Hi,
I'm having trouble using the mail_sni feature. I believe I've met all the requirements described here https://www.directadmin.com/features.php?id=2019, but when I test the certificate on the mail services I get the server's certificate instead of mail.domain.com.
Steps:
1. Checked the mail sni setting in directadmin.conf
Code:
# ./directadmin c|grep mail_sni
mail_sni=1
2. Checked custombuild settings for Exim and Dovecot
Code:
exim=yes
eximconf=yes
eximconf_release=4.5
dovecot=yes
dovecot_conf=yes
3. Ran build update
Code:
# ./build update
4. Rebuilt exim and exim_conf
Code:
# ./build exim
# ./build exim_conf
5. Rebuilt dovecot and dovecot_conf
Code:
# ./build dovecot
# ./build dovecot_conf
6. Checked /etc/virtual/snidomains
Code:
# cat /etc/virtual/snidomains
ftp.ickale.net:ickale:ickale.net
ickale.net:ickale:ickale.net
mail.ickale.net:ickale:ickale.net
www.ickale.net:ickale:ickale.net
7. Checked the SNI config file for the domain name
Code:
# cat /etc/dovecot/conf/sni/ickale.net.conf
local_name ftp.ickale.net {
ssl_cert = </usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined
ssl_key = </usr/local/directadmin/data/users/ickale/domains/ickale.net.key
}
local_name ickale.net {
ssl_cert = </usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined
ssl_key = </usr/local/directadmin/data/users/ickale/domains/ickale.net.key
}
local_name mail.ickale.net {
ssl_cert = </usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined
ssl_key = </usr/local/directadmin/data/users/ickale/domains/ickale.net.key
}
local_name www.ickale.net {
ssl_cert = </usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined
ssl_key = </usr/local/directadmin/data/users/ickale/domains/ickale.net.key
}
8. Rewrote the dovecot config for the domain
Code:
# echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
# ./dataskq d800
Debug mode. Level 800
root priv set: uid:0 gid:0 euid:0 egid:0
pidfile written
starting queue
dataskq: command: action=rewrite&value=mail_sni
Ssl::ensure_sni_read(/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined) has permissions:
/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined: 'diradmin:mail' -rw-r-----, running as root:root
Ssl::ensure_sni_read(/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined) has permissions:
/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined: 'diradmin:mail' -rw-r-----, running as root:root
Ssl::ensure_sni_read(/usr/local/directadmin/data/users/ickale/domains/ickale.net.key) has permissions:
/usr/local/directadmin/data/users/ickale/domains/ickale.net.key: 'diradmin:mail' -rw-r-----, running as root:root
Ssl::ensure_sni_read(/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined) has permissions:
/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined: 'diradmin:mail' -rw-r-----, running as root:root
Ssl::dovecot_sni_reload: reloading dovecot
done queue
9. Reissued the certificate for ickale.net, ftp.ickale.net, mail.ickale.net, www.ickale.net
Code:
Certificate and Key Saved.
Details
Requesting new certificate order...
Processing authorization for ftp.ickale.net...
Challenge is valid.
Processing authorization for ickale.net...
Challenge is valid.
Processing authorization for mail.ickale.net...
Challenge is valid.
Processing authorization for www.ickale.net...
Challenge is valid.
Generating 4096 bit RSA key for ickale.net...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/ickale/domains/ickale.net.key.new"
Generating RSA private key, 4096 bit long modulus
.........................++
.....................................................................................................................................++
e is 65537 (0x10001)
Checking Certificate Private key match... Match!
Certificate for ickale.net has been created successfully!
10. Tested the certificates using openssl
Code:
# openssl s_client -showcerts -connect mail.ickale.net:993
Server certificate
subject=/CN=ickale.server34.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Code:
# openssl s_client -showcerts -connect mail.ickale.net:995
Server certificate
subject=/CN=ickale.server34.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Code:
# openssl s_client -showcerts -connect mail.ickale.net:465
Server certificate
subject=/CN=ickale.server34.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
I'm also getting a certificate verification error in my email clients. I'm not sure what I'm doing wrong here, but I cannot get the email services to work with a certificate that's issued for the mail.ickale.net domain name. I'd be grateful if you could help.
Thanks,
Engin
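As an added check that is not part of Engin's post or of DirectAdmin's own tooling: the script below reads a file in the /etc/virtual/snidomains format shown above and, for each hostname listed, handshakes with the implicit-TLS mail ports twice, once with that hostname as SNI and once with no SNI at all, and records which certificate subject the server presents and whether its SANs (or CN) cover the name. Comparing the two rows separates "Dovecot/Exim are not selecting the per-domain certificate" from "the test client never sent SNI"; older `openssl s_client` releases send no SNI unless `-servername host` is given. The sample snidomains text is copied from the post; the `fetch` parameter of `sni_report()` is a hypothetical injection point so the matching logic runs without a network.

```python
#!/usr/bin/env python3
"""Added example, not from the forum post or DirectAdmin: for every hostname
listed in an /etc/virtual/snidomains file, connect to the implicit-TLS mail
ports twice, once with that hostname as SNI and once without SNI, and record
which certificate subject the server presents and whether it covers the name.
"""
import socket
import ssl
import sys

MAIL_PORTS = (993, 995, 465)  # IMAPS, POP3S, SMTPS

# Sample in the format the post shows (hostname:user:domain).
SAMPLE_SNIDOMAINS = """\
ftp.ickale.net:ickale:ickale.net
ickale.net:ickale:ickale.net
mail.ickale.net:ickale:ickale.net
www.ickale.net:ickale:ickale.net
"""


def parse_snidomains(text):
    """Return the hostnames (first field) from snidomains-style text."""
    names = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 3:
            names.append(fields[0].lower())
    return names


def name_matches(pattern, hostname):
    """Exact match, or a single leading wildcard label (*.example.net)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def subject_cn(cert):
    """Common name from a getpeercert()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def cert_covers(cert, hostname):
    """True if the certificate's SANs (or CN, when no SANs) cover hostname."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(name_matches(s, hostname) for s in sans)
    cn = subject_cn(cert)
    return cn is not None and name_matches(cn, hostname)


def fetch_cert(host, port, server_name):
    """Handshake with host:port and return the validated peer certificate.
    server_name=None sends no SNI at all. The chain is still verified against
    the system CA store; only the hostname check is left to cert_covers()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


def sni_report(hostnames, host=None, ports=MAIL_PORTS, fetch=fetch_cert):
    """One row per (hostname, port, with/without SNI). 'host' overrides the
    address to connect to (e.g. the server IP); 'fetch' is injectable so the
    logic can be exercised without a network (hypothetical test hook)."""
    rows = []
    for name in hostnames:
        for port in ports:
            for sni in (name, None):
                try:
                    cert = fetch(host or name, port, sni)
                    cn, covers = subject_cn(cert), cert_covers(cert, name)
                except OSError as exc:  # ssl.SSLError is a subclass of OSError
                    cn, covers = "error: %s" % exc, False
                rows.append({"name": name, "port": port, "sni": sni is not None,
                             "served_cn": cn, "covers": covers})
    return rows


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/virtual/snidomains"
    with open(path) as fh:
        names = parse_snidomains(fh.read())
    for r in sni_report(names):
        print("%-20s :%d  sni=%-5s  served=%-28s covers=%s"
              % (r["name"], r["port"], r["sni"], r["served_cn"], r["covers"]))
```

Run it on the mail server as `python3 check_sni.py /etc/virtual/snidomains`. If the `sni=True` rows still show the server hostname's CN, the SNI map is not being applied by Dovecot or Exim; if only the `sni=False` rows do, the server is fine and the client used for testing simply did not send SNI.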