Per Domain Certificate for IMAP/POP3/SMTP

enginaar

Hi,

I'm having trouble using mail_sni feature. I believe I've passed all the requirements described here https://www.directadmin.com/features.php?id=2019 but when I test the certificate on mail services I get the server's certificate instead of mail.domain.com.

Steps:
1. Checked the mail sni setting in directadmin.conf
Code:
# ./directadmin c|grep mail_sni

mail_sni=1

2. Checked custombuild settings for Exim and Dovecot
Code:
exim=yes
eximconf=yes
eximconf_release=4.5
dovecot=yes
dovecot_conf=yes

3. Ran build update
Code:
# ./build update

4. Rebuilt exim and exim_conf
Code:
# ./build exim
# ./build exim_conf

4. Rebuilt dovecot and dovecot_conf
Code:
# ./build dovecot
# ./build dovecot_conf

5. Checked /etc/virtual/snidomains
Code:
# cat /etc/virtual/snidomains
ftp.ickale.net:ickale:ickale.net
ickale.net:ickale:ickale.net
mail.ickale.net:ickale:ickale.net
www.ickale.net:ickale:ickale.net

6. Checked sni config file for the domain name
Code:
# cat /etc/dovecot/conf/sni/ickale.net.conf
local_name ftp.ickale.net {
  ssl_cert = </usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined
  ssl_key = </usr/local/directadmin/data/users/ickale/domains/ickale.net.key
}
local_name ickale.net {
  ssl_cert = </usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined
  ssl_key = </usr/local/directadmin/data/users/ickale/domains/ickale.net.key
}
local_name mail.ickale.net {
  ssl_cert = </usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined
  ssl_key = </usr/local/directadmin/data/users/ickale/domains/ickale.net.key
}
local_name www.ickale.net {
  ssl_cert = </usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined
  ssl_key = </usr/local/directadmin/data/users/ickale/domains/ickale.net.key
}

7. Rewrote dovecot config for the domain
Code:
# echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
# ./dataskq d800
Debug mode. Level 800

root priv set: uid:0 gid:0 euid:0 egid:0
pidfile written
starting queue
dataskq: command: action=rewrite&value=mail_sni
Ssl::ensure_sni_read(/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined) has permissions:
/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined: 'diradmin:mail' -rw-r-----, running as root:root
Ssl::ensure_sni_read(/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined) has permissions:
/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined: 'diradmin:mail' -rw-r-----, running as root:root
Ssl::ensure_sni_read(/usr/local/directadmin/data/users/ickale/domains/ickale.net.key) has permissions:
/usr/local/directadmin/data/users/ickale/domains/ickale.net.key: 'diradmin:mail' -rw-r-----, running as root:root
Ssl::ensure_sni_read(/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined) has permissions:
/usr/local/directadmin/data/users/ickale/domains/ickale.net.cert.combined: 'diradmin:mail' -rw-r-----, running as root:root
Ssl::dovecot_sni_reload: reloading dovecot
done queue

8. Reissued certificate for ickale.net, ftp.ickale.net, mail.ickale.net, www.ickale.net
Code:
Certificate and Key Saved.

Details

Requesting new certificate order...
Processing authorization for ftp.ickale.net...
Challenge is valid.
Processing authorization for ickale.net...
Challenge is valid.
Processing authorization for mail.ickale.net...
Challenge is valid.
Processing authorization for www.ickale.net...
Challenge is valid.
Generating 4096 bit RSA key for ickale.net...
openssl genrsa 4096 > "/usr/local/directadmin/data/users/ickale/domains/ickale.net.key.new"
Generating RSA private key, 4096 bit long modulus
.........................++
.....................................................................................................................................++
e is 65537 (0x10001)
Checking Certificate Private key match... Match!
Certificate for ickale.net has been created successfully!

9. Tested certificates using openssl
Code:
# openssl s_client -showcerts -connect mail.ickale.net:993
Server certificate
subject=/CN=ickale.server34.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Code:
# openssl s_client -showcerts -connect mail.ickale.net:995
Server certificate
subject=/CN=ickale.server34.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Code:
# openssl s_client -showcerts -connect mail.ickale.net:465
Server certificate
subject=/CN=ickale.server34.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Also getting an error in my email clients for certificate verification. Not sure what I'm doing wrong here, but I cannot get the email services to work with a certificate that's issued for the mail.ickale.net domain name. I'd be grateful if you could help.

Thanks,
Engin
 
Your openssl tests are wrong :) You’re missing domain name specified there (servername parameter).
 
Hi smtalk,

Thanks for replying on a Sunday morning. I'm sorry, I don't understand what you mean by I'm missing the domain name specified there, and I don't know what the servername parameter is (couldn't find anything in man openssl).

I've used the commands here (https://support.plesk.com/hc/en-us/...-works-and-a-proper-SSL-certificate-is-in-use) because I thought it'd help to have some output for the forum; but the actual problem I had was on my email clients throwing not valid errors both on my computer and phone.

I've compared everything against other servers where this feature is working (I wasn't aware of any of the configuration above because everything worked out of the box) and found out the only difference is the ssl_redirect_host setting I'm using on this box. Strangely, the problem went away when I removed the line from directadmin.conf and re-applied all the steps above.

If you could show me how to test correctly with openssl, I wanna break and test this again to understand what actually fixed it, because, as I hope you'd understand, fixing how I use the openssl command doesn't fix the issue I'm having on the email clients, and I think email clients are slow to recognize changes for some reason.

Thanks again,
Engin
 
It's possible it was a service restart that fixed it. Out of the box, after you add your certificate, the remaining default DA settings should work fine, at least that has been my experience. Is this a new domain on an older DA installation?

This is one site I use, but it caches for a long time, so I often need to switch ports on the same hostname if I did a check recently:


This is another tester that will check everything that it can find, starting with your base domain name. It will check certificates, follow MX records, and you can control the caching:

 
Thanks for the suggestions. The account is migrated from another DA server using admin backup/restore. This is a fresh install on a new server. The SSL checker seems useful, but the reason I'm using openssl is to prevent false negatives due to caching. I don't think switching ports would work for me since my certificates worked on HTTP but not on IMAP, POP3 or SMTP, so I'm specifically looking to test the same port multiple times in a short time frame. If my understanding is correct, when testing HTTP the certificate is served by apache/nginx, when testing POP3/IMAP it's served by Dovecot, and SMTP by Exim. I'm trying to test the configuration on specific services.

I've restarted services several times, rebuilt Exim and Dovecot, and rewrote the configurations for both, which also restarts the services. Also restarted directadmin after rewriting the mail_sni configuration, which doesn't seem incorrect.

Thanks
 
Quick question, output shows ickale.net. Does this mean there is no need to issue a certificate for mail.ickale.net?

subject=/CN=ickale.net
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 
CN is the common name for the cert. I think there is only one allowed. Multiple names are supported through SAN (subject alternate name?). To explicitly dump those, you can also do this:

Code:
openssl s_client -connect website.com:443 | openssl x509 -noout -text | grep DNS:

got it from here:


Code:
$ openssl s_client -connect mail.ickale.net:993 | openssl x509 -noout -text | grep DNS:
                DNS:ftp.ickale.net, DNS:ickale.net, DNS:mail.ickale.net, DNS:www.ickale.net
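The two checks discussed in this thread, sending the SNI name with -servername (without it Dovecot and Exim hand out the default server-hostname certificate, which is what the original tests showed) and then confirming the hostname is in the SAN list, combined into one script. This is an added example, not code from the thread or from DirectAdmin; it assumes openssl is on PATH, adds the STARTTLS ports (143/110/587) that the thread does not cover, and the two certificate dumps are constructed samples modelled on the thread's output, not captured from a server.

```python
import re
import shlex
import subprocess

# 993/995/465 speak TLS immediately; 143/110/587/25 start in plaintext and
# upgrade with STARTTLS, so s_client must be told which protocol to negotiate.
STARTTLS = {143: "imap", 110: "pop3", 587: "smtp", 25: "smtp"}

def s_client_cmd(hostname, port):
    """Build the openssl s_client command that actually sends the SNI name."""
    cmd = ["openssl", "s_client", "-servername", hostname,
           "-connect", f"{hostname}:{port}"]
    if port in STARTTLS:
        cmd += ["-starttls", STARTTLS[port]]
    return cmd

def san_names(x509_text):
    """Pull the DNS: entries out of `openssl x509 -noout -text` output."""
    return re.findall(r"DNS:([^,\s]+)", x509_text)

def name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard in the leftmost position only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".ickale.net"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return False

def cert_covers(x509_text, hostname):
    """True when some SAN entry of the dumped certificate matches hostname."""
    return any(name_matches(n, hostname) for n in san_names(x509_text))

def check_mail_sni(hostname, port):
    """Live check (needs network): fetch the leaf cert with SNI and verify it."""
    chain = subprocess.run(s_client_cmd(hostname, port), input=b"",
                           capture_output=True, timeout=15).stdout
    text = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=chain, capture_output=True).stdout.decode()
    return cert_covers(text, hostname)

# Constructed samples (not real captures): what a correct SNI answer looks like,
# and the default-hostname certificate returned when no servername is sent.
SAMPLE_WITH_SNI = ("X509v3 Subject Alternative Name:\n    DNS:ftp.ickale.net, "
                   "DNS:ickale.net, DNS:mail.ickale.net, DNS:www.ickale.net\n")
SAMPLE_NO_SNI = ("Subject: CN = ickale.server34.com\n"
                 "X509v3 Subject Alternative Name:\n    DNS:ickale.server34.com\n")

if __name__ == "__main__":   # offline demo on the constructed samples
    print(" ".join(shlex.quote(a) for a in s_client_cmd("mail.ickale.net", 993)))
    print("with SNI   :", cert_covers(SAMPLE_WITH_SNI, "mail.ickale.net"))
    print("without SNI:", cert_covers(SAMPLE_NO_SNI, "mail.ickale.net"))
```

Run check_mail_sni("mail.example.net", 993) and then 465 and 587 against your own server to test each daemon separately; a False on a mail port while the HTTPS check passes points at the Dovecot or Exim SNI configuration rather than the certificate itself.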
 
Uh, I see. Yeah, I can verify all other sub domains with this. Thank you. This is very helpful.
 