Let's Encrypt - Not working for mail

sky (Verified User, joined Nov 12, 2004)
Hello

The mail.domain.com never seems to have a valid SSL certificate.

I tried creating the certificate from the command line with:
Code:
./letsencrypt.sh request domain.com 4096

I tried with the SSL section of the DA interface.

The certificate always has a certificate name mismatch.
For example, with mail.hope.ajk-hosting.com:
hope.ajk-hosting.com is the server name.

But it's the same problem with or without hope. ...

You can check it out here: https://www.sslshopper.com/ssl-checker.html#hostname=mail.hope.ajk-hosting.com

The simple domains work fine.
So do sub-domains most of the time.
But not the mail part.

Another question is: how can I properly clean up the SSL for a domain? By this I mean: remove it completely. Do I have to delete all the .cert, .key, etc. files manually?

Thanks for any help.
 
Dovecot and Exim (so, the mail servers) still don't have the functionality for SSL certificates on a per-domain basis; this functionality will be included in the next release, which should come out in the next few days.

Regarding your second question, a new certificate overwrites the previous one. If you want to manually delete it (I don't see the point, but OK) you need to manually remove the files, but that may create issues with the configurations, so I really discourage that.

Best regards
 
Hello

OK, I'll wait for a few days.
Thank-you for your reply.
 
Hello

OK, I have generated the Let's Encrypt SSL again for my desired domain (ajkholdings.net).
I have added dovecot_sni=1 and exim_sni=1
and done a conf rewrite for Dovecot and Exim.

I still have an error for the mail subdomain mail.ajkholdings.net
error: https://www.sslshopper.com/ssl-checker.html#hostname=mail.ajkholdings.net

Thanks for all help :)
The SSL is working great for Apache, but this email thing is a pain, because this error is far worse than a self-signed SSL certificate: all email clients do not like SSL errors and will NOT stop nagging about it :)
 
Hello

I added dovecot_sni=1 and exim_sni=1.
I figured that meant DA would work all that stuff out on its own.
Is that not the case?
I know it's beta, but still.
 
The Exim one, yes; it is still in beta, and you can use the script that is in the thread I linked to you.

For dovecot you can use this: https://www.directadmin.com/features.php?id=1889

For existing domains, once you have enabled dovecot_sni=1 you need to run:
Code:
echo "action=rewrite&value=dovecot_sni" >> /usr/local/directadmin/data/task.queue
And let CB rewrite the confs for the new dovecot options with:
Code:
/usr/local/directadmin/custombuild/build dovecot_conf

Best regards
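
The following is an added example of the check behind the "Certificate name mismatch" the SSL checker keeps reporting; it is my code, not from this thread, DirectAdmin or letsencrypt.sh. It tests whether the hostname a mail client uses appears in the certificate's subjectAltName list (an exact entry or a single-label wildcard, the rule browsers and mail clients apply), and includes a helper that fetches that list from a live server while sending the name as SNI. The SAN list in the demo is constructed; the ports and STARTTLS protocols in the comments are the usual ones and an assumption, not taken from the thread.

```shell
#!/bin/sh
# Added example: not code from the thread, DirectAdmin or letsencrypt.sh.
# Checks whether the hostname a mail client connects to is covered by the
# certificate's subjectAltName list. A host that is not covered is exactly the
# "Certificate name mismatch" the SSL checker reports and mail clients nag about.

# san_matches HOST "DNS:a.example, DNS:*.example"
# The second argument is the subjectAltName line as "openssl x509 -text" prints
# it. Returns 0 (true) when HOST equals one DNS entry or is covered by a
# single-label wildcard entry (*.example covers mail.example, not a.b.example).
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # one name per line, "DNS:" prefix removed, other SAN types (IP, email) dropped
    names=$(printf '%s' "$2" | tr ',' '\n' \
            | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | tr 'A-Z' 'a-z')
    found=1
    set -f   # keep "*.example" literal while the shell splits $names
    for name in $names; do
        if [ "$name" = "$host" ]; then
            found=0; break
        fi
        case "$name" in
            \*.*)
                suffix=${name#\*.}
                case "$host" in
                    *."$suffix")
                        label=${host%".$suffix"}
                        case "$label" in
                            ''|*.*) ;;            # empty or multi-label: no match
                            *) found=0; break ;;  # exactly one label: match
                        esac ;;
                esac ;;
        esac
    done
    set +f
    return $found
}

# live_sans HOST PORT [STARTTLS_PROTO]
# Prints the subjectAltName list the server at HOST:PORT presents when the
# client sends HOST as the SNI name. Needs network access and openssl, so it is
# only defined here and not run by the demo below. Assumed usage (the usual
# ports and protocols, not taken from the thread):
#   live_sans mail.ajkholdings.net 993          # IMAPS
#   live_sans mail.ajkholdings.net 587 smtp     # submission with STARTTLS
live_sans() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -servername "$1" -starttls "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
    fi | openssl x509 -noout -text 2>/dev/null \
       | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# Constructed sample: a certificate whose SANs cover only the bare domain and
# www, which is one way to end up with the mismatch reported in the thread.
SAMPLE_SANS='DNS:ajkholdings.net, DNS:www.ajkholdings.net'

# report HOST SANS: one line per host, exit status is san_matches' result
report() {
    if san_matches "$1" "$2"; then
        printf 'OK        %s\n' "$1"
    else
        printf 'MISMATCH  %s (not covered by: %s)\n' "$1" "$2"
        return 1
    fi
}

for h in ajkholdings.net www.ajkholdings.net mail.ajkholdings.net; do
    report "$h" "$SAMPLE_SANS" || :
done
```

Once dovecot_sni and exim_sni are active, running live_sans against the mail hostname on the IMAPS and submission ports shows what the server really hands out with SNI; if the DNS: entries still do not cover the name the clients use, the mismatch is in the certificate, not in the mail client.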
 
...
The SSL is working great for Apache, but this email thing is a pain, because this error is far worse than a self-signed SSL certificate: all email clients do not like SSL errors and will NOT stop nagging about it :)

I agree with this.
You think you do 'good' by providing a safe(r) email environment, but when people see the 'Can't confirm identity' or 'Not Trusted' errors pop up every time in their mail programs, that safety image goes out the window very fast.

It makes hosters look like hacks in the eyes of their clients, because it looks like they don't have their 'sht' together.
This hack here is having issues with some clients as well.
 
It's up to you to configure your server with autodiscover and autoconfig to suggest a valid domain with SSL/TLS installed for users to connect to from their mail programs. DirectAdmin has no solution for this as of yet.
 
It's good that the help page exists now. Yes, I saw this example on the internet and I've got a working solution based on it (it covers autodiscover and autoconfig).

Thanks for your input.
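
As an added example of the autoconfig half of that advice (my code, not DirectAdmin's and not from this thread): a shell function that emits a Thunderbird-format autoconfig document telling clients of a hosted domain to connect to the one hostname that has a valid certificate. The domain and server names come from the thread's examples, but that hope.ajk-hosting.com is the name carrying the valid certificate, and the ports 993 (SSL) and 587 (STARTTLS), are assumptions; Outlook's autodiscover is a separate, POST-based exchange and is not covered here.

```shell
#!/bin/sh
# Added example: not code from the thread or from DirectAdmin.
# Emits a Thunderbird autoconfig document (the format Thunderbird fetches from
# http://autoconfig.<domain>/mail/config-v1.1.xml) that points every mailbox of
# DOMAIN at MAILHOST, the one name that actually has a valid certificate, so the
# client never connects to mail.<domain> and never sees the name mismatch.
# Ports 993/SSL and 587/STARTTLS are the usual values and an assumption here.
#
# autoconfig_xml DOMAIN MAILHOST
autoconfig_xml() {
    domain=$1
    mailhost=$2
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
  <emailProvider id="$domain">
    <domain>$domain</domain>
    <displayName>$domain mail</displayName>
    <displayShortName>$domain</displayShortName>
    <incomingServer type="imap">
      <hostname>$mailhost</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>$mailhost</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
EOF
}

# Demo with the thread's names. That hope.ajk-hosting.com (the server name) is
# the host with the valid certificate is an assumption for this demo.
autoconfig_xml ajkholdings.net hope.ajk-hosting.com
```

Thunderbird looks for this document at http://autoconfig.<domain>/mail/config-v1.1.xml, and also under /.well-known/autoconfig/mail/config-v1.1.xml on the domain itself, so one small vhost (or alias) per hosted domain that serves the generated file is enough; the hostname users type into the account wizard is their address, and the client quietly connects to the name that passes the certificate check.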
 
Hello
Thanks for your answers.
So it's not exactly as I thought. :)
I'll try this out and get something working, then report back.
I still think a valid SSL certificate is something that needs to exist for the email server without going into all this, IMHO.

See you soon
 