DA 1.52.0 - Let's Encrypt for Secure E-mails

LauwereysM (Verified User, joined Sep 18, 2017, 12 messages)
Hello,

So for a while now I've been struggling with setting up secure e-mails. I would like to use Let's Encrypt for that. I have a VPS which will host multiple website for customers. All of them need an e-mail address. What would be the correct way to set this up?

These are the steps I took:

- Freshly installed server.
Hostname: server.domain.com
Nameservers: ns1.domain.com; ns2.domain.com
Centos 7
Exim 4.83
dovecot 2.2.32
- Update DA to 1.52.0
- Installed CustomBuild 2.0
11 Updates (CB)
- Via users I add a new domain, enabled SSL, and symbolic link
- I create a new email: [email protected]
- Via file editor I add to /usr/local/directadmin/conf/directadmin.conf:
mail_sni=1
letsencrypt=1
- Restart directadmin
- Login as root to vps
cd /usr/local/directadmin/custombuild
./build rewrite_confs
- Update CB
- Users > SSL
- Free & automatic certificate from Let's Encrypt
Common Name: domain.com
E-Mail: [email protected]
Key Size: 4096
Certificate Type: SHA256
domain.com
mail.domain.com
www.domain.com
Certificate for domain.com has been created successfully!
- Checking https://domain.com and it’s working

So far so good. Now when I'm trying Thunderbird, Opera Mail, or Windows 10 Mail it doesn't want to work. It never sees the certificate. So from what I read, the host - in my case server.domain.com - needs a certificate as well (not sure if this is also the case for DA 1.52.0?).

Code:
Checking [email protected]:

looking up MX hosts on domain "poisonmichael.com"

mail.poisonmichael.com (preference:10)
Trying TLS on mail.poisonmichael.com[77.72.145.219] (10):

seconds		test stage and result
[000.109]		Connected to server
[000.423]	<-- 	220 server.poisonmichael.com ESMTP Exim 4.83 Mon, 09 Oct 2017 13:24:09 +0200
[000.424]		We are allowed to connect
[000.424]	 -->	EHLO checktls.com
[000.532]	<-- 	250-server.poisonmichael.com Hello www4.checktls.com [216.68.85.112]
250-SIZE 20971520
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
[000.532]		We can use this server
[000.532]		TLS is an option on this server
[000.532]	 -->	STARTTLS
[000.648]	<-- 	220 TLS go ahead
[000.648]		STARTTLS command works on this server
[000.874]		SSLVersion in use: TLSv1.2
[000.874]		Cipher in use: AES128-SHA256
[000.874]		Connection converted to SSL
[000.876]		
Certificate 1 of 1 in chain:
serialNumber= f7:24:5d:6c:dd:48:bb:07
subject= /C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost
issuer= /C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost
[000.876]		Cert VALIDATION ERROR(S): self signed certificate
[000.876]		So email is encrypted but the recipient domain is not verified
[000.876]		Cert Hostname DOES NOT VERIFY (mail.poisonmichael.com != localhost)
[000.876]		So email is encrypted but the host is not verified
[000.876]	 ~~>	EHLO checktls.com
[000.985]	<~~ 	250-server.poisonmichael.com Hello www4.checktls.com [216.68.85.112]
250-SIZE 20971520
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
[000.985]		TLS successfully started on this server
[000.985]	 ~~>	MAIL FROM:<[email protected]>
[001.093]	<~~ 	250 OK
[001.094]		Sender is OK
[001.094]	 ~~>	RCPT TO:<[email protected]>
[001.209]	<~~ 	250 Accepted
[001.210]		Recipient OK, email address proofed
[001.210]	 ~~>	QUIT
[001.318]	<~~ 	221 server.poisonmichael.com closing connection

I've tried:

https://help.directadmin.com/item.php?id=629
Code:
# cd /usr/local/directadmin/scripts
# ./letsencrypt.sh request your.hostname.com 4096
Domain does not exist on the system. Unable to find server.poisonmichael.com in /etc/virtual/domainowners. Exiting...
# cd /etc/virtual/domainowners
bash: cd: /etc/virtual/domainowners: Not a directory

Then I found https://help.directadmin.com/item.php?id=645 but it looks like adding this to the file /usr/local/directadmin/conf/ca.san_config (which doesn't exist) is an "old method"?

Mail log
Code:
2017-10-09 10:48:01 exim 4.83 daemon started: pid=10735, -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
2017-10-09 10:50:07 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 10:54:45 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 10:59:40 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:02:09 1e1Twv-0002sC-Q2 <= [email protected] U=diradmin P=local S=897 T="New Message: DirectAdmin has been updated" from <[email protected]> for [email protected]
2017-10-09 11:02:09 1e1Twv-0002sC-Q2 ** [email protected] F=<[email protected]>: Unrouteable address
2017-10-09 11:02:09 1e1Twv-0002sK-Rz <= <> R=1e1Twv-0002sC-Q2 U=mail P=local S=1789 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-10-09 11:02:09 1e1Twv-0002sK-Rz => :blackhole: <[email protected]> R=system_aliases
2017-10-09 11:02:09 1e1Twv-0002sK-Rz Completed
2017-10-09 11:02:09 1e1Twv-0002sC-Q2 Completed
2017-10-09 11:03:01 1e1Txl-0002st-KP <= [email protected] U=diradmin P=local S=917 T="New Message: A system issue requires your attention" from <[email protected]> for [email protected]
2017-10-09 11:03:01 1e1Txl-0002st-KP ** [email protected] F=<[email protected]>: Unrouteable address
2017-10-09 11:03:01 1e1Txl-0002sx-Ll <= <> R=1e1Txl-0002st-KP U=mail P=local S=1809 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-10-09 11:03:01 1e1Txl-0002sx-Ll => :blackhole: <[email protected]> R=system_aliases
2017-10-09 11:03:01 1e1Txl-0002sx-Ll Completed
2017-10-09 11:03:01 1e1Txl-0002st-KP Completed
2017-10-09 11:04:12 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:08:57 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:13:40 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:18:29 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:22:58 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:27:59 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:33:21 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:38:25 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:39:23 1e1UWx-0001P1-VX <= [email protected] U=diradmin P=local S=1962 T="Your account for poisonmichael.com is now ready for use." from <[email protected]> for [email protected]
2017-10-09 11:39:24 1e1UWx-0001P1-VX => reseller <[email protected]> F=<[email protected]> R=localuser T=local_delivery S=2098
2017-10-09 11:39:24 1e1UWx-0001P1-VX Completed
2017-10-09 11:39:24 1e1UWy-0001P6-09 <= [email protected] U=diradmin P=local S=1989 T="Creator Duplicate: Your account for poisonmichael.com is now ready for use." from <[email protected]> for [email protected]
2017-10-09 11:39:24 1e1UWy-0001P6-09 => admin <[email protected]> F=<[email protected]> R=localuser T=local_delivery S=2129
2017-10-09 11:39:24 1e1UWy-0001P6-09 Completed
2017-10-09 11:43:17 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:48:18 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:53:14 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:58:08 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])

DNS
Code:
Name                    Type    Value
ftp                     A       77.72.145.219   
mail                    A       77.72.145.219   
ns1.poisonmichael.com.  A       77.72.145.219   
ns2.poisonmichael.com.  A       77.72.145.219   
poisonmichael.com.      A       77.72.145.219   
pop                     A       77.72.145.219   
smtp                    A       77.72.145.219   
www                     A       77.72.145.219   
poisonmichael.com.      NS      ns1.poisonmichael.com.  
poisonmichael.com.      NS      ns2.poisonmichael.com.  
poisonmichael.com.      MX      10 mail 
poisonmichael.com.      TXT     "v=spf1 a mx ip4:77.72.145.219 ~all"

So my guess is the first steps I took are ok. But for e-mails to work I have to enable the certificate on the host? Also what settings should I have in CustomBuild? I left everything as default: http://prntscr.com/gv4u50

Kind regards,
Michael
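The checktls output above fails on exactly one point: the certificate the server presents does not name the host the client connects to (mail.poisonmichael.com), so clients reject it even though the chain may be fine. The following is an added example, not code from the thread or from DirectAdmin: it does the same name comparison a TLS client does (SAN dNSName entries, CN only as a fallback, one-label wildcards) against certificates in the dict shape Python's `getpeercert()` returns, and `check_starttls()` runs it live over STARTTLS on port 587 for every name your users are told to use. The sample certificates are constructed from the thread; the port and the assumption that the CA chain must already verify are mine.

```python
import smtplib
import ssl


def san_matches(hostname, san_name):
    """Match one hostname against one dNSName entry the way a TLS client does:
    case-insensitive, exact match, or a single '*' covering exactly one
    leftmost label (so *.example.com covers mail.example.com but not
    example.com or a.b.example.com)."""
    host = hostname.lower().rstrip(".")
    pattern = san_name.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return host == pattern


def cert_names(cert):
    """Names a client may match against, from a cert in the dict form that
    ssl.SSLSocket.getpeercert() returns: every SAN dNSName, or the subject
    CN only when the certificate carries no SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def missing_names(cert, expected):
    """Return every expected hostname the certificate does not cover (empty list = OK)."""
    names = cert_names(cert)
    return [h for h in expected if not any(san_matches(h, n) for n in names)]


def check_starttls(host, port=587, expected=None, timeout=10):
    """Live check against a real server: EHLO, STARTTLS, then compare the
    presented certificate against every name clients are told to use.
    The chain is still verified against the system CA store, so a self-signed
    certificate raises ssl.SSLCertVerificationError, the same condition
    checktls reported as 'self signed certificate'."""
    expected = expected or [host]
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we compare several names ourselves below
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()  # populated only because the chain was verified
    return missing_names(cert, expected)


# Constructed certificates in getpeercert() shape, modelled on the thread:
# the hostname-only Let's Encrypt cert, the cert after "DNS:mail.poisonmichael.com"
# was added to subjectAltName, and the initial self-signed CN=localhost cert.
HOSTNAME_ONLY_CERT = {
    "subject": ((("commonName", "server.poisonmichael.com"),),),
    "subjectAltName": (("DNS", "server.poisonmichael.com"),),
}
FIXED_CERT = {
    "subject": ((("commonName", "server.poisonmichael.com"),),),
    "subjectAltName": (("DNS", "server.poisonmichael.com"), ("DNS", "mail.poisonmichael.com")),
}
SELF_SIGNED_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "localhost"),)),
}

# The names mail clients in this thread are configured with.
CLIENT_NAMES = ["mail.poisonmichael.com", "server.poisonmichael.com"]

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:
        # usage: python check_mail_cert.py <connect-host> [expected-name ...]
        missing = check_starttls(sys.argv[1], expected=sys.argv[2:] or None)
        print("OK" if not missing else f"not covered by certificate: {missing}")
    else:
        print("hostname-only cert misses:", missing_names(HOSTNAME_ONLY_CERT, CLIENT_NAMES))
        print("fixed cert misses:", missing_names(FIXED_CERT, CLIENT_NAMES))
        print("self-signed cert names:", cert_names(SELF_SIGNED_CERT))
```

Run it with the connect host plus every name in your DNS that clients might use (mail, smtp, pop, the server hostname); each one reported back is a name that still has to go into the certificate's subjectAltName.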
 
Hello Michael,

Try

Code:
echo `hostname` >> /etc/virtual/domains

or


Code:
echo server.poisonmichael.com >> /etc/virtual/domains

and try letsencrypt script once more.
 
I'm struggling with the same problem. The certificate that I receive is the server certificate and not the domain certificate.
I have been following this new feature: https://www.directadmin.com/features.php?id=2019

One of the problems I see is that you cannot do this with Let's Encrypt. LE wants to validate you as the owner for the domain but when I check the box for "pop3.domain.com" then it cannot be validated because the website pop3.domain.com does not exist. So how can I generate LE certificates for mail?
 
I don't see a "server" dns record for server hostname in the DNS settings, is that correct? Also: have you enabled exim=true in custom build options? Your exim version is 2-3 years old! The latest version is 4.89. :)
 
So the command of zEitEr was working. But then again I ran into another problem of not finding a file. I re-installed the server again and this time I installed Let's Encrypt on the host BEFORE I installed it on the domain. No problems this time around.

I checked my e-mail again on https://www.checktls.com/perl/live/TestReceiver.pl and it was complaining about:
Code:
[000.993]       Cert Hostname DOES NOT VERIFY (mail.poisonmichael.com != server.poisonmichael.com | DNS:server.poisonmichael.com)
[000.993]       So email is encrypted but the host is not verified

I found a thread and tried it:
Code:
# vi /usr/local/directadmin/conf/ca.san_config
Add: ", DNS:mail.poisonmichael.com" at the end of the line that starts with: subjectAltName
./letsencrypt.sh request server.poisonmichael.com 4096

And this was working fine! I tried the test on checktls.com and no more problems.

However, when I'm trying to add my e-mail account on Thunderbird it keeps telling me: "Thunderbird failed to find the settings for your email account." Something I had since the beginning.

Screenshot: http://prntscr.com/gvohky

I've tried it also by changing it to STARTTLS. (These were the automatically detected settings: http://prntscr.com/gvoh8k)

Also on Opera Mail, I can add my account with SSL options selected but when I try to send a mail it does nothing. It stays in the outbox folder. Receiving mails is not a problem.

And the strange thing is. When I try Windows 10 Mail with SSL options selected it sends mails without a problem.

vi /var/log/maillog:
Code:
2017-10-10 16:58:57 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data ([email protected])
2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:05:28 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data ([email protected])
2017-10-10 17:12:10 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data ([email protected])
2017-10-10 17:14:08 login authenticator failed for (User) [37.49.224.201]: 535 Incorrect authentication data (set_id=postmaster)
2017-10-10 17:18:52 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data ([email protected])
2017-10-10 17:25:32 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data ([email protected])
2017-10-10 17:32:06 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data ([email protected])
2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
2017-10-10 17:38:45 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data ([email protected])
2017-10-10 17:39:01 1e1wcX-00025Y-5T <= [email protected] U=diradmin P=local S=1000 T="New Message: Brute-Force Attack detected in service log from IP(s) 218.65.30.251 on User(s) root" from <[email protected]> for [email protected]
2017-10-10 17:39:01 1e1wcX-00025Y-5T ** [email protected] F=<[email protected]>: Unrouteable address
2017-10-10 17:39:01 1e1wcX-00025c-7i <= <> R=1e1wcX-00025Y-5T U=mail P=local S=2305 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-10-10 17:39:01 1e1wcX-00025c-7i => :blackhole: <[email protected]> R=system_aliases
2017-10-10 17:39:01 1e1wcX-00025c-7i Completed
2017-10-10 17:39:01 1e1wcX-00025Y-5T Completed
2017-10-10 17:45:24 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data ([email protected])
2017-10-10 17:49:25 plain authenticator failed for (avdlhckueo) [185.110.241.27]: 535 Incorrect authentication data ([email protected])
2017-10-10 17:49:25 login authenticator failed for (avdlhckueo) [185.110.241.27]: 535 Incorrect authentication data ([email protected])
2017-10-10 17:51:54 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data ([email protected])

SMTP protocol synchronization error? Hmm, on Stack Overflow I found the following:

Judging from the error log entry, your mail client 10.7.2.137 is trying to establish a secure (TLS) connection but your Exim server is not expecting it.

Most probably, TLS is not configured properly in your Exim configuration file. You can refer to http://www.exim.org/exim-html-curre...-encrypted_smtp_connections_using_tlsssl.html for tutorial.

The solution is, therefore, to edit your Exim configuration file, making sure TLS certificates are defined and tls_advertise_hosts is set; and then restart Exim.

I feel like this is a simple fix somehow?

Kr
Michael
 
Missing break lines? Missing final break line?

Via file editor I add to /usr/local/directadmin/conf/directadmin.conf

Missing enable_ssl_sni=1 in directadmin.conf ?

If not... then ready to provide more details and debug ?

Code:
./build options
?
Code:
./build version | grep -i installed
?
Code:
/usr/local/directadmin/directadmin c | grep sni
?
Code:
grep ^tls_ /etc/exim.variables.conf
?
Code:
cat /etc/virtual/snidomains
?
Code:
ls -la /etc/dovecot/conf/sni/
?
 
enable_ssl_sni=1 was not there I've added it but same result :eek:

And there is a line break at the end (had this problem before :D)

./build options
Code:
Apache: 2.4.28
mod_ruid2: 0.9.8
ModSecurity: no
Dovecot: 2.2.32
Dovecot configuration: no
AWstats: no
Exim: 4.89
exim.conf update: no
BlockCracking: no
Easy Spam Fighter: no
SpamAssassin: 3.4.1
SpamAssassin rule updates: daily
ClamAV: no
MySQL: no
MySQL backup: yes
MySQL backup directory: /usr/local/directadmin/custombuild/mysql_backups
MySQL compress backups: no
PHP (default): 7.1 as mod_php
phpMyAdmin: 4.7.4-all-languages
ProFTPD: no
Pure-FTPd: 1.0.46
RoundCube webmail: 1.3.1
Replace "php.ini" with './build all' and './build php_ini': no
Auto updates/notifications: no
Run "clean" every time: yes
Run "clean_old_webapps" every time: yes
Run "clean_old_tarballs" every time: yes
Show texts in bold: yes
SquirrelMail: no
Zend Guard Loader: no
ionCube loader: no
Suhosin: no

./build version | grep -i installed
Code:
[root@server custombuild]# ./build version | grep -i installed
[root@server custombuild]# ./build version
2.0.0 (rev: 1734)

/usr/local/directadmin/directadmin c | grep sni
Code:
enable_ssl_sni=1
mail_sni=1

grep ^tls_ /etc/exim.variables.conf
Code:
grep: /etc/exim.variables.conf: No such file or directory


cat /etc/virtual/snidomains
Code:
[root@server etc]# cat /etc/virtual/snidomains
cat: /etc/virtual/snidomains: No such file or directory

[root@server etc]# cd virtual
[root@server virtual]# ls
bad_sender_hosts     blacklist_senders       domains       limit_unknown      pophosts         skip_rbl_domains  user_limit         whitelist_hosts
bad_sender_hosts_ip  directadmin.transip.us  limit         majordomo          pophosts_user    usage             whitelist_domains  whitelist_hosts_ip
blacklist_domains    domainowners            limit.rpmnew  poisonmichael.com  skip_av_domains  use_rbl_domains   whitelist_from     whitelist_senders

ls -la /etc/dovecot/conf/sni/
Code:
[root@server virtual]# ls -la /etc/dovecot/conf/sni/
ls: cannot access /etc/dovecot/conf/sni/: No such file or directory


[root@server virtual]# cd /etc/dovecot
[root@server dovecot]# ls
conf  conf.d  dovecot.conf  README
[root@server dovecot]# cd conf
[root@server conf]# ls
imap_mail_plugins.conf  limits.conf  lmtp_mail_plugins.conf            mail_plugins.conf  ssl.conf
ip.conf                 lmtp.conf    mail_max_userip_connections.conf  protocols.conf

I hope this helps?

Kr
Michael
 
Please make sure the hostname is in /etc/virtual/domains, but not in /etc/virtual/domainowners.
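The thread keeps circling back to the same handful of prerequisites: mail_sni=1, letsencrypt=1 and enable_ssl_sni=1 in directadmin.conf, a trailing newline on that file, and the server hostname listed in /etc/virtual/domains but not claimed in /etc/virtual/domainowners. This added example (my code, not DirectAdmin's or the thread's) checks all of them offline so they can be verified before running letsencrypt.sh; the sample file contents are constructed to mirror the first post, and the `domain: user` line format assumed for domainowners is my assumption.

```python
from pathlib import Path

# The three directadmin.conf switches this thread ends up needing for
# per-domain mail certificates (mail_sni, letsencrypt, enable_ssl_sni).
REQUIRED_DA_SETTINGS = {"mail_sni": "1", "letsencrypt": "1", "enable_ssl_sni": "1"}


def parse_kv(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_directadmin_conf(text):
    """Return a list of problems with the directadmin.conf contents (empty = OK)."""
    problems = []
    settings = parse_kv(text)
    for key, wanted in REQUIRED_DA_SETTINGS.items():
        got = settings.get(key)
        if got is None:
            problems.append(f"{key}={wanted} is missing")
        elif got != wanted:
            problems.append(f"{key}={got}, expected {key}={wanted}")
    # The "missing final break line" symptom from the thread: a last line
    # without a trailing newline is easy to produce in the DA file editor.
    if text and not text.endswith("\n"):
        problems.append("file does not end with a newline")
    return problems


def check_hostname_registration(hostname, domains_text, domainowners_text):
    """letsencrypt.sh needs the server hostname listed in /etc/virtual/domains,
    while /etc/virtual/domainowners (assumed 'domain: user' per line) must not claim it."""
    problems = []
    domains = {line.strip() for line in domains_text.splitlines() if line.strip()}
    if hostname not in domains:
        problems.append(f"{hostname} is not listed in /etc/virtual/domains")
    owners = {line.partition(":")[0].strip() for line in domainowners_text.splitlines() if ":" in line}
    if hostname in owners:
        problems.append(f"{hostname} is owned by a user in /etc/virtual/domainowners")
    return problems


def check_server(hostname, da_conf="/usr/local/directadmin/conf/directadmin.conf",
                 domains="/etc/virtual/domains", domainowners="/etc/virtual/domainowners"):
    """Run both checks against the live files (paths are the ones named in the thread)."""
    return (check_directadmin_conf(Path(da_conf).read_text())
            + check_hostname_registration(hostname, Path(domains).read_text(),
                                          Path(domainowners).read_text()))


# Constructed sample contents mirroring the first post: letsencrypt=1 and
# mail_sni=1 added, enable_ssl_sni missing, no trailing newline, and the
# hostname not yet appended to /etc/virtual/domains.
SAMPLE_DA_CONF = "letsencrypt=1\nmail_sni=1"
SAMPLE_DOMAINS = "poisonmichael.com\n"
SAMPLE_DOMAINOWNERS = "poisonmichael.com: reseller\n"

if __name__ == "__main__":
    for p in check_directadmin_conf(SAMPLE_DA_CONF) + check_hostname_registration(
            "server.poisonmichael.com", SAMPLE_DOMAINS, SAMPLE_DOMAINOWNERS):
        print("PROBLEM:", p)
```

On the server itself, `check_server("server.example.com")` run as root reads the real files and returns the same kind of list.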
 
But how to generate a Let's Encrypt SSL certificate for a hostname that does not have a website? I want my mail users to connect to their own pop3.domain.com hostname for receiving mail. But when I generate a LE certificate the "pop3" hostname gives an error because it cannot be validated.

My certificates work fine for the ones that do generate. I can test this at https://certlogik.com/ssl-checker/ by entering "www.domain.com:995" in the test field. But "pop3.domain.com:995" fails because that name is not on the certificate.

[edit] As a workaround I have created a web-subdomain for the pop3 hostname and generated the certificate again. Now my pop3 users do get a valid certificate.
 
@Freddy, Are you talking about the server hostname? If so, just do:

Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request server.hostname.com 4096
 
Michael,

I hope this helps?

Kr
Michael


Run this:

Code:
service directadmin restart

cd /usr/local/directadmin/custombuild
./build clean
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set dovecot_conf yes
./build exim_conf
./build dovecot_conf

echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
 
@ditto, No, the server hostname is not a problem. It's a customer domain name. In theory, this should work for all customer domain names.
 
I understand. But you mention they need a website to get Let's Encrypt ssl certificate, but that is not needed if you have letsencrypt=1 in directadmin.conf (that is the recommended setting). All that is needed is to add an A record for the domain or subdomain, both with and without www. You do not need to create a "web-subdomain".
 
Run this:

Code:
service directadmin restart

cd /usr/local/directadmin/custombuild
./build clean
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set dovecot_conf yes
./build exim_conf
./build dovecot_conf

echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue

Executed that but still facing the same problem. Maybe it's something DNS related?

Exim log:
Code:
2017-10-13 17:04:28 H=166.62.124.177.static.horizonstelecom.com.br (server.poisonmichael.com) [177.124.62.166] rejected EHLO or HELO server.poisonmichael.com: Bad HELO - Host impersonating hostname [server.poisonmichael.com]

My reversed DNS is set to server.poisonmichael.com

DNS:
Code:
Name                    Type    Value
ftp                     A       77.72.145.219
mail                    A       77.72.145.219
ns1.poisonmichael.com.  A       77.72.145.219
ns2.poisonmichael.com.  A       77.72.145.219
poisonmichael.com.      A       77.72.145.219
pop                     A       77.72.145.219
server                  A       77.72.145.219
smtp                    A       77.72.145.219
www                     A       77.72.145.219
poisonmichael.com.      NS      ns1.poisonmichael.com.
poisonmichael.com.      NS      ns2.poisonmichael.com.
poisonmichael.com.      MX      10 mail
poisonmichael.com.      TXT     "v=spf1 a mx ip4:77.72.145.219 ~all"

Kr,
Michael
 
Michael,

The error:

Code:
rejected EHLO or HELO server.poisonmichael.com: Bad HELO - Host impersonating hostname [server.poisonmichael.com]
hardly has anything to do with DNS.

You should not use the same hostname on 177.124.62.166 if you have it on 77.72.145.219. The hostnames should differ, e.g.:


server.poisonmichael.com and server2.poisonmichael.com
 
Michael,

The error:

Code:
rejected EHLO or HELO server.poisonmichael.com: Bad HELO - Host impersonating hostname [server.poisonmichael.com]
hardly has anything to do with DNS.

You should not use the same hostname on 177.124.62.166 if you have it on 77.72.145.219. The hostnames should differ, e.g.:


server.poisonmichael.com and server2.poisonmichael.com

I don't even know where that IP (177.124.62.166) comes from. I just have one VPS (77.72.145.219) that uses poisonmichael.com. Would the "rejected EHLO" error be the main cause I can't send e-mails? Or is there an other log I can check?

Kr
Michael
 
If the IP 177.124.62.166 is not the one you use to connect to your server, then you should ignore it for now at least. It's not related to your issue.

So to recap...

- a cert for main domain valid - checked here:
https://ssl-tools.net/mailservers/poisonmichael.com
- a cert for hostname is valid too - checked here: https://ssl-tools.net/mailservers/server.poisonmichael.com

So what is not working now? What error do you have on a client side?
 
So what is not working now? What error do you have on a client side?

So on Thunderbird:
Adding new e-mail address: [email protected]

It automatically searches for the settings and comes up with:
Incoming: IMAP, mail.poisonmichael.com, STARTTLS
Outgoing: SMTP, smtp.poisonmichael.com, No Encryption
Username: michael

It should use some sort of security so I manually change it to:

Incoming: IMAP, mail.poisonmichael.com, port 993, SSL/TLS, Normal password
Outgoing: SMTP, mail.poisonmichael.com, port 465, SSL/TLS, Normal password
Username: (in and outgoing) [email protected]

When I test this config Thunderbird tells me: "Thunderbird failed to find the settings for your email account."

On Opera Mail:

I add the e-mail and set:

Incoming: mail.poisonmichael.com
Outgoing: mail.poisonmichael.com
And both set to "Use secure connection (TLS)"

When I try to send an e-mail it shows connecting at the bottom and then shows nothing with the mail still in the outbox, no message.

On Windows Mail however it does send the e-mail.

I'm not really sure what is going on anymore :p I tried so many things now.

Kr,
Michael
 
Ok so I figured out what the problem was. The weird thing was that Windows Mail was working, but Thunderbird and Opera Mail wasn't. After some looking around it seemed that on:

Thunderbird:
In the "Account Settings" it has a section called "Outgoing Server (SMTP)" and if you did a lot of testing with different e-mail accounts it stores them all in there. When I set the outgoing server to mail.domain.com:587 instead of mail.domain.com | 587 | STARTTLS | Normal password it was letting me use the account. Then in the "Outgoing Server (SMTP)" section I edited the default server with the correct login, and everything was working.

Opera Mail:
This was pretty easy, if you enabled TLS when creating your account in Opera it uses port 25 as default. For a lot of VPN hosts this port is blocked due to spam so I had to manually set it to 587 and it worked.

I'll post a reply with all the steps I did to get the mail up and running for those who are struggling with this setup.

Thanks to all of you for the help. Great community!

Kr,
Michael
 
These are the steps I took to get everything to work:

Note that all of the commands are executed via ROOT. Use su root to login. And it's done on a freshly installed server.


Updates
Visit the server via IP:2222

Do the latest update via Licensing / Updates > Update DirectAdmin.
You will get a message once it’s finished.


CustomBuild 2.0
Install CustomBuild 2.0 via the Plugin Manager.
URL: http://www.custombuild.eu/plugin/custombuild.tar.gz

Enter the Admin’s password.

Add Plugin.

You will now see a CustomBuild 2.0 option under Extra Features.

Note: Do not do the updates yet. We will change some options.


Administrator Settings
Here we have to make sure the nameservers are set correctly. Mostly like:
ns1.domain.com
ns2.domain.com

Not: ns1.server.domain.com

Save these changes.


CustomBuild 2.0
Go to Edit Options.
Choose a PHP version you want.

Mail Settings:
exim > yes
eximconf > yes
eximconf_release > 4.5 (or higher)
sa_update > daily
dovecot > yes
dovecot_conf > yes

Save the changes.

Update Software > Update all

Note: This can take a while.


Domain
Domain Administration
Add Another Domain
Domain: domain.com
Secure SSL


DNS
Go to DNS Management

Add:
server A > record > Server IP
domain.com > PTR > v=DMARC1; p=none

For testing you can set the TTL to 60 (1 min)


Enable Let’s Encrypt
First make sure server.domain.com (your hostname) is reachable and shows: “Apache is functioning normally”.

Under the Admin Level go to File Editor.

Select a file to edit: /usr/local/directadmin/conf/directadmin.conf

Show File

Before you can edit this file you have to unlock it by entering the ROOT password and pressing the Authenticate button.

Once you’ve done that go to the file again and add:
mail_sni=1
letsencrypt=1

Note: Make sure there is a space on the last line!

Save the file.
Restart Directadmin via Service Monitor.

Add the /.well-known Alias:
Code:
cd /usr/local/directadmin/custombuild
./build rewrite_confs

If you now check SSL Certificates under the User Level section it should show the option:
Free & automatic certificate from Let's Encrypt. We are not going to use this yet.


Create a certificate for the host
We are now going to set a certificate for our host (server.domain.com).

Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request server.domain.com 4096

To not get the error below you have to add the mail server to the ca.san_config file.

Error:
Code:
Cert Hostname DOES NOT VERIFY (mail.domain.com != server.domain.com | DNS:server.domain.com)
So email is encrypted but the host is not verified

Edit the ca.san_config file.

Code:
vi /usr/local/directadmin/conf/ca.san_config

Add: ", DNS:mail.domain.com" at the end of the line that starts with: subjectAltName (Use ESC > :wq to save)

Then create the certificate again.

Code:
cd /usr/local/directadmin/scripts
./letsencrypt.sh request server.domain.com 4096

Note: it will show “Getting challenge for mail.domain.com from acme-server…”


Create an email address
Under the User Level section go to E-Mail Accounts and create a new email address.

You can test your certificate with: https://www.checktls.com/perl/live/TestReceiver.pl

Note: Everything should be OK (green)


Install DKIM
Download:

Code:
cd /etc
wget -O exim.dkim.conf http://files.directadmin.com/services/exim.dkim.conf

Restart exim.

Enable it by adding dkim=1 to the /usr/local/directadmin/conf/directadmin.conf file.

Restart Directadmin.

At this point, any domain created after the change should have the DKIM keys created, and dns zones updated. For existing domains, you can either enable it individually for each domain, one-by-one:

Code:
cd /usr/local/directadmin/scripts
./dkim_create.sh domain.com

Or you can enable it for all of your domains like this:

Code:
echo "action=rewrite&value=dkim" >> /usr/local/directadmin/data/task.queue

Restart your server.

You can test your mail with: http://www.mail-tester.com


Mail clients
Thunderbird:
When adding your account use the SMTP mailserver mail.domain.com:587
When your account is added go to the settings and edit the Outgoing Server (SMTP) option with the correct login details.

Opera Mail:
When adding your account with TLS option make sure in the Account settings it's using port 587 and not port 25 (default)


I hope this helps some people out.

Kind regards,
Michael
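An added check (example code, not from the thread or from DirectAdmin) for the "Cert Hostname DOES NOT VERIFY" situation above: it fetches the SMTP certificate over STARTTLS on 587 or implicit TLS on 465, still validates the chain against the system CA store, and then reports whether the name the mail client dialled (mail.domain.com) is actually in the certificate's SAN list, which is what the ca.san_config edit fixes. The two sample certificate dicts are constructed for offline use; `server.domain.com` and `mail.domain.com` are the placeholder names from the guide.

```python
"""Report which DNS names an SMTP server's certificate covers.

Added example, not part of the original thread. The sample certs below
are constructed to mirror the guide's before/after ca.san_config state.
"""
import smtplib
import ssl


def names_in_cert(cert: dict) -> list:
    """DNS names from a getpeercert()-style dict. Only the SAN list counts:
    clients ignore the CN once a subjectAltName extension is present."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def host_matches(hostname: str, cert: dict) -> bool:
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    host = hostname.lower().rstrip(".")
    for name in names_in_cert(cert):
        if name == host:
            return True
        # "*.domain.com" covers mail.domain.com but not domain.com or a.b.domain.com
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def fetch_smtp_cert(hostname: str, port: int = 587) -> dict:
    """Fetch the peer certificate as a dict. The chain is verified against the
    system CA store (Let's Encrypt is trusted there); the hostname check is
    left to host_matches() so a mismatch is reported instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we report the name mismatch ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # but still refuse an untrusted chain
    if port == 465:                      # implicit TLS (SMTPS)
        with smtplib.SMTP_SSL(hostname, port, context=ctx, timeout=10) as s:
            return s.sock.getpeercert()
    with smtplib.SMTP(hostname, port, timeout=10) as s:  # 587: STARTTLS
        s.starttls(context=ctx)
        return s.sock.getpeercert()


# Constructed sample: host cert before mail.domain.com was added to ca.san_config.
HOST_ONLY_CERT = {"subject": ((("commonName", "server.domain.com"),),),
                  "subjectAltName": (("DNS", "server.domain.com"),)}
# Constructed sample: the same cert after the SAN fix.
FIXED_CERT = {"subject": ((("commonName", "server.domain.com"),),),
              "subjectAltName": (("DNS", "server.domain.com"), ("DNS", "mail.domain.com"))}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    live = fetch_smtp_cert(host, port)
    print("OK" if host_matches(host, live) else "MISMATCH", names_in_cert(live))
```

Run it against your own server as `python3 checkcert.py mail.domain.com 587` (or port 465); a MISMATCH with only `server.domain.com` listed is exactly the case the ca.san_config edit resolves.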
 