Fixing CyberPanel Email: Why SSL Ports Don’t Work by Default (and How to Use Them)

When I first set up CyberPanel’s email stack, I expected secure ports to “just work.” After all, CyberPanel advertises support for SSL/TLS out of the box.

But then I tried connecting through Thunderbird… No SSL. Just connection failures and a whole lot of frustration.

It turns out CyberPanel does install Postfix + Dovecot with the ability to use secure ports — but the default configuration prevents many email clients from recognizing them.

If you’re self-hosting mail on CyberPanel and want secure email connectivity, this guide will hopefully save you hours of troubleshooting.

Understanding the Problem: SSL/TLS Ports Are “Enabled” but Not Fully Configured.

CyberPanel installs:

Secure SMTP ports:

  • 587 – SMTP Submission with STARTTLS
  • 465 – SMTPS (SSL/TLS)

Secure IMAP/POP ports:

  • 993 – IMAPS
  • 995 – POP3S

So what’s the problem?

Dovecot does not explicitly declare these SSL ports.

In /etc/dovecot/conf.d/10-master.conf, CyberPanel’s default config comments out the secure listeners:

inet_listener imaps {
    #port = 993
    #ssl = yes
}

When these lines are commented, Dovecot assumes defaults — but it does not announce SSL services clearly to mail clients.

Thunderbird expects servers to explicitly state:

“Hey, IMAPS is available on port 993.”

Dovecot wasn’t doing that.

So Thunderbird uses this logic:

  1. Test IMAP on port 143 (works, because CyberPanel leaves it enabled)
  2. Test IMAPS on 993 (server does not advertise service → Thunderbird marks it “unavailable”)
  3. Offer only insecure or STARTTLS options

That’s why SSL wouldn’t connect — even though the server technically supported it.

The Fix: Explicitly Enable Secure Ports.

The solution is simple: Tell Dovecot to explicitly listen on the secure ports.

Connect to your server via SSH and open:

nano /etc/dovecot/conf.d/10-master.conf

Modify the IMAP section:

service imap-login {
  inet_listener imap {
    port = 0          # disable plain IMAP (143)
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

Modify the POP3 section:

service pop3-login {
  inet_listener pop3 {
    port = 0          # disable plain POP3 (110)
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

Restart Dovecot:

systemctl restart dovecot

That’s it! Now you can successfully set up your email clients using SSL ports.

Final Result: A Fully Secure, SSL-Only CyberPanel Mail Server.

After the changes above, your server:

  • Forces encryption for IMAP/POP
  • Properly announces secure ports
  • Passes Thunderbird/Outlook auto-configuration
  • Uses correct TLS certificates
  • Eliminates insecure channels

Most importantly:

  • These settings survive reboots
  • CyberPanel will not overwrite them
  • They do not break updates
Share:

Related Posts