specify that the apache message is supposed to be there but when pointing it to mxlogin, it gave a different “that host is not allowed” message instead to show something was amiss.

Just as a resolution and FYI for anyone else who stumbles upon this question in the future - changing my subdomain to ‘email’ for both the Host & SMTP/IMAP details under Branding did work. After 5 hours of waiting to see if the SSL would update, and knowing this was not on MXRoute’s end at all, I ended up tweeting Crossbox to ask if there was something I needed to do to get the SSL to update.

They said:
“The ssl cert should work now. It seems that the service that restarts needed processes didn’t reload the web server config.”

So I checked back & voila, it does in fact now work.

Just for added clarity - I want to note that I did not need to change anything configuration-wise related to my SSL certs within the MXRoute portal - those are still set, per the official instructions, to secure the ‘mail’ and ‘webmail’ subdomains & the only thing needed to get Crossbox custom hostname working was to:

  • add a new CNAME entry in DNS for another subdomain (I used ‘email’)
  • wait for that to propagate - you’ll see the error “that host is not allowed” when navigating to the new subdomain when it’s directing correctly
  • adjust the Admin > Branding section within the Crossbox Webmail page to include your new subdomain as both the Host & the SMTP/IMAP mail hostnames
  • wait a few hours for SSL to update (& maybe bug Crossbox on Twitter :sweat_smile:)

Of course, the above process may change if Crossbox changes any of their settings & it’s wholly not on MXRoute so don’t bug jarland like I had.

Thank you!
(I moved this nested reply to an answer so it’s easier to see)
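The two checks the posters above ended up doing by hand (does the custom subdomain CNAME to the right host, and does the certificate that host presents actually cover the custom name) can be scripted. The block below is an added example, not code from this thread, MXRoute or Crossbox. It models jarland’s point that the cert on mail.mxlogin.com is only valid for that name until Crossbox issues one for your subdomain, and the resolution steps in the post above: the "dns-ok-cert-pending" state is exactly the “that host is not allowed” page plus BAD CERT that the original poster saw while waiting. All hostnames, CNAME targets and SAN lists in the sample data are constructed; the resolver and SAN-fetch callables are pluggable so the same logic can be pointed at real DNS and a live TLS endpoint.

```python
"""Classify where a branded-webmail hostname is in the CNAME -> cert workflow.

Added example (not the thread's, MXRoute's or Crossbox's code). Sample DNS and
SAN data below are constructed; swap in real lookups for live use.
"""
import socket
import ssl
from typing import Callable, Iterable, List, Optional, Set

# Constructed sample DNS: name -> CNAME target (None = no CNAME, A record only).
SAMPLE_CNAMES = {
    "email.example.test": "mail.mxlogin.com",       # new Crossbox subdomain
    "webmail.example.test": "arrow.mxrouting.net",  # Roundcube on own server
    "mail.example.test": "arrow.mxrouting.net",     # IMAP/POP/SMTP only
}

# Constructed sample SANs as each server presents them before Crossbox reissues.
SAMPLE_SANS = {
    "mail.mxlogin.com": ["mail.mxlogin.com"],
    "arrow.mxrouting.net": ["arrow.mxrouting.net", "*.example.test", "example.test"],
}


def follow_cname(name: str, lookup: Callable[[str], Optional[str]], max_hops: int = 8) -> str:
    """Return the final target of a CNAME chain (or the name itself if it has none)."""
    seen: Set[str] = set()
    current = name.rstrip(".").lower()
    for _ in range(max_hops):
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        target = lookup(current)
        if target is None:
            return current
        current = target.rstrip(".").lower()
    raise ValueError(f"CNAME chain for {name} longer than {max_hops} hops")


def san_matches(hostname: str, san: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or '*' as the whole leftmost label only."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if "*" not in san:
        return hostname == san
    san_labels, host_labels = san.split("."), hostname.split(".")
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False  # partial or non-leftmost wildcards are not accepted
    if len(san_labels) != len(host_labels) or len(san_labels) < 3:
        return False  # a wildcard covers exactly one label and never a bare TLD
    return san_labels[1:] == host_labels[1:]


def cert_covers(hostname: str, sans: Iterable[str]) -> bool:
    """True if any SAN entry is valid for hostname."""
    return any(san_matches(hostname, san) for san in sans)


def branding_status(hostname: str, expected_target: str,
                    lookup: Callable[[str], Optional[str]],
                    fetch_sans: Callable[[str], List[str]]) -> str:
    """dns-not-pointed / dns-ok-cert-pending / ready, for a custom webmail name."""
    target = follow_cname(hostname, lookup)
    if target != expected_target.rstrip(".").lower():
        return f"dns-not-pointed: resolves to {target}, expected {expected_target}"
    if not cert_covers(hostname, fetch_sans(hostname)):
        # DNS is right (the host answers, e.g. "that host is not allowed") but the
        # cert is still only for the server's own name: browsers report BAD CERT.
        return "dns-ok-cert-pending"
    return "ready"


def sample_fetch_sans(hostname: str) -> List[str]:
    """SANs the sample server behind hostname would present (constructed data)."""
    return SAMPLE_SANS[follow_cname(hostname, SAMPLE_CNAMES.get)]


def live_sans(hostname: str, port: int = 443) -> List[str]:
    """Fetch DNS SANs from a live endpoint, sending hostname as SNI.

    The chain is still CA-validated; only the hostname check is disabled, because
    that check is what branding_status() performs itself via san_matches().
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for name, target in (("email.example.test", "mail.mxlogin.com"),
                         ("webmail.example.test", "arrow.mxrouting.net"),
                         ("mail.example.test", "mail.mxlogin.com")):
        print(name, "->", branding_status(name, target, SAMPLE_CNAMES.get, sample_fetch_sans))
```

For a live check, pass a resolver that returns the CNAME target for a name (a thin wrapper around whatever DNS library you use; that wrapper is assumed, not shown) together with `live_sans`. Re-running until the status flips from "dns-ok-cert-pending" to "ready" is a less painful way to wait out the certificate issuance than reloading the page, and the wildcard rules in `san_matches` explain why a `*.example.test` cert on your own server covers `webmail.example.test` while a cert for `mail.mxlogin.com` can never cover it.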

Or do, not gonna ruin my day :wink:

Thanks talandaw! This was very helpful for me, as I assumed that the SSL cert was coming from MXRoute’s Let’s Encrypt. I’m now patiently waiting for Crossbox to provide the custom subdomain with an SSL certificate.

To make this more clear to others, I think in Step 9 of the Branding Crossbox documentation, instead of stating, “You’re done! Visit the URL you picked, and enjoy!” It could instead say that Crossbox will need some time to update your subdomain with an SSL certificate, so please wait a few hours before visiting the URL you picked.

Edit: Still waiting for the cert 21 hours later. I don’t mind waiting but am wondering how long I should wait before I can safely conclude that it’s simply not going to update the SSL!

Huh, going through Jarland’s reply and earlier posts makes me realise I was wrong. Apologies, it wasn’t my intention to mislead. :slight_smile:

That field doesn’t have to be mail. You can have both fields list the same value. So in this case you’d set the “email” subdomain in both. Now keep in mind if you’re setting DNS and then setting the branding settings quickly after, it will be several hours before Crossbox is able to get an SSL certificate signed for it.

Not a problem at all, thank you very much for trying to assist :slight_smile:

Aye, the subdomain you use for IMAP/POP/SMTP you can expect to not work over http/https. At least, unless we’re talking about Crossbox and you’ve entered the same subdomain in both fields for their branding, then it would.