LauwereysM
Verified User | Joined: Sep 18, 2017 | Messages: 12
Hello,
So for a while now I've been struggling with setting up secure e-mails. I would like to use Let's Encrypt for that. I have a VPS which will host multiple websites for customers. All of them need an e-mail address. What would be the correct way to set this up?
These are the steps I've taken:
- Freshly installed server.
  Hostname: server.domain.com
  Nameservers: ns1.domain.com; ns2.domain.com
  CentOS 7
  Exim 4.83
  Dovecot 2.2.32
- Update DA to 1.52.0
- Installed CustomBuild 2.0
  11 Updates (CB)
- Via users I add a new domain, enabled SSL, and symbolic link
- I create a new email: [email protected]
- Via file editor I add to /usr/local/directadmin/conf/directadmin.conf:
  mail_sni=1
  letsencrypt=1
- Restart directadmin
- Login as root to vps
  cd /usr/local/directadmin/custombuild
  ./build rewrite_confs
- Update CB
- Users > SSL
- Free & automatic certificate from Let's Encrypt
  Common Name: domain.com
  E-Mail: [email protected]
  Key Size: 4096
  Certificate Type: SHA256
  domain.com
  mail.domain.com
  www.domain.com
  Certificate for domain.com has been created successfully!
- Checking https://domain.com and it's working
So far so good. Now when I'm trying Thunderbird, Opera Mail, or Windows 10 Mail it doesn't want to work. It never sees the certificate. So from what I read, the host (in my case server.domain.com) needs a certificate as well (not sure if this is also the case for DA 1.52.0?).
Code:
Checking [email protected]:
looking up MX hosts on domain "poisonmichael.com"
mail.poisonmichael.com (preference:10)
Trying TLS on mail.poisonmichael.com[77.72.145.219] (10):
seconds test stage and result
[000.109] Connected to server
[000.423] <-- 220 server.poisonmichael.com ESMTP Exim 4.83 Mon, 09 Oct 2017 13:24:09 +0200
[000.424] We are allowed to connect
[000.424] --> EHLO checktls.com
[000.532] <-- 250-server.poisonmichael.com Hello www4.checktls.com [216.68.85.112]
250-SIZE 20971520
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
[000.532] We can use this server
[000.532] TLS is an option on this server
[000.532] --> STARTTLS
[000.648] <-- 220 TLS go ahead
[000.648] STARTTLS command works on this server
[000.874] SSLVersion in use: TLSv1.2
[000.874] Cipher in use: AES128-SHA256
[000.874] Connection converted to SSL
[000.876]
Certificate 1 of 1 in chain:
serialNumber= f7:24:5d:6c:dd:48:bb:07
subject= /C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost
issuer= /C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost
[000.876] Cert VALIDATION ERROR(S): self signed certificate
[000.876] So email is encrypted but the recipient domain is not verified
[000.876] Cert Hostname DOES NOT VERIFY (mail.poisonmichael.com != localhost)
[000.876] So email is encrypted but the host is not verified
[000.876] ~~> EHLO checktls.com
[000.985] <~~ 250-server.poisonmichael.com Hello www4.checktls.com [216.68.85.112]
250-SIZE 20971520
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
[000.985] TLS successfully started on this server
[000.985] ~~> MAIL FROM:<[email protected]>
[001.093] <~~ 250 OK
[001.094] Sender is OK
[001.094] ~~> RCPT TO:<[email protected]>
[001.209] <~~ 250 Accepted
[001.210] Recipient OK, email address proofed
[001.210] ~~> QUIT
[001.318] <~~ 221 server.poisonmichael.com closing connection
I've tried:
https://help.directadmin.com/item.php?id=629
Code:
# cd /usr/local/directadmin/scripts
# ./letsencrypt.sh request your.hostname.com 4096
Domain does not exist on the system. Unable to find server.poisonmichael.com in /etc/virtual/domainowners. Exiting...
# cd /etc/virtual/domainowners
bash: cd: /etc/virtual/domainowners: Not a directory
Then I found https://help.directadmin.com/item.php?id=645 but it looks like adding this to the file /usr/local/directadmin/conf/ca.san_config (which doesn't exist) is an "old method"?
Mail log
Code:
2017-10-09 10:48:01 exim 4.83 daemon started: pid=10735, -q1h, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
2017-10-09 10:50:07 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 10:54:45 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 10:59:40 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:02:09 1e1Twv-0002sC-Q2 <= [email protected] U=diradmin P=local S=897 T="New Message: DirectAdmin has been updated" from <[email protected]> for [email protected]
2017-10-09 11:02:09 1e1Twv-0002sC-Q2 ** [email protected] F=<[email protected]>: Unrouteable address
2017-10-09 11:02:09 1e1Twv-0002sK-Rz <= <> R=1e1Twv-0002sC-Q2 U=mail P=local S=1789 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-10-09 11:02:09 1e1Twv-0002sK-Rz => :blackhole: <[email protected]> R=system_aliases
2017-10-09 11:02:09 1e1Twv-0002sK-Rz Completed
2017-10-09 11:02:09 1e1Twv-0002sC-Q2 Completed
2017-10-09 11:03:01 1e1Txl-0002st-KP <= [email protected] U=diradmin P=local S=917 T="New Message: A system issue requires your attention" from <[email protected]> for [email protected]
2017-10-09 11:03:01 1e1Txl-0002st-KP ** [email protected] F=<[email protected]>: Unrouteable address
2017-10-09 11:03:01 1e1Txl-0002sx-Ll <= <> R=1e1Txl-0002st-KP U=mail P=local S=1809 T="Mail delivery failed: returning message to sender" from <> for [email protected]
2017-10-09 11:03:01 1e1Txl-0002sx-Ll => :blackhole: <[email protected]> R=system_aliases
2017-10-09 11:03:01 1e1Txl-0002sx-Ll Completed
2017-10-09 11:03:01 1e1Txl-0002st-KP Completed
2017-10-09 11:04:12 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:08:57 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:13:40 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:18:29 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:22:58 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:27:59 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:33:21 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:38:25 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:39:23 1e1UWx-0001P1-VX <= [email protected] U=diradmin P=local S=1962 T="Your account for poisonmichael.com is now ready for use." from <[email protected]> for [email protected]
2017-10-09 11:39:24 1e1UWx-0001P1-VX => reseller <[email protected]> F=<[email protected]> R=localuser T=local_delivery S=2098
2017-10-09 11:39:24 1e1UWx-0001P1-VX Completed
2017-10-09 11:39:24 1e1UWy-0001P6-09 <= [email protected] U=diradmin P=local S=1989 T="Creator Duplicate: Your account for poisonmichael.com is now ready for use." from <[email protected]> for [email protected]
2017-10-09 11:39:24 1e1UWy-0001P6-09 => admin <[email protected]> F=<[email protected]> R=localuser T=local_delivery S=2129
2017-10-09 11:39:24 1e1UWy-0001P6-09 Completed
2017-10-09 11:43:17 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:48:18 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:53:14 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
2017-10-09 11:58:08 login authenticator failed for four.hosted.by.invps.net (win-e73f2aa0c2n.domain) [46.148.27.6]: 535 Incorrect authentication data ([email protected])
DNS
Code:
Name Type Value
ftp A 77.72.145.219
mail A 77.72.145.219
ns1.poisonmichael.com. A 77.72.145.219
ns2.poisonmichael.com. A 77.72.145.219
poisonmichael.com. A 77.72.145.219
pop A 77.72.145.219
smtp A 77.72.145.219
www A 77.72.145.219
poisonmichael.com. NS ns1.poisonmichael.com.
poisonmichael.com. NS ns2.poisonmichael.com.
poisonmichael.com. MX 10 mail
poisonmichael.com. TXT "v=spf1 a mx ip4:77.72.145.219 ~all"
So my guess is the first steps I took are ok. But for e-mails to work I have to enable the certificate on the host? Also what settings should I have in CustomBuild? I left everything as default: http://prntscr.com/gv4u50
Kind regards,
Michael
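The two findings in the checktls output above (a self-signed certificate with CN=localhost, and a name mismatch against mail.domain.com) are exactly the checks a mail client such as Thunderbird performs before it will trust the connection. The script below is an added example for this thread, not code from the post and not DirectAdmin, Exim or Dovecot code: it reproduces that client-side verdict from a certificate's subject, issuer and SANs, and includes live probes for the STARTTLS and implicit-TLS mail ports using only the Python standard library. All certificate details and host names in it are constructed (domain.com placeholders and a placeholder issuer DN).

```python
"""Check what a strict mail client sees when it verifies a mail server's TLS
certificate: is the certificate self-signed, and does it cover the host name
the client actually connected to?

Added example for the thread; not DirectAdmin, Exim or Dovecot code.
Standard library only (ssl, smtplib, socket).
"""
import smtplib
import socket
import ssl
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class CertFacts:
    """The parts of a certificate that decide whether a client trusts it."""
    subject_dn: str             # e.g. "/C=GB/ST=Someprovince/O=none/CN=localhost"
    issuer_dn: str
    common_name: str
    sans: Sequence[str] = ()    # dNSName entries of subjectAltName, if any


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or one wildcard as the left-most label.
    '*.example.com' covers 'mail.example.com' but not 'example.com' or
    'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def evaluate_cert(facts: CertFacts, connected_host: str) -> List[str]:
    """Return the problems a verifying client (Thunderbird, checktls) would
    report for this certificate after connecting to `connected_host`.
    An empty list means the certificate is acceptable for that name."""
    problems = []
    # A certificate that names itself as issuer chains to no trusted CA.
    if facts.subject_dn == facts.issuer_dn:
        problems.append("self-signed certificate")
    # Clients match the connected name against the SANs; the CN is only
    # consulted when the certificate carries no subjectAltName at all.
    names = list(facts.sans) or [facts.common_name]
    if not any(hostname_matches(n, connected_host) for n in names):
        problems.append(
            f"hostname mismatch ({connected_host} != {', '.join(names)})")
    return problems


def probe_smtp_starttls(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """Live check of an SMTP submission port: EHLO, STARTTLS, then verify the
    certificate the way a client does (system trust store, SNI = host)."""
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return "FAIL: server does not offer STARTTLS"
            smtp.starttls(context=ctx)
            return f"OK: certificate verified for {host}"
    except ssl.SSLCertVerificationError as exc:
        return f"FAIL: {exc.verify_message}"
    except (OSError, smtplib.SMTPException) as exc:
        return f"ERROR: {exc}"


def probe_implicit_tls(host: str, port: int = 993, timeout: float = 10.0) -> str:
    """Same check for ports that speak TLS from the first byte:
    IMAPS 993, POP3S 995, SMTPS 465."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
                return f"OK: verified for {host} (CN={subject.get('commonName')})"
    except ssl.SSLCertVerificationError as exc:
        return f"FAIL: {exc.verify_message}"
    except OSError as exc:
        return f"ERROR: {exc}"


if __name__ == "__main__":
    # Constructed facts mirroring the checktls output in the thread: Exim served
    # a self-signed CN=localhost certificate while the client connected to the
    # MX name mail.domain.com.
    default_exim_cert = CertFacts(
        subject_dn="/C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost",
        issuer_dn="/C=GB/ST=Someprovince/L=Sometown/O=none/OU=none/CN=localhost",
        common_name="localhost")
    for problem in evaluate_cert(default_exim_cert, "mail.domain.com"):
        print("client would report:", problem)

    # The Let's Encrypt certificate from the post, once the mail daemons serve it
    # (constructed; the issuer DN is a placeholder, not a real LE issuer).
    le_cert = CertFacts(
        subject_dn="/CN=domain.com",
        issuer_dn="/O=Let's Encrypt/CN=<issuer placeholder>",
        common_name="domain.com",
        sans=("domain.com", "mail.domain.com", "www.domain.com"))
    print("LE cert, client used mail.domain.com:",
          evaluate_cert(le_cert, "mail.domain.com") or "OK")
    print("LE cert, client used server.domain.com:",
          evaluate_cert(le_cert, "server.domain.com") or "OK")

    # Live probes against your own server (network access required):
    # print(probe_smtp_starttls("mail.domain.com", 587))
    # print(probe_implicit_tls("mail.domain.com", 993))
```

The point the second constructed case makes is that a certificate is only good for the names in its SAN list: a customer whose client is configured with mail.domain.com is fine once the daemons present that certificate, while a client pointed at the hostname server.domain.com still fails until that name is covered too. The live probes report the same reason strings the checktls run showed, so they are a quick way to confirm which certificate Exim and Dovecot actually hand out after a configuration change.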