Thread: DA 1.52.0 - Let's Encrypt for Secure E-mails

  1. #1 (Join Date: Sep 2017, Posts: 12)

    DA 1.52.0 - Let's Encrypt for Secure E-mails

    Hello,

    So for a while now I've been struggling with setting up secure e-mails. I would like to use Let's Encrypt for that. I have a VPS which will host multiple websites for customers. All of them need an e-mail address. What would be the correct way to set this up?

    These are the steps I've taken:

    - Freshly installed server.
    Hostname: server.domain.com
    Nameservers: ns1.domain.com; ns2.domain.com
    Centos 7
    Exim 4.83
    dovecot 2.2.32
    - Update DA to 1.52.0
    - Installed CustomBuild 2.0
    11 Updates (CB)
    - Via users I add a new domain, enabled SSL, and symbolic link
    - I create a new email: test@domain.com
    - Via file editor I add to /usr/local/directadmin/conf/directadmin.conf:
    mail_sni=1
    letsencrypt=1
    - Restart directadmin
    - Login as root to vps
    cd /usr/local/directadmin/custombuild
    ./build rewrite_confs
    - Update CB
    - Users > SSL
    - Free & automatic certificate from Let's Encrypt
    Common Name: domain.com
    E-Mail: email@gmail.com
    Key Size: 4096
    Certificate Type: SHA256
    domain.com
    mail.domain.com
    www.domain.com
    Certificate for domain.com has been created successfully!
    - Checking https://domain.com and it’s working

    So far so good. Now when I'm trying Thunderbird, Opera Mail, or Windows 10 Mail, it doesn't want to work. It never sees the certificate. So from what I've read, the host - in my case server.domain.com - needs a certificate as well (not sure if this is also the case for DA 1.52.0?).

    Code:
    Checking test@poisonmichael.com:
    
    looking up MX hosts on domain "poisonmichael.com"
    
    mail.poisonmichael.com (preference:10)
    Trying TLS on mail.poisonmichael.com[77.72.145.219] (10):
    
    seconds		test stage and result
    [000.109]		Connected to server
    [000.423]	<-- 	220 server.poisonmichael.com ESMTP Exim 4.83 Mon, 09 Oct 2017 13:24:09 +0200
    [000.424]		We are allowed to connect
    [000.424]	 -->	EHLO checktls.com
    [000.532]	<-- 	250-server.poisonmichael.com Hello www4.checktls.com [216.68.85.112]
    250-SIZE 20971520
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
    [000.532]		We can use this server
    [000.532]		TLS is an option on this server
    [000.532]	 -->	STARTTLS
    [000.648]	<-- 	220 TLS go ahead
    [000.648]		STARTTLS command works on this server
    [000.874]		SSLVersion in use: TLSv1.2
    [000.874]		Cipher in use: AES128-SHA256
    [000.874]		Connection converted to SSL
    [000.876]		
    Certificate 1 of 1 in chain:
    serialNumber= f7:24:5d:6c:dd:48:bb:07
    subject= /C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost
    issuer= /C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost
    [000.876]		Cert VALIDATION ERROR(S): self signed certificate
    [000.876]		So email is encrypted but the recipient domain is not verified
    [000.876]		Cert Hostname DOES NOT VERIFY (mail.poisonmichael.com != localhost)
    [000.876]		So email is encrypted but the host is not verified
    [000.876]	 ~~>	EHLO checktls.com
    [000.985]	<~~ 	250-server.poisonmichael.com Hello www4.checktls.com [216.68.85.112]
    250-SIZE 20971520
    250-8BITMIME
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250 HELP
    [000.985]		TLS successfully started on this server
    [000.985]	 ~~>	MAIL FROM:<test@checktls.com>
    [001.093]	<~~ 	250 OK
    [001.094]		Sender is OK
    [001.094]	 ~~>	RCPT TO:<test@poisonmichael.com>
    [001.209]	<~~ 	250 Accepted
    [001.210]		Recipient OK, email address proofed
    [001.210]	 ~~>	QUIT
    [001.318]	<~~ 	221 server.poisonmichael.com closing connection
    I've tried:

    https://help.directadmin.com/item.php?id=629
    Code:
    # cd /usr/local/directadmin/scripts
    # ./letsencrypt.sh request your.hostname.com 4096
    Domain does not exist on the system. Unable to find server.poisonmichael.com in /etc/virtual/domainowners. Exiting...
    # cd /etc/virtual/domainowners
    bash: cd: /etc/virtual/domainowners: Not a directory
    Then I found https://help.directadmin.com/item.php?id=645 but it looks like adding this to the file /usr/local/directadmin/conf/ca.san_config (which doesn't exist) is an "old method"?

    Mail log
    Code:
    2017-10-09 10:48:01 exim 4.83 daemon started: pid=10735, -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
    2017-10-09 10:50:07 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 10:54:45 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 10:59:40 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:02:09 1e1Twv-0002sC-Q2 <= diradmin@server.poisonmichael.com U=diradmin P=local S=897 T="New Message: DirectAdmin has been updated" from <diradmin@server.poisonmichael.com> for admin@directadmin.transip.us
    2017-10-09 11:02:09 1e1Twv-0002sC-Q2 ** admin@directadmin.transip.us F=<diradmin@server.poisonmichael.com>: Unrouteable address
    2017-10-09 11:02:09 1e1Twv-0002sK-Rz <= <> R=1e1Twv-0002sC-Q2 U=mail P=local S=1789 T="Mail delivery failed: returning message to sender" from <> for diradmin@server.poisonmichael.com
    2017-10-09 11:02:09 1e1Twv-0002sK-Rz => :blackhole: <diradmin@server.poisonmichael.com> R=system_aliases
    2017-10-09 11:02:09 1e1Twv-0002sK-Rz Completed
    2017-10-09 11:02:09 1e1Twv-0002sC-Q2 Completed
    2017-10-09 11:03:01 1e1Txl-0002st-KP <= diradmin@server.poisonmichael.com U=diradmin P=local S=917 T="New Message: A system issue requires your attention" from <diradmin@server.poisonmichael.com> for admin@directadmin.transip.us
    2017-10-09 11:03:01 1e1Txl-0002st-KP ** admin@directadmin.transip.us F=<diradmin@server.poisonmichael.com>: Unrouteable address
    2017-10-09 11:03:01 1e1Txl-0002sx-Ll <= <> R=1e1Txl-0002st-KP U=mail P=local S=1809 T="Mail delivery failed: returning message to sender" from <> for diradmin@server.poisonmichael.com
    2017-10-09 11:03:01 1e1Txl-0002sx-Ll => :blackhole: <diradmin@server.poisonmichael.com> R=system_aliases
    2017-10-09 11:03:01 1e1Txl-0002sx-Ll Completed
    2017-10-09 11:03:01 1e1Txl-0002st-KP Completed
    2017-10-09 11:04:12 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:08:57 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:13:40 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:18:29 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:22:58 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:27:59 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:33:21 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:38:25 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:39:23 1e1UWx-0001P1-VX <= diradmin@server.poisonmichael.com U=diradmin P=local S=1962 T="Your account for poisonmichael.com is now ready for use." from <diradmin@server.poisonmichael.com> for reseller@poisonmichael.com
    2017-10-09 11:39:24 1e1UWx-0001P1-VX => reseller <reseller@poisonmichael.com> F=<diradmin@server.poisonmichael.com> R=localuser T=local_delivery S=2098
    2017-10-09 11:39:24 1e1UWx-0001P1-VX Completed
    2017-10-09 11:39:24 1e1UWy-0001P6-09 <= diradmin@server.poisonmichael.com U=diradmin P=local S=1989 T="Creator Duplicate: Your account for poisonmichael.com is now ready for use." from <diradmin@server.poisonmichael.com> for admin@server.poisonmichael.com
    2017-10-09 11:39:24 1e1UWy-0001P6-09 => admin <admin@server.poisonmichael.com> F=<diradmin@server.poisonmichael.com> R=localuser T=local_delivery S=2129
    2017-10-09 11:39:24 1e1UWy-0001P6-09 Completed
    2017-10-09 11:43:17 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:48:18 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:53:14 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    2017-10-09 11:58:08 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data (set_id=test@poisonmichael.com)
    DNS
    Code:
    Name                    Type    Value
    ftp                     A       77.72.145.219   
    mail                    A       77.72.145.219   
    ns1.poisonmichael.com.  A       77.72.145.219   
    ns2.poisonmichael.com.  A       77.72.145.219   
    poisonmichael.com.      A       77.72.145.219   
    pop                     A       77.72.145.219   
    smtp                    A       77.72.145.219   
    www                     A       77.72.145.219   
    poisonmichael.com.      NS      ns1.poisonmichael.com.  
    poisonmichael.com.      NS      ns2.poisonmichael.com.  
    poisonmichael.com.      MX      10 mail 
    poisonmichael.com.      TXT     "v=spf1 a mx ip4:77.72.145.219 ~all"
    So my guess is the first steps I took are ok. But for e-mails to work I have to enable the certificate on the host? Also what settings should I have in CustomBuild? I left everything as default: http://prntscr.com/gv4u50

    Kind regards,
    Michael
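
    Added example (editor's, not from any post in this thread): the hostname check that checktls.com performed above, reproduced in Python so it can be re-run against your own MX after every certificate change. The three certificate dicts are constructed in the layout ssl's getpeercert() returns and mirror the stages this thread goes through (self-signed CN=localhost, a hostname-only certificate, then a SAN that also carries mail.poisonmichael.com). The only live function, fetch_starttls_cert(), is an assumption about how you would collect a real certificate and is not needed for the offline part.

```python
"""Added example (not from the DirectAdmin forum posts): does the certificate a
mail server presents cover the name clients actually connect to?  Certificate
dicts below are constructed in ssl.SSLSocket.getpeercert() layout."""
import smtplib
import ssl


def cert_dns_names(cert):
    """Names the certificate is valid for.  SAN DNS entries win; the subject CN
    is consulted only when there is no SAN at all (RFC 6125 section 6.4.4)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Case-insensitive comparison; a leading '*.' covers exactly one label, so
    *.example.com matches mail.example.com but not example.com or a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    head, sep, rest = hostname.partition(".")
    return bool(head) and sep == "." and rest == pattern[2:]


def verify_hostname(cert, hostname):
    """Return (ok, names) so a report can say what the cert does cover."""
    names = cert_dns_names(cert)
    return any(name_matches(n, hostname) for n in names), names


def fetch_starttls_cert(host, port=25, timeout=10):
    """Live helper (assumed usage, not run offline): STARTTLS to a real MX and
    return its cert dict.  Chain validation stays on, because getpeercert()
    returns an empty dict when verification is disabled; a self-signed chain is
    therefore reported as its own failure, the way checktls did above.
    check_hostname is off only because verify_hostname() does that part."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"chain does not validate: {exc.verify_message}"
    finally:
        smtp.close()


# Constructed peer-cert dicts (not captured from the server), one per stage.
SELF_SIGNED_LOCALHOST = {                       # post #1: Exim default cert
    "subject": ((("countryName", "GB"),), (("commonName", "localhost"),)),
    "issuer": ((("countryName", "GB"),), (("commonName", "localhost"),)),
}
HOSTNAME_ONLY = {                               # post #5, before the SAN edit
    "subject": ((("commonName", "server.poisonmichael.com"),),),
    "subjectAltName": (("DNS", "server.poisonmichael.com"),),
}
WITH_MAIL_SAN = {                               # post #5, after the SAN edit
    "subject": ((("commonName", "server.poisonmichael.com"),),),
    "subjectAltName": (("DNS", "server.poisonmichael.com"),
                       ("DNS", "mail.poisonmichael.com")),
}

if __name__ == "__main__":
    import sys
    mx = sys.argv[1] if len(sys.argv) > 1 else "mail.poisonmichael.com"
    stages = (("post #1", SELF_SIGNED_LOCALHOST),
              ("post #5 before SAN edit", HOSTNAME_ONLY),
              ("post #5 after SAN edit", WITH_MAIL_SAN))
    for label, cert in stages:
        ok, names = verify_hostname(cert, mx)
        print(f"{label}: {'OK' if ok else 'DOES NOT VERIFY'} ({mx} vs {names})")
```

    Run it with the MX name as the argument; a "DOES NOT VERIFY" line lists the names the certificate actually carries, which is the quickest way to see whether a SAN change took. The same verify_hostname() applies to the IMAPS/POP3S certificate Dovecot serves on 993/995, which is what Thunderbird and Opera Mail compare against the server name entered in the account settings.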

  2. #2 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 11,386)
    Hello Michael,

    Try

    Code:
    echo `hostname` >> /etc/virtual/domains
    or


    Code:
    echo "server.poisonmichael.com" >> /etc/virtual/domains
    and try letsencrypt script once more.
    Last edited by zEitEr; 10-13-2017 at 03:03 AM. Reason: Correct file is /etc/virtual/domains
    With regards, Alex.

    Professional Server Management for web hosting companies and individuals
    Hourly Support, Disaster Recovery, Server Hardening, Monthly Subscription
    Directadmin installation and optimization

    Click here if you need a Linux Admin

  3. #3 (Join Date: Apr 2016, Posts: 16)
    I'm struggling with the same problem. The certificate that I receive is the server certificate and not the domain certificate.
    I have been following this new feature: https://www.directadmin.com/features.php?id=2019

    One of the problems I see is that you cannot do this with Let's Encrypt. LE wants to validate you as the owner for the domain but when I check the box for "pop3.domain.com" then it cannot be validated because the website pop3.domain.com does not exist. So how can I generate LE certificates for mail?

  4. #4 (Join Date: Sep 2015, Location: Arnhem, NL, Posts: 252)
    I don't see a "server" DNS record for the server hostname in the DNS settings, is that correct? Also: have you enabled exim=true in CustomBuild options? Your Exim version is 2-3 years old! The latest version is 4.89.
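
    Added example (editor's, not from any post): the check behind this reply, applied to the zone listing from post #1. parse_zone() reads the Name/Type/Value table as DirectAdmin prints it; audit_zone() flags a server hostname without an A record, an MX target that is missing or does not point at the server IP, and a missing or duplicated SPF record. The zone text, hostname and IP are the thread's; forward_confirmed_reverse() is an assumed live helper for the PTR check and is not exercised offline.

```python
"""Added example (not from the DirectAdmin forum posts): sanity-check a zone
before requesting a hostname certificate and pointing mail clients at it."""
import socket

ORIGIN = "poisonmichael.com"
SERVER_HOSTNAME = "server.poisonmichael.com"
SERVER_IP = "77.72.145.219"

# Zone table as posted in #1 (no "server" A record yet).
ZONE_POST1 = """\
Name                    Type    Value
ftp                     A       77.72.145.219
mail                    A       77.72.145.219
ns1.poisonmichael.com.  A       77.72.145.219
ns2.poisonmichael.com.  A       77.72.145.219
poisonmichael.com.      A       77.72.145.219
pop                     A       77.72.145.219
smtp                    A       77.72.145.219
www                     A       77.72.145.219
poisonmichael.com.      NS      ns1.poisonmichael.com.
poisonmichael.com.      NS      ns2.poisonmichael.com.
poisonmichael.com.      MX      10 mail
poisonmichael.com.      TXT     "v=spf1 a mx ip4:77.72.145.219 ~all"
"""


def fqdn(name, origin):
    """Qualify a relative owner name against the origin; drop the root dot."""
    name, origin = name.strip(), origin.rstrip(".")
    if name in ("@", ""):
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, value) triples; the first line is the column header."""
    records = []
    for line in text.splitlines()[1:]:
        if line.strip():
            name, rtype, value = line.split(None, 2)
            records.append((fqdn(name, origin), rtype.upper(), value.strip()))
    return records


def audit_zone(records, origin, server_hostname, server_ip):
    """Checks raised in the thread: hostname A record, MX target A record that
    points at the server, exactly one SPF TXT at the apex."""
    findings = []
    apex = origin.rstrip(".")
    a_records = {}
    for owner, rtype, value in records:
        if rtype == "A":
            a_records.setdefault(owner, set()).add(value)
    if server_hostname not in a_records:
        findings.append(f"no A record for hostname {server_hostname}")
    for owner, rtype, value in records:
        if rtype == "MX" and owner == apex:
            _prio, target = value.split(None, 1)
            target = fqdn(target, origin)
            if target not in a_records:
                findings.append(f"MX target {target} has no A record")
            elif a_records[target] != {server_ip}:
                findings.append(f"MX target {target} resolves to "
                                f"{sorted(a_records[target])}, not {server_ip}")
    spf = [v.strip('"') for o, t, v in records
           if t == "TXT" and o == apex and v.strip('"').startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record at the zone apex")
    elif len(spf) > 1:
        findings.append(f"{len(spf)} SPF records at the apex; RFC 7208 allows exactly one")
    return findings


def forward_confirmed_reverse(ip):
    """Live helper (assumed, not run offline): the PTR for the server IP should
    name the hostname and that name should resolve back to the IP."""
    ptr = socket.gethostbyaddr(ip)[0]
    return ptr, ip in {ai[4][0] for ai in socket.getaddrinfo(ptr, None)}


if __name__ == "__main__":
    for finding in audit_zone(parse_zone(ZONE_POST1, ORIGIN), ORIGIN,
                              SERVER_HOSTNAME, SERVER_IP) or ["zone looks consistent"]:
        print(finding)
```

    On the post #1 zone the only finding is the missing A record for server.poisonmichael.com; adding the "server" line that appears in the later listing clears it. The MX-target check matters for mail_sni: clients are told to connect to mail.<domain>, so that name has to resolve to the box that holds the certificate.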

  5. #5 (Join Date: Sep 2017, Posts: 12)
    So the command of zEitEr was working. But then again I ran into another problem of not finding a file. I re-installed the server again and this time I installed Let's Encrypt on the host BEFORE I installed it on the domain. No problems this time around.

    I checked my e-mail again on https://www.checktls.com/perl/live/TestReceiver.pl and it was complaining about:
    Code:
    [000.993]       Cert Hostname DOES NOT VERIFY (mail.poisonmichael.com != server.poisonmichael.com | DNS:server.poisonmichael.com)
    [000.993]       So email is encrypted but the host is not verified
    I found a thread and tried it:
    Code:
    # vi /usr/local/directadmin/conf/ca.san_config
    Add: ", DNS:mail.poisonmichael.com" at the end of the line that start with: subjectAltName
    ./letsencrypt.sh request server.poisonmichael.com 4096
    And this was working fine! I tried the test on checktls.com and no more problems.

    However, when I'm trying to add my e-mail account on Thunderbird it keeps telling me: "Thunderbird failed to find the settings for your email account." Something I had since the beginning.

    Screenshot: http://prntscr.com/gvohky

    I've tried it also by changing it to STARTTLS. (These were the automatically detected settings: http://prntscr.com/gvoh8k)

    Also on Opera Mail, I can add my account with SSL options selected but when I try to send a mail it does nothing. It stays in the outbox folder. Receiving mails is not a problem.

    And the strange thing is: when I try Windows 10 Mail with SSL options selected, it sends mails without a problem.

    vi /var/log/maillog:
    Code:
    2017-10-10 16:58:57 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data (set_id=copier@server.poisonmichael.com)
    2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:04:48 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:05:28 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data (set_id=newsletter@server.poisonmichael.com)
    2017-10-10 17:12:10 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data (set_id=inventory@server.poisonmichael.com)
    2017-10-10 17:14:08 login authenticator failed for (User) [37.49.224.201]: 535 Incorrect authentication data (set_id=postmaster)
    2017-10-10 17:18:52 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data (set_id=general@server.poisonmichael.com)
    2017-10-10 17:25:32 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data (set_id=guest@server.poisonmichael.com)
    2017-10-10 17:32:06 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data (set_id=sales01@server.poisonmichael.com)
    2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:32:51 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "EHLO we-guess.mozilla.org" H=78-23-81-55.access.telenet.be [78.23.81.55] next input="QUIT\r\n"
    2017-10-10 17:38:45 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data (set_id=scan@server.poisonmichael.com)
    2017-10-10 17:39:01 1e1wcX-00025Y-5T <= diradmin@server.poisonmichael.com U=diradmin P=local S=1000 T="New Message: Brute-Force Attack detected in service log from IP(s) 218.65.30.251 on User(s) root" from <diradmin@server.poisonmichael.com> for admin@directadmin.transip.us
    2017-10-10 17:39:01 1e1wcX-00025Y-5T ** admin@directadmin.transip.us F=<diradmin@server.poisonmichael.com>: Unrouteable address
    2017-10-10 17:39:01 1e1wcX-00025c-7i <= <> R=1e1wcX-00025Y-5T U=mail P=local S=2305 T="Mail delivery failed: returning message to sender" from <> for diradmin@server.poisonmichael.com
    2017-10-10 17:39:01 1e1wcX-00025c-7i => :blackhole: <diradmin@server.poisonmichael.com> R=system_aliases
    2017-10-10 17:39:01 1e1wcX-00025c-7i Completed
    2017-10-10 17:39:01 1e1wcX-00025Y-5T Completed
    2017-10-10 17:45:24 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data (set_id=scanner@server.poisonmichael.com)
    2017-10-10 17:49:25 plain authenticator failed for (avdlhckueo) [185.110.241.27]: 535 Incorrect authentication data (set_id=spam@magentoexpress.nl)
    2017-10-10 17:49:25 login authenticator failed for (avdlhckueo) [185.110.241.27]: 535 Incorrect authentication data (set_id=spam@magentoexpress.nl)
    2017-10-10 17:51:54 login authenticator failed for (User) [191.96.249.63]: 535 Incorrect authentication data (set_id=sa@server.poisonmichael.com)
    SMTP protocol synchronization error? Hmm, on Stack Overflow I found the following:

    Judging from the error log entry, your mail client 10.7.2.137 is trying to establish a secure (TLS) connection but your Exim server is not expecting it.

    Most probably, TLS is not configured properly in your Exim configuration file. You can refer to http://www.exim.org/exim-html-curren...ng_tlsssl.html for tutorial.

    The solution is, therefore, to edit your Exim configuration file, making sure TLS certificates are defined and tls_advertise_hosts is set; and then restart Exim.

    I feel like this is a simple fix somehow?

    Kr
    Michael

  6. #6 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 11,386)
    Missing break lines? Missing final break line?

    Via file editor I add to /usr/local/directadmin/conf/directadmin.conf
    Missing enable_ssl_sni=1 in directadmin.conf ?

    If not... then are you ready to provide more details and debug?

    Code:
    ./build options
    ?
    Code:
    ./build version | grep -i installed
    ?
    Code:
    /usr/local/directadmin/directadmin c | grep sni
    ?
    Code:
    grep ^tls_ /etc/exim.variables.conf
    ?
    Code:
    cat /etc/virtual/snidomains
    ?
    Code:
    ls -la /etc/dovecot/conf/sni/
    ?
    With regards, Alex.

  7. #7 (Join Date: Sep 2017, Posts: 12)
    enable_ssl_sni=1 was not there. I've added it, but same result.

    And there is a line break at the end (had this problem before).

    ./build options
    Code:
    Apache: 2.4.28
    mod_ruid2: 0.9.8
    ModSecurity: no
    Dovecot: 2.2.32
    Dovecot configuration: no
    AWstats: no
    Exim: 4.89
    exim.conf update: no
    BlockCracking: no
    Easy Spam Fighter: no
    SpamAssassin: 3.4.1
    SpamAssassin rule updates: daily
    ClamAV: no
    MySQL: no
    MySQL backup: yes
    MySQL backup directory: /usr/local/directadmin/custombuild/mysql_backups
    MySQL compress backups: no
    PHP (default): 7.1 as mod_php
    phpMyAdmin: 4.7.4-all-languages
    ProFTPD: no
    Pure-FTPd: 1.0.46
    RoundCube webmail: 1.3.1
    Replace "php.ini" with './build all' and './build php_ini': no
    Auto updates/notifications: no
    Run "clean" every time: yes
    Run "clean_old_webapps" every time: yes
    Run "clean_old_tarballs" every time: yes
    Show texts in bold: yes
    SquirrelMail: no
    Zend Guard Loader: no
    ionCube loader: no
    Suhosin: no
    ./build version | grep -i installed
    Code:
    [root@server custombuild]# ./build version | grep -i installed
    [root@server custombuild]# ./build version
    2.0.0 (rev: 1734)
    /usr/local/directadmin/directadmin c | grep sni
    Code:
    enable_ssl_sni=1
    mail_sni=1
    grep ^tls_ /etc/exim.variables.conf
    Code:
    grep: /etc/exim.variables.conf: No such file or directory
    
    [root@server etc]# ls
    abrt                     DIR_COLORS               GREP_COLORS    localtime                 opt                     rc.d            sudo-ldap.conf
    adjtime                  DIR_COLORS.256color      groff          login.defs                os-release              rc.local        sysconfig
    aliases                  DIR_COLORS.lightbgcolor  group          logrotate.conf            pam.d                   rdma            sysctl.conf
    aliases.db               dnsmasq.conf             group-         logrotate.d               passwd                  redhat-release  sysctl.d
    alternatives             dnsmasq.d                grub2.cfg      lsm                       passwd-                 resolv.conf     systemd
    anacrontab               dovecot                  grub.d         lvm                       pinforc                 rndc.key        system_filter.exim
    asound.conf              dovecot.conf             gshadow        machine-id                pkcs11                  rpc             system-release
    at.deny                  dovecot.conf.old         gshadow-       magic                     pki                     rpm             system-release-cpe
    audisp                   dracut.conf              gss            mail                      plymouth                rsyncd.conf     tcsd.conf
    audit                    dracut.conf.d            host.conf      mailcap                   pm                      rsyslog.conf    terminfo
    avahi                    e2fsck.conf              hostname       mail.rc                   polkit-1                rsyslog.d       timezone
    bash_completion.d        environment              hosts          makedumpfile.conf.sample  popt.d                  rwtab           tmpfiles.d
    bashrc                   ethertypes               hosts.allow    man_db.conf               ppp                     rwtab.d         trusted-key.key
    binfmt.d                 exim.cert                hosts.deny     mime.types                prelink.conf.d          sasl2           tuned
    centos-release           exim.conf                hostsE         mke2fs.conf               printcap                scl             udev
    centos-release-upstream  exim.conf.orig           hosts.tmp      modprobe.d                profile                 securetty       updatedb.conf
    chkconfig.d              exim.conf.temp           httpd          modules-load.d            profile.d               security        usb_modeswitch.conf
    chrony.conf              exim.key                 init.d         motd                      proftpd.conf            selinux         usb_modeswitch.d
    chrony.keys              exim.pl                  inittab        mtab                      proftpd.conf.back       services        vconsole.conf
    cifs-utils               exim.pl.temp             inputrc        my.cnf                    proftpd.passwd          sestatus.conf   vimrc
    cron.d                   exim.spamassassin.conf   iproute2       my.cnf.d                  proftpd.vhosts.conf     setuptool.d     virc
    cron.daily               exports                  issue          my.cnf.rpmsave            protocols               shadow          virtual
    cron.deny                favicon.png              issue.net      named                     pure-ftpd.conf          shadow-         wgetrc
    cron.hourly              filesystems              kdump.conf     named.conf                pure-ftpd-dhparams.pem  shells          wpa_supplicant
    cron.monthly             firewalld                kernel         named.iscdlv.key          pureftpd.pdb            skel            X11
    crontab                  fonts                    krb5.conf      named.rfc1912.zones       pure-ftpd.pem           smartmontools   xdg
    cron.weekly              fprintd.conf             ld.so.cache    named.root.key            python                  sos.conf        xinetd.conf
    crypttab                 fstab                    ld.so.conf     nanorc                    rc0.d                   ssh             xinetd.d
    csh.cshrc                fstabE                   ld.so.conf.d   NetworkManager            rc1.d                   ssl             yum
    csh.login                ftpusers                 libaudit.conf  networks                  rc2.d                   statetab        yum.conf
    dbus-1                   gcrypt                   libnl          nsswitch.conf             rc3.d                   statetab.d      yum.repos.d
    default                  gdbinit                  libreport      nsswitch.conf.bak         rc4.d                   sudo.conf
    depmod.d                 gdbinit.d                libuser.conf   ntp                       rc5.d                   sudoers
    dhcp                     gnupg                    locale.conf    openldap                  rc6.d                   sudoers.d
    cat /etc/virtual/snidomains
    Code:
    [root@server etc]# cat /etc/virtual/snidomains
    cat: /etc/virtual/snidomains: No such file or directory
    
    [root@server etc]# cd virtual
    [root@server virtual]# ls
    bad_sender_hosts     blacklist_senders       domains       limit_unknown      pophosts         skip_rbl_domains  user_limit         whitelist_hosts
    bad_sender_hosts_ip  directadmin.transip.us  limit         majordomo          pophosts_user    usage             whitelist_domains  whitelist_hosts_ip
    blacklist_domains    domainowners            limit.rpmnew  poisonmichael.com  skip_av_domains  use_rbl_domains   whitelist_from     whitelist_senders
    ls -la /etc/dovecot/conf/sni/
    Code:
    [root@server virtual]# ls -la /etc/dovecot/conf/sni/
    ls: cannot access /etc/dovecot/conf/sni/: No such file or directory
    
    
    [root@server virtual]# cd /etc/dovecot
    [root@server dovecot]# ls
    conf  conf.d  dovecot.conf  README
    [root@server dovecot]# cd conf
    [root@server conf]# ls
    imap_mail_plugins.conf  limits.conf  lmtp_mail_plugins.conf            mail_plugins.conf  ssl.conf
    ip.conf                 lmtp.conf    mail_max_userip_connections.conf  protocols.conf
    I hope this helps?

    Kr
    Michael

  8. #8 (Join Date: Aug 2006, Location: LT, EU, Posts: 6,802)
    Please make sure the hostname is in /etc/virtual/domains, but not in /etc/virtual/domainowners.
    Martynas Bendorius
    MB Martynas IT. Professional server management company. Official DirectAdmin, CloudLinux, LiteSpeed and Comodo partners.

  9. #9 (Join Date: Apr 2016, Posts: 16)
    But how to generate a Let's Encrypt SSL certificate for a hostname that does not have a website? I want my mail users to connect to their own pop3.domain.com hostname for receiving mail. But when I generate a LE certificate the "pop3" hostname gives an error because it cannot be validated.

    My certificates work fine for the ones that do generate. I can test this at https://certlogik.com/ssl-checker/ by entering "www.domain.com:995" in the test field. But "pop3.domain.com:995" fails because that name is not on the certificate.

    [edit] As a workaround I have created a web-subdomain for the pop3 hostname and generated the certificate again. Now my pop3 users do get a valid certificate.
    Last edited by Freddy; 10-12-2017 at 03:40 AM. Reason: Found workaround

  10. #10 (Join Date: Apr 2009, Posts: 2,043)
    @Freddy, Are you talking about the server hostname? If so, just do:

    Code:
    cd /usr/local/directadmin/scripts
    ./letsencrypt.sh request server.hostname.com 4096

  11. #11 (Join Date: Apr 2005, Location: GMT +7.00, Posts: 11,386)
    Michael,

    Quote Originally Posted by LauwereysM View Post
    I hope this helps?

    Kr
    Michael

    Run this:

    Code:
    service directadmin restart
    
    cd /usr/local/directadmin/custombuild
    ./build clean
    ./build update
    ./build set eximconf yes
    ./build set eximconf_release 4.5
    ./build set dovecot_conf yes
    ./build exim_conf
    ./build dovecot_conf
    
    echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
    With regards, Alex.

  12. #12 (Join Date: Apr 2016, Posts: 16)
    @ditto, No, the server hostname is not a problem. It's a customer domain name. In theory, this should work for all customer domain names.

  13. #13 (Join Date: Apr 2009, Posts: 2,043)
    I understand. But you mention they need a website to get a Let's Encrypt SSL certificate, but that is not needed if you have letsencrypt=1 in directadmin.conf (that is the recommended setting). All that is needed is to add an A record for the domain or subdomain, both with and without www. You do not need to create a "web-subdomain".
    Last edited by ditto; 10-13-2017 at 12:22 AM.

  14. #14 (Join Date: Sep 2017, Posts: 12)
    Quote Originally Posted by zEitEr View Post
    Run this:

    Code:
    service directadmin restart
    
    cd /usr/local/directadmin/custombuild
    ./build clean
    ./build update
    ./build set eximconf yes
    ./build set eximconf_release 4.5
    ./build set dovecot_conf yes
    ./build exim_conf
    ./build dovecot_conf
    
    echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
    Executed that but still facing the same problem. Maybe it's something DNS related?

    Exim log:
    Code:
    2017-10-13 17:04:28 H=166.62.124.177.static.horizonstelecom.com.br (server.poisonmichael.com) [177.124.62.166] rejected EHLO or HELO server.poisonmichael.com: Bad HELO - Host impersonating hostname [server.poisonmichael.com]
    My reverse DNS is set to server.poisonmichael.com

    DNS:
    Code:
    ftp	A	77.72.145.219	
    mail	A	77.72.145.219	
    ns1.poisonmichael.com.	A	77.72.145.219	
    ns2.poisonmichael.com.	A	77.72.145.219	
    poisonmichael.com.	A	77.72.145.219	
    pop	A	77.72.145.219	
    server	A	77.72.145.219	
    smtp	A	77.72.145.219	
    www	A	77.72.145.219	
    poisonmichael.com.	NS	ns1.poisonmichael.com.	
    poisonmichael.com.	NS	ns2.poisonmichael.com.	
    poisonmichael.com.	MX	10 mail	
    poisonmichael.com.	TXT	"v=spf1 a mx ip4:77.72.145.219 ~all"
    Kr,
    Michael
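A sanity check over the zone dump above, added here as an example; it is not code from the thread or from DirectAdmin. It parses the `name type value` dump the way DirectAdmin's DNS Management prints it (relative names, or absolute names with a trailing dot) and then checks what a receiving MTA or mail-tester looks at: that the MX target has an address record and is not a CNAME, that SPF authorizes the server's IP and ends in `~all` or `-all`, that a DMARC policy is published as a TXT record at `_dmarc.<domain>` (RFC 7489), and that a DKIM public key exists at `<selector>._domainkey.<domain>` (RFC 6376). The zone text is the dump from the post, constructed as inline input; the DKIM selector `x` is an assumption and is passed in as a parameter.

```python
import ipaddress
from collections import defaultdict

ORIGIN = "poisonmichael.com"
SERVER_IP = "77.72.145.219"

# Constructed input: the zone as dumped in the post above (relative names and
# absolute names with a trailing dot, as DirectAdmin's DNS Management shows them).
ZONE = """\
ftp                     A    77.72.145.219
mail                    A    77.72.145.219
ns1.poisonmichael.com.  A    77.72.145.219
ns2.poisonmichael.com.  A    77.72.145.219
poisonmichael.com.      A    77.72.145.219
pop                     A    77.72.145.219
server                  A    77.72.145.219
smtp                    A    77.72.145.219
www                     A    77.72.145.219
poisonmichael.com.      NS   ns1.poisonmichael.com.
poisonmichael.com.      NS   ns2.poisonmichael.com.
poisonmichael.com.      MX   10 mail
poisonmichael.com.      TXT  "v=spf1 a mx ip4:77.72.145.219 ~all"
"""


def fqdn(name, origin):
    """Absolute names end in '.'; anything else is relative to the zone origin."""
    return name[:-1].lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Map (fqdn, rtype) -> [rdata] from a 'name type value' dump; value may contain spaces."""
    records = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            name, rtype, value = line.split(None, 2)
            records[(fqdn(name, origin), rtype.upper())].append(value.strip())
    return records


def check_mail_dns(records, origin, server_ip, dkim_selector="x"):
    """Return a list of problems a receiving MTA or a mail tester would trip over."""
    problems, apex = [], origin.lower()
    ip = ipaddress.ip_address(server_ip)

    # MX targets must resolve directly to address records (RFC 2181 s10.3 forbids CNAME targets).
    mx_rdata = records.get((apex, "MX"), [])
    if not mx_rdata:
        problems.append("no MX record at apex")
    mx_hosts = [fqdn(rdata.split()[1], origin) for rdata in mx_rdata]
    for host in mx_hosts:
        if (host, "CNAME") in records:
            problems.append(f"MX target {host} is a CNAME")
        elif (host, "A") not in records and (host, "AAAA") not in records:
            problems.append(f"MX target {host} has no address record")

    # SPF: exactly one v=spf1 TXT at the apex, authorizing the sending IP, ending in ~all or -all.
    spf = [r.strip('"') for r in records.get((apex, "TXT"), []) if r.strip('"').startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"expected exactly one SPF record at {apex}, found {len(spf)}")
    else:
        terms = spf[0].split()[1:]
        allowed = []  # addresses/networks the policy authorizes
        for term in terms:
            mech = term.lstrip("+-~?").lower()
            if mech == "a":
                allowed += records.get((apex, "A"), [])
            elif mech == "mx":
                allowed += [a for h in mx_hosts for a in records.get((h, "A"), [])]
            elif mech.startswith(("ip4:", "ip6:")):
                allowed.append(mech[4:])
        if not any(ip in ipaddress.ip_network(n, strict=False) for n in allowed):
            problems.append(f"SPF does not authorize the sending IP {server_ip}")
        if not terms or terms[-1] not in ("~all", "-all"):
            problems.append("SPF should end with ~all or -all")

    # DMARC lives in a TXT record at _dmarc.<domain>; the DKIM key at <selector>._domainkey.<domain>.
    dmarc = records.get((f"_dmarc.{apex}", "TXT"), [])
    if not any(r.strip('"').startswith("v=DMARC1") for r in dmarc):
        problems.append(f'no DMARC policy: publish TXT _dmarc.{apex} "v=DMARC1; p=none"')
    dkim_name = f"{dkim_selector}._domainkey.{apex}"  # selector is an assumption
    if (dkim_name, "TXT") not in records:
        problems.append(f"no DKIM public key at {dkim_name}")
    return problems


if __name__ == "__main__":
    recs = parse_zone(ZONE, ORIGIN)
    for p in check_mail_dns(recs, ORIGIN, SERVER_IP) or ["all mail DNS checks passed"]:
        print(p)
```

Run against the dump as posted it reports only the two records that are absent from it, the DMARC policy and the DKIM key; paste a new dump into `ZONE` (or read it from a file) after making changes and re-run until the list is empty.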

  15. #15
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,386
    Michael,

    The error:

    Code:
    rejected EHLO or HELO server.poisonmichael.com: Bad HELO - Host impersonating hostname [server.poisonmichael.com]
    hardly has anything to do with DNS.

    You should not use the same hostname on 177.124.62.166 if you have it on 77.72.145.219. The hostnames should differ, e.g.:


    server.poisonmichael.com and server2.poisonmichael.com
    With regards, Alex.

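To separate the noise Alex describes (a foreign host announcing itself as your hostname, which that Exim ACL exists to reject) from a real problem (a rejection coming from an address you actually control), here is a small triage script over the Exim mainlog. It is an added example, not part of the thread or of DirectAdmin's tooling. The first sample line is the one quoted in post #14; the remaining lines are constructed to show both cases, and the 203.0.113.10 address and the "laptop" HELO are made up.

```python
import ipaddress
import re
from collections import Counter

# Exim logs the peer as "H=<rdns> (<helo>) [<ip>]" or, with no reverse DNS, "H=(<helo>) [<ip>]".
# The rejection text is the one the DirectAdmin Exim ACL writes for HELO impersonation.
BAD_HELO = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?:(?P<rdns>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] "
    r"rejected EHLO or HELO (?P<claimed>\S+): Bad HELO - Host impersonating hostname"
)

# Constructed sample: line 1 is from the thread, lines 2-4 are made up for illustration.
SAMPLE_LOG = """\
2017-10-13 17:04:28 H=166.62.124.177.static.horizonstelecom.com.br (server.poisonmichael.com) [177.124.62.166] rejected EHLO or HELO server.poisonmichael.com: Bad HELO - Host impersonating hostname [server.poisonmichael.com]
2017-10-13 17:05:02 H=(server.poisonmichael.com) [177.124.62.166] rejected EHLO or HELO server.poisonmichael.com: Bad HELO - Host impersonating hostname [server.poisonmichael.com]
2017-10-13 17:06:11 H=(server.poisonmichael.com) [77.72.145.219] rejected EHLO or HELO server.poisonmichael.com: Bad HELO - Host impersonating hostname [server.poisonmichael.com]
2017-10-13 17:07:30 1e2xyz-0001AB-Cd <= michael@poisonmichael.com H=(laptop) [203.0.113.10] P=esmtpsa A=login S=812
"""


def parse_bad_helo(line):
    """Fields of a HELO-impersonation rejection, or None for any other log line."""
    m = BAD_HELO.match(line)
    return m.groupdict() if m else None


def triage_bad_helo(log_text, our_hostname, our_ips):
    """Split rejections into 'foreign' (other hosts claiming our hostname: spoofers, safe to
    ignore) and 'own' (from our addresses or private ranges: a client or config problem)."""
    ours = {ipaddress.ip_address(i) for i in our_ips}
    foreign, own, total = Counter(), [], 0
    for line in log_text.splitlines():
        rec = parse_bad_helo(line)
        if rec is None or rec["claimed"].lower() != our_hostname.lower():
            continue
        total += 1
        ip = ipaddress.ip_address(rec["ip"])
        if ip in ours or ip.is_private or ip.is_loopback:
            own.append(rec)
        else:
            foreign[rec["ip"]] += 1
    return {"rejections": total, "foreign": foreign, "own": own}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage_bad_helo(text, "server.poisonmichael.com", {"77.72.145.219"})
    print(f"{result['rejections']} HELO-impersonation rejections")
    for ip, n in result["foreign"].most_common():
        print(f"  foreign {ip}: {n} (ignore; the ACL is doing its job)")
    for rec in result["own"]:
        print(f"  OWN ADDRESS {rec['ip']} at {rec['ts']}: investigate")
```

Point it at the real log with `python3 helo_triage.py /var/log/exim/mainlog` (the path is the usual DirectAdmin one; adjust it if your install differs). Anything under "foreign" is the situation in this thread: the rejection is for someone else and does not explain a client failing to send.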

  16. #16
    Join Date
    Sep 2017
    Posts
    12
    Quote Originally Posted by zEitEr View Post
    Michael,

    The error:

    Code:
    rejected EHLO or HELO server.poisonmichael.com: Bad HELO - Host impersonating hostname [server.poisonmichael.com]
    hardly has anything to do with DNS.

    You should not use the same hostname on 177.124.62.166 if you have it on 77.72.145.219. The hostnames should differ, e.g.:


    server.poisonmichael.com and server2.poisonmichael.com
    I don't even know where that IP (177.124.62.166) comes from. I just have one VPS (77.72.145.219) that uses poisonmichael.com. Would the "rejected EHLO" error be the main cause I can't send e-mails? Or is there another log I can check?

    Kr
    Michael

  17. #17
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,386
    If the IP 177.124.62.166 is not the one you use to connect to your server then you should ignore it for at least now. It's not related to your issue.

    So to recap...

    - a cert for main domain valid - checked here:
    https://ssl-tools.net/mailservers/poisonmichael.com
    - a cert for hostname is valid too - checked here: https://ssl-tools.net/mailservers/se...sonmichael.com

    So what is not working now? What error do you have on a client side?
    With regards, Alex.


  18. #18
    Join Date
    Sep 2017
    Posts
    12
    Quote Originally Posted by zEitEr View Post
    So what is not working now? What error do you have on a client side?
    So on Thunderbird:
    Adding new e-mail address: michael@poisonmichael.com

    It automatically searches for the settings and comes up with:
    Incoming: IMAP, mail.poisonmichael.com, STARTTLS
    Outgoing: SMTP, smtp.poisonmichael.com, No Encryption
    Username: michael

    It should use some sort of security so I manually change it to:

    Incoming: IMAP, mail.poisonmichael.com, port 993, SSL/TLS, Normal password
    Outgoing: SMTP, mail.poisonmichael.com, port 465, SSL/TLS, Normal password
    Username: (in and outgoing) michael@poisonmichael.com

    When I test this config Thunderbird tells me: "Thunderbird failed to find the settings for your email account."

    On Opera Mail:

    I add the e-mail and set:

    Incoming: mail.poisonmichael.com
    Outgoing: mail.poisonmichael.com
    And both set to "Use secure connection (TLS)"

    When I try to send an e-mail it shows connecting at the bottom and then shows nothing with the mail still in the outbox, no message.

    On Windows Mail however it does send the e-mail.

    I'm not really sure what is going on anymore :P I tried so many things now.

    Kr,
    Michael

  19. #19
    Join Date
    Sep 2017
    Posts
    12
    Ok so I figured out what the problem was. The weird thing was that Windows Mail was working, but Thunderbird and Opera Mail weren't. After some looking around it seemed that on:

    Thunderbird:
    In the "Account Settings" it has a section called "Outgoing Server (SMTP)" and if you did a lot of testing with different e-mail accounts it stores them all in there. When I set the outgoing server to mail.domain.com:587 instead of mail.domain.com | 587 | STARTTLS | Normal password it was letting me use the account. Then in the "Outgoing Server (SMTP)" section I edited the default server with the correct login, and everything was working.

    Opera Mail:
    This was pretty easy, if you enabled TLS when creating your account in Opera it uses port 25 as default. For a lot of VPN hosts this port is blocked due to spam so I had to manually set it to 587 and it worked.

    I'll post a reply with all the steps I did to get the mail up and running for those who are struggling with this setup.

    Thanks to all of you for the help. Great community!

    Kr,
    Michael

  20. #20
    Join Date
    Sep 2017
    Posts
    12
    These are the steps I took to get everything to work:

    Note that all of the commands are executed as ROOT. Use su root to log in. And it's done on a freshly installed server.



    Updates
    Visit the server via IP:2222

    Do the latest update via Licensing / Updates > Update DirectAdmin.
    You will get a message once it’s finished.



    CustomBuild 2.0
    Install CustomBuild 2.0 via the Plugin Manager.
    URL: http://www.custombuild.eu/plugin/custombuild.tar.gz

    Enter the Admin’s password.

    Add Plugin.

    You will now see a CustomBuild 2.0 option under Extra Features.

    Note: Do not do the updates yet. We will change some options.



    Administrator Settings
    Here we have to make sure the nameservers are set correctly. Mostly like:
    ns1.domain.com
    ns2.domain.com

    Not: ns1.server.domain.com

    Save these changes.



    CustomBuild 2.0
    Go to Edit Options.
    Choose a PHP version you want.

    Mail Settings:
    exim > yes
    eximconf > yes
    eximconf_release > 4.5 (or higher)
    sa_update > daily
    dovecot > yes
    dovecot_conf > yes

    Save the changes.

    Update Software > Update all

    Note: This can take a while.



    Domain
    Domain Administration
    Add Another Domain
    Domain: domain.com
    Secure SSL



    DNS
    Go to DNS Management

    Add:
    server A > record > Server IP
    domain.com > PTR > v=DMARC1; p=none

    For testing you can place TTL to 60 (1 min)



    Enable Let’s Encrypt
    First make sure server.domain.com (your hostname) is reachable and shows: “Apache is functioning normally”.

    Under the Admin Level go to File Editor.

    Select a file to edit: /usr/local/directadmin/conf/directadmin.conf

    Show File

    Before you can edit this file you have to unlock it by entering the ROOT password and pressing the Authenticate button.

    Once you’ve done that go to the file again and add:
    mail_sni=1
    letsencrypt=1

    Note: Make sure there is a space on the last line!

    Save the file.
    Restart Directadmin via Service Monitor.

    Add the /.well-known Alias:
    Code:
    cd /usr/local/directadmin/custombuild
    ./build rewrite_confs
    If you now check SSL Certificates under the User Level section it should show the option:
    Free & automatic certificate from Let's Encrypt. We are not going to use this yet.



    Create a certificate for the host
    We are now going to set a certificate for our host (server.domain.com).

    Code:
    cd /usr/local/directadmin/scripts
    ./letsencrypt.sh request server.domain.com 4096
    To not get the error below you have to add the mail server to the ca.san_config file.

    Error:
    Code:
    Cert Hostname DOES NOT VERIFY (mail.domain.com != server.domain.com | DNS:server.domain.com)
    So email is encrypted but the host is not verified
    Edit the ca.san_config file.

    Code:
    vi /usr/local/directadmin/conf/ca.san_config
    Add: ", DNS:mail.domain.com" at the end of the line that starts with: subjectAltName (Use ESC > :wq to save)

    Then create the certificate again.

    Code:
    cd /usr/local/directadmin/scripts
    ./letsencrypt.sh request server.domain.com 4096
    Note: it will show “Getting challenge for mail.domain.com from acme-server…”



    Create an email address
    Under the User Level section go to E-Mail Accounts and create a new email address.

    You can test your certificate with: https://www.checktls.com/perl/live/TestReceiver.pl

    Note: Everything should be OK (green)



    Install DKIM
    Download:

    Code:
    cd /etc
    wget -O exim.dkim.conf http://files.directadmin.com/services/exim.dkim.conf
    Restart exim.

    Enable it by adding dkim=1 to the /usr/local/directadmin/conf/directadmin.conf file.

    Restart Directadmin.

    At this point, any domain created after the change should have the DKIM keys created, and dns zones updated. For existing domains, you can either enable it individually for each domain, one-by-one:

    Code:
    cd /usr/local/directadmin/scripts
    ./dkim_create.sh domain.com
    Or you can enable it for all of your domains like this:

    Code:
    echo "action=rewrite&value=dkim" >> /usr/local/directadmin/data/task.queue
    Restart your server.

    You can test your mail with: http://www.mail-tester.com



    Mail clients
    Thunderbird:
    When adding your account use the SMTP mailserver mail.domain.com:587
    When your account is added go to the settings and edit the Outgoing Server (SMTP) option with the correct login details.

    Opera Mail:
    When adding your account with TLS option make sure in the Account settings it's using port 587 and not port 25 (default)



    I hope this helps some people out.

    Kind regards,
    Michael
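The check behind the recap in post #17, the "Cert Hostname DOES NOT VERIFY (mail.domain.com != server.domain.com | DNS:server.domain.com)" error above, and the client port choices in the last two posts, done locally rather than through ssl-tools or checktls. This is an added example, not code from the thread or from DirectAdmin. It connects to each mail port with SNI for the name the client will use (implicit TLS on 993 and 465, STARTTLS on 143, 587 and 25), validates the chain against the system CA store, and reports which SAN names the certificate actually carries and whether the requested name is among them. The name matching is done here rather than by `ssl` so a mismatch is reported instead of raised; only subjectAltName entries count, as modern clients ignore the CN. The hostname `tlscheck.invalid` sent in EHLO and the certificate dicts in the test are constructed for the example.

```python
import socket
import ssl


def san_dns_names(cert):
    """DNS names from a certificate dict as returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _pattern_matches(pattern, name):
    """RFC 6125 style: exact match, or a single leading '*.' covering exactly one label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = name.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_matches_hostname(cert, hostname):
    """True if any subjectAltName DNS entry covers hostname (CN is deliberately ignored)."""
    return any(_pattern_matches(p, hostname) for p in san_dns_names(cert))


def hostname_verdict(cert, hostname):
    """One-line verdict in the spirit of the checktls message quoted in the thread."""
    names = ", ".join("DNS:" + n for n in san_dns_names(cert)) or "no SAN"
    if cert_matches_hostname(cert, hostname):
        return f"Cert Hostname VERIFIES ({hostname} | {names})"
    return f"Cert Hostname DOES NOT VERIFY ({hostname} not in {names})"


def _read_smtp_reply(f):
    """Collect a possibly multi-line SMTP reply; the final line has a space after the code."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) >= 4 and line[3:4] == b" ":
            return b"".join(lines)


def _starttls(raw, proto):
    """Drive the plaintext part of STARTTLS so the socket is ready for the TLS handshake."""
    f = raw.makefile("rb", buffering=0)  # unbuffered: never read past the server's reply
    if proto == "smtp":
        if not _read_smtp_reply(f).startswith(b"220"):
            raise ConnectionError("no SMTP banner")
        raw.sendall(b"EHLO tlscheck.invalid\r\n")  # client name is a placeholder
        if b"STARTTLS" not in _read_smtp_reply(f).upper():
            raise ConnectionError("STARTTLS not offered")
        raw.sendall(b"STARTTLS\r\n")
        if not _read_smtp_reply(f).startswith(b"220"):
            raise ConnectionError("STARTTLS refused")
    elif proto == "imap":
        f.readline()  # "* OK ..." greeting
        raw.sendall(b"a1 STARTTLS\r\n")
        reply = f.readline()
        if not reply.startswith(b"a1 OK"):
            raise ConnectionError(f"STARTTLS refused: {reply!r}")


# port -> plaintext protocol to upgrade, or None for TLS on connect
MAIL_PORTS = {993: None, 465: None, 143: "imap", 587: "smtp", 25: "smtp"}


def probe(host, port, timeout=10):
    """Connect with SNI for `host` and report the certificate actually served on `port`."""
    ctx = ssl.create_default_context()  # system CA store, chain verification on
    ctx.check_hostname = False          # we report name mismatches instead of raising
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if MAIL_PORTS.get(port):
            _starttls(raw, MAIL_PORTS[port])
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"port": port, "tls": tls.version(), "sans": san_dns_names(cert),
                    "verdict": hostname_verdict(cert, host)}


if __name__ == "__main__":
    import sys
    for port in MAIL_PORTS:
        try:
            print(probe(sys.argv[1], port))
        except (OSError, ssl.SSLError, ConnectionError) as exc:
            print(f"port {port}: {exc}")
```

Run it as `python3 mailtls_check.py mail.domain.com` and then again with `server.domain.com`: a correct mail_sni setup answers both names with a certificate that verifies for the name asked, and a port that reports "STARTTLS not offered" or a connection error is the one a client set to "No encryption" or to port 25 would silently fall over on.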
