How to use Let's Encrypt certificate for Exim and Dovecot

Because it's not really default behaviour. Next to that if you change servers you might get another hostname or might need to change it and then everybody has to change settings again. Lots of users already have problems configuring their email anyway and then they forget what they filled in.
Their own domain name is better to remember than a hostname which does not belong to them.
So it's not as simple as it looks.
 
Hi RayManZ,

I added some domain names to /usr/local/directadmin/conf/ca.san_config but this is not a pretty solution.
I am working on another solution for now. One simple domain name like mailserver.domain.com for people who want to mail with SSL or TLS.

I have not seen any other solution yet. Maybe Martynas (smtalk) is working on another solution.

Regards.
 
I experienced another annoying "problem" with the LE certificates... I myself use Thunderbird and K9 Mail and both programs keep informing me I have to accept a new certificate and this occurs every 2 months. When I click accept the notification is gone, but like I said, 2 months later (when the license is renewed), the message comes again. Partially the cause of this is because the certificate was created for the hostname of my server and not the domains running on the server. But besides that also the start date and end date of the certificate do matter, I guess...?

So, when I think it's annoying, I'm sure my customers think so too (or worse!). That's why I am considering using the old self-signed certificate again... Just accept it once and you're done...
Or does anyone have another, prettier solution?

Danny
 
Well, TB never asks to validate a valid certificate, so I guess you use a different mail server (different from the certificate one), and that's why you get asked to accept it every 3 months.

Ensure to use the right mail server name ;)

Regards
 
Thought so... Then it's the same problem Dennis has... :(

My certificate is only valid for mail.servername.eu, and for almost all hosted domains I use mail.domain.ext for smtp. So yes, TB needs to ask permission to accept the certificate :)
And because I'm not the only user on the server I cannot and will not use mail.servername.eu as the only outgoing mailserver for all domains.

Danny
 
Doesn't Exim support multiple certificates as well? Since DirectAdmin already supports multiple domain names for Exim maybe it will also do separate certificates for those domain names?
 
You can add mail.domain.ext to the certificate request in this file: /usr/local/directadmin/conf/ca.san_config

Just add: ", DNS:mail.domain.ext"
at the end of the line that starts with: subjectAltName

Then just request a new certificate with: /usr/local/directadmin/scripts/letsencrypt.sh request $HOSTNAME 4096

Regards
 
Well no, Dannik is complaining about the mismatch between Cert and Host, and he is saying that all users use mail.domain.ext, so he can just simply add mail.domain.ext in the request form for the server certificate; this will add that "hostname" in the certificate and will prevent TB from always asking to confirm a non-matching certificate.

Regards
 
Hi Sellerone,

My apologies, I should have been more clear on this, but Tristan is right. It would have been better if I typed mail.userdomain.ext instead of mail.domain.ext, because this is what I actually meant...

So I registered a certificate for servername.serverdomain.ext (with all other subdomains that are registered automatically like www, mail, ftp, pop3 and smtp), but when a customer wants to send mail using mail.userdomain.ext, then the problem occurs that the certificate does not match. Like mentioned earlier in this thread in April, surely I can add more domains in the ca.san_config. But then I have to do this all manually and what about all domains that my customers add themselves in DirectAdmin? It's not likely I will see all newly created domains instantly so I can't quickly add them manually to ca.san_config (and I don't want to, actually).
Second possible problem with this "workaround" is that a certificate is limited to 100 names and I can imagine that amount is insufficient for some admins...

So it would be nice if there could become an option to use the certificates for userdomain.ext within Exim (the name mail.userdomain.ext can be found in most LE certificates for userdomains in the end)...

Regards,
Danny
 
Ah ok... I misunderstood again xD

I got your point, I think that for now it is not possible but maybe smtalk will come out with a workaround/fix.

Regards
 
Never mind, can happen :)

I sure hope smtalk will find a workaround/fix :)
(and many others with me I guess)

Regards,
Danny
 
What could the possible locations be of my exim ssl cert? When I connect with Outlook it says my cert is expired, but when I look at the cert in etc/exim.cert it's valid.
Could there be some kind of cache or can it be somewhere else?

Server is mail.thalent.nl
 
Is your cert valid when you test it with SSLLabs? Is outlook using your server-signed certificate or your hostname certificate?
 
I have found a simple solution for using letsencrypt with exim and dovecot.

1) edit /etc/exim.conf

Code:
#tls_certificate = /etc/exim.cert
#tls_privatekey = /etc/exim.key
tls_privatekey = ${if exists{/etc/exim.key.${tls_sni}}{/etc/exim.key.${tls_sni}}{/etc/exim.key}}
tls_certificate = ${if exists{/etc/exim.cert.${tls_sni}}{/etc/exim.cert.${tls_sni}}{/etc/exim.cert}}

2) enable letsencrypt
3) create a letsencrypt certificate and ensure you create it for mail.example.com by checking it in the available domains list in home > SSL Certificate
4) enable EXIM_SNI and DOVECOT_SNI in directadmin.conf
5) enable SNI for the domain mail.example.com in directadmin interface in home > SSL Certificate
6) create symlink in /etc/exim.cert.mail.example.com --> /usr/local/directadmin/data/users/example/domains/example.com.cert.combined
7) create symlink in /etc/exim.key.mail.example.com --> /usr/local/directadmin/data/users/example/domains/example.com.key
8) create both symlinks for all the domains you want to use SSL with
9) service exim restart
10) service dovecot restart
11) cd /usr/local/directadmin/custombuild
12) ./build update
13) ./build dovecot_conf

That's all, you have your domains with SSL cert enabled and when letsencrypt auto-renews they update automatically .cert.combined and .key
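As an added example (not the poster's script), a POSIX shell helper that performs steps 6-8 for any number of domains and shows which file the `${tls_sni}` fallback from step 1 would serve for a given SNI name. It assumes the DirectAdmin and /etc paths used in the thread, made overridable via DATA_DIR and ETC_DIR so it can be dry-run in a scratch directory, and `verify_pair` needs openssl on the PATH.

```shell
#!/bin/sh
# Added example: per-domain cert/key symlinks for Exim SNI (steps 6-8) plus a
# check of the fallback logic from the tls_certificate/tls_privatekey lines.
# Paths default to the ones in the thread; override for a dry run.
DATA_DIR=${DATA_DIR:-/usr/local/directadmin/data/users}
ETC_DIR=${ETC_DIR:-/etc}

# link_mail_cert USER DOMAIN
# Symlink /etc/exim.{cert,key}.mail.DOMAIN to the user's LE-issued files.
# Returns 1 without touching anything if either file is missing, so a typo in
# USER or DOMAIN cannot leave a dangling link that Exim would fall back from.
link_mail_cert() {
    user=$1; domain=$2
    cert="$DATA_DIR/$user/domains/$domain.cert.combined"
    key="$DATA_DIR/$user/domains/$domain.key"
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "missing cert or key for $domain under $DATA_DIR/$user" >&2
        return 1
    fi
    ln -sf "$cert" "$ETC_DIR/exim.cert.mail.$domain"
    ln -sf "$key"  "$ETC_DIR/exim.key.mail.$domain"
}

# resolve_cert SNI_NAME
# Mirror the exim.conf expansion: the per-name file if it exists, else the
# hostname certificate. A name nobody linked silently gets /etc/exim.cert,
# which is exactly the "certificate does not match" prompt seen in the thread.
resolve_cert() {
    if [ -e "$ETC_DIR/exim.cert.$1" ]; then
        echo "$ETC_DIR/exim.cert.$1"
    else
        echo "$ETC_DIR/exim.cert"
    fi
}

# verify_pair DOMAIN
# Confirm the linked cert and key belong together by comparing the public key
# carried in each (works for RSA and EC). Requires openssl.
verify_pair() {
    c=$(openssl x509 -noout -pubkey -in "$ETC_DIR/exim.cert.mail.$1" | sha256sum)
    k=$(openssl pkey -pubout -in "$ETC_DIR/exim.key.mail.$1" 2>/dev/null | sha256sum)
    [ "$c" = "$k" ]
}
```

Run `link_mail_cert example example.com` for each user/domain pair, then `resolve_cert mail.example.com` to confirm the SNI name maps to the per-domain file rather than the hostname certificate.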
 
Just tried the above manual, works great!
When can we expect this in DirectAdmin? We have now many problems with phones that auto select https and it will not work.

Create Symlinks:

Code:
ln -s /usr/local/directadmin/data/users/<USERNAME>/domains/DOMAIN.COM.key /etc/exim.key.mail.DOMAIN.COM
ln -s /usr/local/directadmin/data/users/<USERNAME>/domains/DOMAIN.COM.cert.combined /etc/exim.cert.mail.DOMAIN.COM
 
Just got word back from John they're looking at this implementation:

Code:
tls_certificate=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}}{/etc/exim.cert}}}{/etc/exim.cert}}
tls_privatekey=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}}{/etc/exim.key}}}{/etc/exim.key}}

instead of:
Code:
tls_certificate=/etc/exim.cert
tls_privatekey=/etc/exim.key

But he passed it on to Martynas so let's hope he'll implement this change so we can test it out.
 