Question about configuring Mox as SMTP relay for cPanel #334

edgarnavarro02 opened this issue Apr 14, 2025 · 4 comments
Comments

@edgarnavarro02
I’m trying to use Mox as an outgoing SMTP relay server to send emails from a cPanel server. The goal is for the emails generated by cPanel to be delivered through Mox, taking advantage of its security and delivery features.

I currently have Mox running and listening on port 465 with TLS, but when I try to send mail from cPanel using Mox as a relay, the connection fails due to TLS certificate errors and unrecognized hostnames.

I’ve tried setting up a host allowlist, but I couldn’t find clear documentation on how to properly enable Mox to accept certificates for domains like mail.example.com.

Could you please guide me step by step on how to configure Mox to accept authenticated SMTP connections from cPanel and relay outbound email?

I’d really appreciate your help, and any configuration examples would be very helpful.

Thanks in advance.

@mjl-
Owner

mjl- commented Apr 14, 2025

Hi @edgarnavarro02! I'm not familiar with how email is configured in cpanel. But if I'm understanding this correctly, cpanel is submitting email to mox on TLS port 465 with authentication, but that is failing due to TLS errors. Did you configure a public DNS hostname of mox in cpanel? And can you connect with TLS manually to that mox hostname? E.g. with `openssl s_client -connect yourhostname:465 -verify_return_error`. And did you use ACME for TLS certificates with mox, or are you configuring TLS keys & certs explicitly in mox.conf? TLS verification error messages and mox.conf configuration snippets will help debugging.

@edgarnavarro02
Author

Thank you for the response.

Indeed, cPanel is submitting emails to Mox via port 465 with authentication and TLS. The initial connection is made, but Mox rejects the request during the TLS handshake because the domain used by cPanel to send (e.g., servidorcpanel.com) does not match the public hostname configured in Mox (e.g., mail.example.com).

The goal is to use Mox as an authenticated relay, regardless of whether the authenticating domain differs from Mox’s own hostname. Authentication works, but Mox seems to block the connection because the presented hostname is not in the TLS allowlist.

I'm using automatic ACME certificates, and from the logs, it seems Mox tries to obtain a certificate for the domain presented by cPanel, but since that domain is not allowed, the handshake fails.

Is there a way to allow authenticated connections from other domains, even if they're not in the certificate allowlist? The intention is only to allow authenticated outbound email delivery from cPanel through Mox.

Thanks again for your support.

@mjl-
Owner

mjl- commented Apr 14, 2025

> The initial connection is made, but Mox rejects the request during the TLS handshake because the domain used by cPanel to send (e.g., servidorcpanel.com) does not match the public hostname configured in Mox (e.g., mail.example.com).

This sounds a bit strange. Mox doesn't validate any TLS certificates for incoming TLS connections. It's cPanel that should be doing TLS verification and aborting if mox isn't answering with a valid certificate for the configured hostname. But perhaps the TLS connection is fine and mox is rejecting the submission of the message during the SMTP protocol? mox would do that when the address in the message "From"-header of the submitted message isn't allowed (configured) for the mox account. Mox is not going to accept submissions or try to deliver messages for domains it isn't configured for. So you would have to configure the sending domain in mox, and configure the addresses used in messages (possibly with a wildcard).

> I'm using automatic ACME certificates, and from the logs, it seems Mox tries to obtain a certificate for the domain presented by cPanel, but since that domain is not allowed, the handshake fails.

Can you access the mox installation at all over TLS? Either IMAP on port 993, submission on port 465, HTTPS on port 443.

Please provide some log messages of the errors, or output of openssl s_client invocations that connect to the mox TLS services. It's very time-consuming or even impossible to debug issues without.

@edgarnavarro02
Author

edgarnavarro02 commented Apr 14, 2025

Thank you for your response.

You're right — the TLS handshake is working correctly. The issue is happening after authentication, during the SMTP protocol phase.

To clarify the use case:

I'm trying to send email through Mox as an authenticated relay, using the [email protected] account, but with a MAIL FROM envelope address like [email protected].

When I try to send such messages, Mox rejects them with the following error:

```
550 5.7.1 must match authenticated user (EmwzcmG6LjtXDX_WavPblg)
```

However, when I use an email client like Outlook (authenticating as [email protected] and sending from that same domain), the emails are delivered successfully.

So, the problem occurs only when the sender domain differs from the authenticated user's domain. Is there a way to allow authenticated users to send emails with a different envelope sender domain?

I understand that this is a security measure, but in this case, I do want to allow it for trusted, authenticated users.

```
Reporting-MTA: dns; server.servidorcpanel.com
X-Postfix-Queue-ID: 77D65627A69
X-Postfix-Sender: rfc822; [email protected]
Arrival-Date: Mon, 14 Apr 2025 09:30:47 -0400 (EDT)

Final-Recipient: rfc822; [email protected]
Original-Recipient: rfc822;[email protected]
Action: failed
Status: 5.7.1
Remote-MTA: dns; mail.example.com
Diagnostic-Code: smtp; 550 5.7.1 must match authenticated user (EmwzcmG6LjtXDX_WavPblg)
```

Thanks again!
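The `550 5.7.1 must match authenticated user` rejection above is a submission server refusing an envelope sender the authenticated account is not configured for. The following is an added illustration, not mox's own code: a small model of that check, where an account's sendable addresses may include a domain wildcard (written here as `@domain`, an assumed notation) so that a relay account can send on behalf of a whole domain the server hosts. The account names, addresses and domains are constructed for the example.

```python
"""Model of a submission server's MAIL FROM check (added example, not mox's code).

An authenticated account may only use envelope senders that are configured for
it. A configured entry is either a full address or a wildcard "@domain" that
covers every local part of that domain. In a real server such entries can only
be configured for domains the server itself hosts, which is why the thread's
fix is to add the cPanel sending domain to the server's configuration.
"""
from dataclasses import dataclass, field
import re

ADDR_RE = re.compile(r"^([^@\s]+)@([^@\s]+)$")


@dataclass
class Account:
    name: str
    addresses: list = field(default_factory=list)  # "user@dom" or "@dom"


def parse_addr(addr):
    """Return (localpart, domain) lowercased, or None if not a bare address."""
    m = ADDR_RE.match(addr.strip().strip("<>"))
    if not m:
        return None
    local, domain = m.groups()
    return local.lower(), domain.lower()


def may_send_as(account, mail_from):
    """True if mail_from is one of the account's configured sender addresses."""
    parsed = parse_addr(mail_from)
    if parsed is None:
        return False
    local, domain = parsed
    for entry in account.addresses:
        if entry.startswith("@"):
            if domain == entry[1:].lower():  # domain wildcard
                return True
        elif parse_addr(entry) == (local, domain):
            return True
    return False


def check_mail_from(account, mail_from):
    """SMTP reply the model server gives to MAIL FROM for this account."""
    if parse_addr(mail_from) is None:
        return "501 5.1.7 bad sender address syntax"
    if not may_send_as(account, mail_from):
        return "550 5.7.1 must match authenticated user"
    return "250 2.1.0 sender ok"
```

With `Account("user", ["user@example.com"])` the cPanel sender `cpanel@servidorcpanel.com` gets the 550 from the thread; adding `"@servidorcpanel.com"` to the account's addresses (after the server is configured for that domain) makes the same MAIL FROM accepted.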
