Page 4 of 5 FirstFirst ... 2345 LastLast
Results 61 to 80 of 93

Thread: Scripts for Exim SNI with a (Let's Encrypt) user certificate

  1. #61
    Join Date
    Oct 2004
    Location
    A Coruña, Spain
    Posts
    6,786
    Hi there, you need to use this:
    https://help.directadmin.com/item.php?id=84
    Then you need to ask cp to the Let's Encrypt certificate requests.

    Best regards
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  2. #62
    Join Date
    Jun 2008
    Posts
    79
    Quote Originally Posted by Vaporizer View Post
    https://www.directadmin.com/features.php?id=1911
    Good news, it seems official support for Exim with SNI will be in the next version and judging by the documentation it is based on my implementation
    THANK YOU!

    I recently added the dovecot feature (didn't notice that it was pretty new) and I started looking for Exim till I found your post. In this case I will just wait till they implement the feature. Much more convenient than doing it myself.

  3. #63
    Join Date
    Dec 2005
    Location
    The Netherlands
    Posts
    119
    Does anybody know when DirectAdmin will release this as a supported (non-beta) feature?

  4. #64
    Join Date
    Oct 2004
    Location
    A Coruña, Spain
    Posts
    6,786
    I am already using the Dovecot and Exim one in production, the Exim one from this link: https://www.directadmin.com/features.php?id=1911
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  5. #65
    Join Date
    Dec 2005
    Location
    The Netherlands
    Posts
    119
    You can only enable it, I am missing the field where I can put in the certificate or even use Let's Encrypt. Maybe I am missing something?

  6. #66
    Join Date
    Oct 2004
    Location
    A Coruña, Spain
    Posts
    6,786
    Once it's enabled you should have, at the bottom of the certificate page (if you are using the DA skin or any updated skin), an option where you can select which certificate is for mail use.
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  7. #67
    Join Date
    Dec 2005
    Location
    The Netherlands
    Posts
    119
    Weird, I only get select boxes and my web certificate field. Is it not possible to use Let's Encrypt for this? I don't use any custom skin. I guess the enhanced skin is updated on every update? Maybe I need to run the beta of DA instead of the latest release.

  8. #68
    Join Date
    Oct 2004
    Location
    A Coruña, Spain
    Posts
    6,786
    mmh maybe yes, ofc you can use Let's Encrypt
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  9. #69
    Join Date
    Jun 2017
    Posts
    1
    Thanks for sharing this

    Website design

  10. #70
    Join Date
    Feb 2005
    Location
    The Netherlands
    Posts
    394
    Too bad this feature was pushed back another version once again:

    https://www.directadmin.com/features.php?id=1911

  11. #71
    Join Date
    Nov 2014
    Posts
    74


    The next version of DirectAdmin (already available in prerelease) will have this feature built in: https://www.directadmin.com/features.php?id=2019
    I've updated the first post with some more information and instructions on how to properly switch to the new built in version.

  12. #72
    Join Date
    Feb 2005
    Location
    The Netherlands
    Posts
    394
    Looks to be live now with the release of 1.52: https://www.directadmin.com/versions.php
    Last edited by tristan; 10-03-2017 at 07:48 AM. Reason: typo

  13. #73
    Join Date
    Jun 2004
    Posts
    330
    I have a DirectAdmin server I installed about a year ago on CentOS 7. It was an upgrade to a CentOS 5 or 6 machine. I have only done the yum updates to it. Is there a how-to on enabling signed SSL for email? It has many, many email accounts and iPhones etc. complain.

  14. #74
    Join Date
    Feb 2005
    Location
    The Netherlands
    Posts
    394
    I think SNI is already supported on CentOS 6 so you should be good when you're on CentOS 7. Also see:

    https://directadmin.com/features.php?id=1100

  15. #75
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    4,183
    There's a howto on the features page if you want it for mail:
    https://www.directadmin.com/features.php?id=2019
    Greetings, Richard.

  16. #76
    Join Date
    Jun 2018
    Posts
    6
    Hi,

    I followed the instructions in here https://www.directadmin.com/features.php?id=2019
    But it still does not work for me.
    The task `echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue` does not add anything to /etc/snidomains/ and/or to /etc/dovecot/conf/sni.


    I don't know if it is related but when I generate a new Let's Encrypt certificate at the DA SSL page, at the end of the log I see this message:

    Cannot find the dovecot_sni.conf template.

    After initial certificate creation in DA SSL page the /etc/snidomains/ was updated with the domain but the /etc/dovecot/conf/sni folder is still empty.

  17. #77
    Join Date
    Oct 2004
    Location
    A Coruña, Spain
    Posts
    6,786
    Have you restarted DirectAdmin after you set mail_sni=1?
    Have you tried to rewrite dovecot configuration? /usr/local/directadmin/custombuild/build dovecot_conf

    Best regards
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  18. #78
    Join Date
    Jan 2005
    Location
    Pennsylvania, U.S.
    Posts
    26
    Into my 15th year here on/with DA. I rarely post as I am not lazy and am willing to search 100's of posts to find what I need; I do not want to add unnecessary noise. But here I must go, making my first post in probably nine or ten years. I'm sorry to drag up an old thread, but this thread still seems like it is the appropriate place for me to post this.

    I am search/Googled whipped and weary. Trying to find my answer here at DA on my issue makes me feel as if I'm like a dog chasing its tail: Old answers that point to new answers that point to older answers that point to newer older answers that point to older older answers, etc., ad nauseam.

    End of bitch - Let's Begin: I have a current server on which I am running an older version of DA. (As background info - I am not going to update it for a while for my reasons). Three weeks ago, I added a new virgin box, installed with DA 1.55, to which I added three users for testing purposes. DNS is correct for all domains, including MX, PTRs, DKIM, etc. For the most part, all has gone well. Except: Exim and Dovecot. I cannot get Exim/Dovecot to pull the appropriate certificates for mail for the domains; only the server certificate is being used, whether inbound or outbound.

    Let's Encrypt certificates are installed for all users.

    DA conf contains value of mail_sni=1.

    Files /etc/virtual/snidomains, /etc/virtual/domainowners, and /etc/virtual/domains exist and contain all the proper information, owner/grp is mail, permissions 640 (rw-r).

    Folder /etc/dovecot/conf/sni/ lists all the domains (all owned by root, fwiw).

    All user certificate information seems to be in order in each /usr/local/directadmin/data/users/USERNAME/domains/.

    Exim and exim conf are the latest versions.

    My only change to exim.conf was to replace "tls_on_connect_ports = 465" with: tls_on_connect_ports = 465:587

    and to the file /etc/exim.variables.conf.custom, I added these lines:

    Code:
    auth_advertise_hosts = ${if or { {eq {$received_port}{465}} {eq {$received_port}{587}} } {*}{}}
    tls_certificate=${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}
    tls_privatekey=${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}
    message_size_limit=50M
    Even though the DA install was done only three weeks ago, I know I needed to use CB2: /usr/local/directadmin/custombuild/build exim and dovecot confs, which, of course, incorporated my custom variables into /etc/exim.variables.conf .

    Restart exim, restart dovecot. Nothing different.

    I am at my wit's end. I am asking for a simple yet detailed answer -> as of DA 1.55, just what does it take to get DA's versions of Exim/Dovecot to make use of the domain certificate and NOT the server certificate. It really should not be this hard. What have I missed? What am I missing? And rhetorically speaking, why isn't this a part of DA?

    Thanks in advance to any of you who help without clutter.

    Mike Brown
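    For anyone debugging the same symptom, here is an added example (not code from any post in this thread) that resolves which certificate and key file the tls_certificate / tls_privatekey lookups quoted above would pick for a given SNI name, and reports paths that do not exist on the host. It approximates Exim's nwildlsearch (caseless match, `^`-prefixed keys treated as regexes, `*` and `?` wildcards, first match wins) and uses a constructed sample of /etc/virtual/snidomains; replace it with the real file on a server.

```python
import fnmatch
import os
import re
DA_USERS = "/usr/local/directadmin/data/users"
SERVER_CERT, SERVER_KEY = "/etc/exim.cert", "/etc/exim.key"  # the lookup's {fail} branch
# Constructed sample of /etc/virtual/snidomains: "<sni-key>:<user>:<domain>" per line.
SAMPLE_SNIDOMAINS = """\
mail.example.org:alice:example.org
example.org:alice:example.org
*.shop.example.net:bob:shop.example.net
"""

def parse_snidomains(text):
    """lsearch-style split: key up to the first ':' or whitespace, rest is the value."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([^:\s]+)[:\s]+(.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def lookup(sni, entries):
    """Approximate nwildlsearch: caseless, '^' keys are regexes, '*'/'?' are wildcards."""
    for key, value in entries:
        if key.startswith("^"):
            if re.match(key, sni, re.IGNORECASE):
                return value
        elif fnmatch.fnmatch(sni.lower(), key.lower()):
            return value
    return None  # no match: Exim takes the {fail} branch (server certificate)

def cert_paths(sni, entries):
    """Mirror the two ${extract{N}{:}{$value}} expansions on a 'user:domain' value."""
    value = lookup(sni, entries)
    if value is None or ":" not in value:
        return SERVER_CERT, SERVER_KEY
    user, domain = value.split(":")[:2]
    base = os.path.join(DA_USERS, user, "domains", domain)
    return base + ".cert.combined", base + ".key"

def missing_files(sni, entries):
    """Resolved paths absent on this host; Exim fails TLS on these rather than falling back."""
    return [p for p in cert_paths(sni, entries) if not os.path.isfile(p)]

if __name__ == "__main__":
    entries = parse_snidomains(SAMPLE_SNIDOMAINS)
    for name in ("mail.example.org", "www.shop.example.net", "nomatch.invalid"):
        print(name, "->", cert_paths(name, entries), "missing:", missing_files(name, entries))
```

    An SNI name that resolves to the server certificate means the snidomains entry is missing; a resolved per-user path that is reported missing means the Let's Encrypt files were never written for that domain.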

  19. #79
    Join Date
    Oct 2004
    Location
    A Coruña, Spain
    Posts
    6,786
    Hi Mike,

    First things first, this is part of DA, otherwise you would have to go even more crazy, trust me

    Did you rewrite confs once you enabled mail_sni?

    First thing I would try is this:
    Code:
    sed -i "s/mail_sni=.*/mail_sni=1/" /usr/local/directadmin/conf/directadmin.conf
    service directadmin restart
    /usr/local/directadmin/custombuild/build set dovecot_conf yes
    /usr/local/directadmin/custombuild/build set eximconf_release 4.5
    /usr/local/directadmin/custombuild/build set eximconf yes
    /usr/local/directadmin/custombuild/build set blockcracking yes # THIS MIGHT BE NOT REALLY REQUIRED
    /usr/local/directadmin/custombuild/build set easy_spam_fighter yes # THIS MIGHT BE NOT REALLY REQUIRED
    /usr/local/directadmin/custombuild/build dovecot_conf
    /usr/local/directadmin/custombuild/build exim_conf
    /usr/local/directadmin/custombuild/build rewrite_confs
    I know it's not a simple and detailed answer, but really for those things, unless you have a crystal ball, it's quite impossible to know the problem without logging into the server

    One thing actually, make sure that the user-level domain (for each of those 3 users) has the SSL option enabled; I don't mean the user's account, but the domain configuration.

    Let me know

    Andrea
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  20. #80
    Join Date
    Jan 2005
    Location
    Pennsylvania, U.S.
    Posts
    26
    Wow. That was fast.

    Thanks, Andrea.

    :::::: am looking for salt and pepper to place upon the crow I am eating :::::::::

    Your answer was simple, detailed, and uncluttered. And it worked for me. I'm not sure what I missed, but that is immaterial now. Apparently I must have skipped one of your steps in my previous work. A self-inflicted error, but maybe someone else will benefit from these last posts.

    Now that that was solved (I have confirmed the EHLO), with the conf changes and restarts, I'm now getting SSL errors from mail being sent by an authorized user through Exim. From my Exim mainlog:

    TLS error on connection from bogus_IP [111.111.111.111] (SSL_CTX_use_PrivateKey_file file=/etc/exim.keydisable_ipv6=true): error:02001002:system library:fopen:No such file or directory

    I have ip6 disabled for now on the server... the fun never ends, does it? I am off to solve this current exim problem.

    In my opinion, "Simple yet Detailed" is not any oxymoron. Your quick and direct suggestion is proof.

    Many thanks again for taking your time for me.

    Mike Brown


    [My Edit: This last problem was also self inflicted. I had inadvertently deleted " disable_ipv6=true " from the conf files. Edit, add, restart. Voila! Problem solved. /Edit]
    Last edited by whitehat; 02-19-2019 at 05:19 PM. Reason: Added new information to last problem
