Dovecot SSL not trusted/no SNI

Freddy

I have Let's Encrypt certificates installed on my DirectAdmin server. This was never any problem and everything worked fine. Since last Tuesday my certificates renewed automatically, and since that time Dovecot is giving problems. When I use a phone to read my e-mail through POP3 or IMAP it says that the certificate is not trusted. Googling around, I think that this is a problem with the CA certificate.

I've checked my certificate using: https://certlogik.com/ssl-checker/
It tells me that my certificate is not trusted. All other tests are fine.

My Dovecot.conf says:
ssl_cert = </etc/httpd/conf/ssl.crt/server.crt
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
ssl_key = </etc/httpd/conf/ssl.key/server.key

In that same /etc/httpd/conf/ssl.crt folder is also a server.ca file present. So I added the following line to the Dovecot.conf file:

ssl_ca = </etc/httpd/conf/ssl.crt/server.ca

After restarting Dovecot the ssl-checker on certlogik says everything is fine and the certificate is now trusted. Hurray!

But... after testing mail on the phone again I get another error telling me the hostname is invalid for this certificate. The certificate is for my server hostname (like: server01.hoster.com) and my clients connect with their own hostname (like: imap.clientdomain.com). Is this an SNI problem? If yes, how to solve this from Dovecot?
 
I now see that there is a new feature: https://www.directadmin.com/features.php?id=1889

This is probably why my default configuration stopped working. I think this is a bug because this feature shouldn't be broken after a DA update! It seems that the CA certificate is not part of the Dovecot certificate by default.

I will now try to enable dovecot_sni to see if that resolves my problem.
 
I have followed the instructions on https://www.directadmin.com/features.php?id=1889 to get SNI working for Dovecot, but I have failed (or the instructions have failed).

How to manually check if everything is in the right place? Certificate locations, Dovecot config file pointing to the right location, that kind of stuff.
 
Is there nobody who can tell me more about this problem?

I really want to get rid of the certificate error for my clients when they use their own domain name.
 
I made a workaround by using the server's certificate instead of the standard settings like mail.customer.com; now I use e.g. serv12.serverdomain.com.
 
I also had issues with this untrusted certificate stuff with a few users of mine which I mistakenly had given a secure mail environment. Or so I thought.
Every time a certificate got renewed, their mail program showed a not trusted error.

Edit: I also started telling clients to use the server hostname as mail-server instead.

Also, emails sent by users were sometimes simply not being delivered, without any error notice, at other (Dutch / KPN) mail providers who have very strict DMARC/DKIM policies.

But after the latest DA update and following the steps of rebuilding Exim and Dovecot, most of the problems went away and Exim/Dovecot seem to properly handle the certificates now.
No complaints of emails that haven't been delivered anymore, and also my server is seen as trusted in the DMARC reports I'm getting.
https://dmarcian.com/dmarc-xml/
 
That's all depending on your setup. After you enabled the Dovecot SNI you need to re-issue Let's Encrypt certs if they originally miss mail., pop., smtp. as common names. The feature does not automatically update your certs to include all those sub-domains.

I've installed the feature and re-issued certs for my users and clients, and none of them reported any problem.
 

I think that the biggest problem is that my Dovecot is not using the domain certificate but the server certificate instead. I have enabled SNI, so it should be using the domain certificate, am I right? But when I check the certificate using this tool, the certificate's Common Name (CN) is my server name.
 
Do you see your domain in /etc/dovecot/conf/sni/ ?

The tool does not show a valid cert for my server either. This way

Code:
openssl s_client -starttls imap -connect domain.com:143 -servername domain.com

I see a valid cert from my domain.com.
 

The /etc/dovecot/conf location does not even exist. The closest I have is /etc/dovecot/dovecot.conf and a readme file.
I tried your openssl command and it showed me my server certificate and not a domain certificate.

I'm running Dovecot version 2.2.29.1 on CentOS 6.0 64-Bit with DirectAdmin version 1.51.3.
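The openssl probe quoted above, scripted so its result is classified into the two symptoms this thread describes (an untrusted chain when the CA file is not served, and the server hostname being presented for a customer's mail name when SNI is not working). This is an added example, not code from the thread or from DirectAdmin; the host names in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: classify `openssl s_client` output.
# Host names used here (imap.clientdomain.com, server01.hoster.com) are
# constructed placeholders.

# classify_s_client HOSTNAME  (reads `openssl s_client` output on stdin)
# Prints one of: ok, untrusted, wrong-name, no-cert.
#   untrusted  : chain did not verify, e.g. code 21 "unable to verify the
#                first certificate" when the intermediate CA is not served
#                (the ssl_ca symptom from the first post)
#   wrong-name : chain verifies, but the leaf CN is not HOSTNAME (the SNI
#                symptom: the server cert is served for a customer's name)
classify_s_client() {
    want=$1
    out=$(cat)
    # leaf subject CN; handles both "subject=CN = x" and "subject=/CN=x"
    cn=$(printf '%s\n' "$out" | sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' \
         | sed 's/ *$//' | head -n 1)
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' \
           | head -n 1)
    [ -n "$cn" ] || { echo no-cert; return 3; }
    [ "$code" = "0" ] || { echo untrusted; return 1; }
    # exact match, or a wildcard CN covering exactly one label
    case $cn in
        "$want") echo ok; return 0 ;;
        \*.*)    [ "${want#*.}" = "${cn#\*.}" ] && [ "${want%%.*}" != "$want" ] \
                     && { echo ok; return 0; } ;;
    esac
    echo wrong-name; return 2
}

# probe HOST PORT [SNI]: STARTTLS on 143 as in the thread, implicit TLS otherwise.
# Without -servername, OpenSSL 1.1.1+ still sends the -connect host as SNI.
probe() {
    host=$1; port=$2; sni=$3
    set -- -connect "$host:$port"
    [ "$port" = 143 ] && set -- "$@" -starttls imap
    [ -n "$sni" ] && set -- "$@" -servername "$sni"
    printf 'a LOGOUT\r\n' | openssl s_client "$@" 2>/dev/null
}

# Usage: ./check_imap_sni.sh imap.clientdomain.com [143|993]
if [ -n "$1" ]; then
    echo "$1: $(probe "$1" "${2:-143}" "$1" | classify_s_client "$1")"
fi
```

Run it against a customer's mail name: "wrong-name" means Dovecot picked the server certificate for that SNI name (check /etc/dovecot/conf/sni/), "untrusted" means the chain is incomplete regardless of SNI.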
 
After reviewing the instructions I see that the command ./build dovecot_conf is not working for me. I'm using custombuild 1.2.41.
I have considered updating to custombuild 2 but I don't like risking my production server to failure.
 

So the conclusion is that SNI for Dovecot (https://www.directadmin.com/features.php?id=1889) is not working?
I don't really get it because my clients never had any problems connecting until DirectAdmin updated to version 1.51. Didn't Dovecot use SSL before that update?

Freddy, I have the same problem. I know what your problem is and I also want a solution as soon as possible.
This is a bug. SNI at Dovecot is not working. You are right.

I don't have the solution, but I'm also searching.

mail.domain.com is using the server certificate, not the domain certificate. For that reason clients can't connect on some devices or get SSL errors.

I'm using:
DirectAdmin 1.53.0
Dovecot 2.3.1 (8e2f634)
Custombuild 2.0.0 (rev: 1864)
 