Email SSL problem

It does work, because it is how I'm using it :) You, however, need dovecot version 2.x; if you have 1.x this won't work.

If you are using 2.x, then check logs or paste the config lines.
 
I believe only 2.x is maintained at the moment so you could just update it through custombuild,

cd /usr/local/directadmin/custombuild
see in options.conf if dovecot is set to yes
./build update
./build versions
see if it says dovecot is available to update to 2.x
./build dovecot

Make a backup of your config file in case something goes wrong
Also I'm pretty sure it'll get you the new config file for 2.x, if not here it is: http://files.directadmin.com/services/custombuild/dovecot.conf.2.0
 
I'm a bit confused about this. Do you need to issue the Certificate for the IP# for this to work?

Jeff
 
No you can just put the domain cert in the .cert file, which is only named after the IP address you've chosen to bind to it, just like on http you need an IP address. For dovecot it isn't really necessary as you can specify the filename easily, for exim you have the variable $received_ip_address -- used as $received_ip_address.cert.

Edit: as for the dovecot and both domain+IP specification,

http://wiki2.dovecot.org/SSL/DovecotConfiguration -- local domain.tld is using SNI whereas using the local x.x.x.x is not, I guess the IP only will suffice if you decide to reserve an IP address for a cert anyway, but SNI is the direction we're heading anyway. Having both configured won't hurt I assume.
 
I have several dovecot.conf files. I am using custombuild 1.2, and here are all my dovecot.conf files:

/etc/dovecot.conf
/etc/dovecot/dovecot.conf
/usr/local/directadmin/custombuild/dovecot.conf
/usr/local/directadmin/custombuild/configure/dovecot/dovecot.conf
/usr/share/doc/dovecot/example-config/dovecot.conf
/var/run/dovecot/dovecot.conf
 
/etc/dovecot.conf is most likely the one being used (you can verify this by looking in /etc/init.d/dovecot).
 
Still not working. Wondering if perhaps it's a permissions problem. What permissions do you have? I will play again with it tonight late.
 
I never got this working. Thanks for the info though. I'll give it another try in a few days.
 
When I use this, am I supposed to configure my mail client to use the IP address or domain (i.e. mail.example.com)?

Exim, instead of the exim.cert/key:

Code:
tls_certificate = /etc/$received_ip_address.cert
tls_privatekey = /etc/$received_ip_address.key

So you would have /etc/ip.address.here.cert/key (you need to make/copy certs for all IPs in use with the domain they represent)

Dovecot:

Code:
ssl_cert = </etc/httpd/conf/ssl.crt/server.crt
ssl_key = </etc/httpd/conf/ssl.key/server.key
local domain.tld {
  ssl_cert = </etc/123.123.123.123.cert
  ssl_key = </etc/123.123.123.123.key
}
local 123.123.123.123 {
  ssl_cert = </etc/123.123.123.123.cert
  ssl_key = </etc/123.123.123.123.key
}
 
Upon further checking, I am even more confused. Do I need to do both EXIM and dovecot? I have both EXIM (spamblocker 4.1 (thanks Jeff!!)) and dovecot. It takes the cert from the IP address, but the dovecot edit doesn't seem to do anything (unless I am missing something).
 
You need dovecot when accessing pop3/imap in clients (e.g. outlook), so that's for reading incoming mail. Exim is used for both sending and receiving the mail from public, dovecot is only to read it from your server to users with pop3/imap clients.

I've just tested again by adding another ip/domain and it works. On a side note, if you query an unconfigured IP/domain it will serve the default ssl_cert/key, and if you configure the ip/domain it will serve the configured one.

To summarize:
- Need dovecot 2
- After you make a change in the config, restart dovecot
- You can use both
Code:
local ip.address.here {
and
Code:
local domain.tld {

To specify the same cert and key files.

- You can check which cert is being served with
Code:
openssl s_client -connect ip.address.here:993
or
openssl s_client -connect domain.tld:993

Here is my file (I changed the IP addresses and domains obviously)

Code:
## Dovecot 2.0 configuration file

ssl_cert = </etc/httpd/conf/ssl.crt/server.crt
ssl_key = </etc/httpd/conf/ssl.key/server.key

local somedomain.tld {
  ssl_cert = </etc/1.2.3.4.cert
  ssl_key = </etc/1.2.3.4.key
}
local 1.2.3.4 {
  ssl_cert = </etc/1.2.3.4.cert
  ssl_key = </etc/1.2.3.4.key
}


local otherdomain.tld {
  ssl_cert = </etc/11.12.13.14.cert
  ssl_key = </etc/11.12.13.14.key
}
local 11.12.13.14 {
  ssl_cert = </etc/11.12.13.14.cert
  ssl_key = </etc/11.12.13.14.key
}
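The `local` blocks above are easy to get wrong by hand (the one-line form earlier in the thread is a good example), so here is a small checker I wrote for this thread, not part of DirectAdmin or Dovecot: it parses the `ssl_cert`/`ssl_key` settings out of a Dovecot 2.x config (global defaults plus every `local` block, squashed or multi-line), and flags blocks that are missing a cert or key, or hostname blocks that rely on SNI alone with no IP-bound block serving the same cert (the sample config text is constructed).

```python
import re
from ipaddress import ip_address

# Constructed sample in the shape of a Dovecot 2.x dovecot.conf: global default,
# one domain+IP pair written on a single line, and one incomplete domain block.
SAMPLE_CONF = """\
## Dovecot 2.0 configuration file
ssl_cert = </etc/httpd/conf/ssl.crt/server.crt
ssl_key = </etc/httpd/conf/ssl.key/server.key
local somedomain.tld { ssl_cert = </etc/1.2.3.4.cert ssl_key = </etc/1.2.3.4.key}local 1.2.3.4 { ssl_cert = </etc/1.2.3.4.cert ssl_key = </etc/1.2.3.4.key}
local otherdomain.tld {
  ssl_cert = </etc/11.12.13.14.cert
}
"""

# "ssl_cert = </path" : the leading "<" means "read the file", the path ends at whitespace or a brace
SETTING = re.compile(r"(ssl_cert|ssl_key)\s*=\s*<?([^\s{}]+)")
LOCAL = re.compile(r"\blocal\s+([^\s{]+)\s*\{([^}]*)\}")

def is_ip(name):
    try:
        ip_address(name)
        return True
    except ValueError:
        return False

def parse_ssl_map(text):
    """Return {"default": {...}, "<ip or hostname>": {...}} of ssl_cert/ssl_key paths."""
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # drop comments
    blocks = {}
    def grab(match):                       # record each local block, blank it out of the text
        blocks[match.group(1)] = dict(SETTING.findall(match.group(2)))
        return " "
    remainder = LOCAL.sub(grab, text)      # what is left holds only the global settings
    result = {"default": dict(SETTING.findall(remainder))}
    result.update(blocks)
    return result

def audit(ssl_map):
    """Problems to fix before restarting dovecot (missing settings, SNI-only hostnames)."""
    problems = []
    for name, settings in ssl_map.items():
        for key in ("ssl_cert", "ssl_key"):
            if key not in settings:
                problems.append(f"{name}: missing {key}")
    names = set(ssl_map) - {"default"}
    for name in names:
        if is_ip(name):
            continue                       # IP-bound block, no SNI needed
        cert = ssl_map[name].get("ssl_cert")
        # A hostname block only matches clients that send SNI; without an IP-bound block
        # using the same cert, other clients fall back to the default cert.
        if not any(ssl_map[n].get("ssl_cert") == cert for n in names if is_ip(n)):
            problems.append(f"{name}: SNI-only, no IP-bound local block serves the same cert")
    return problems
```

Run `audit(parse_ssl_map(open("/etc/dovecot.conf").read()))` on the file your init script actually points at; an empty list means every block has both a cert and a key and every hostname has an IP-bound twin.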
 
OOOOOOOOOHHHHHHHHH!!!

Now I get it, and I got it working! Thank you SO much!

Been playing with it now that I have it working and decided to modify it a little. I went with a symbolic link to the cert generated by the DA SSL page and made a self-signed cert using DA. Used *.example.com for the Common Name, and then installed that cert to my workstation. No errors.

Man I love it when the light goes on in my head!
 
So, with my use of symbolic links I just realized that incoming works, but not outgoing. I narrowed it down to permissions on the example.com.key file in /usr/local/directadmin/data/users/user/domains/example.com.key

It defaults to 600 but needs at least 604. I'm thinking of changing the default group of dovecot from "mail" or "dovecot" to "diradmin". However, I don't know the security ramifications of that. If it makes a security hole I'll just go back to copying the certs and setting the permissions as Arieh suggested.
 
If you want your customers to use one SSL cert, then as you've already been told, you need to use one hostname for all of your customers; it would mean using something like the following:

hostname.yourcompany.com as POP/IMAP/SMTP hostname, instead of using

mail.client-domain.com
mail.client2-domain.net

etc.

and in this case you should have a valid SSL cert for hostname.yourcompany.com.

I am having this situation now. I already have many clients and many hundred domains in client accounts. It is shared hosting. I am still using default self-signed certificates for clients' email. However, I would like to use a real certificate.

But of course I have all these clients and many hundred domains, which are all set up with mail.clientowndomain.com for pop/imap/smtp, and they all have MX 10 mail.clientowndomain.com in DNS; in the MX records page it is the default like this:

mail MX 10

I now understand this default setup in DirectAdmin was a mistake to use from the beginning? Or can I just tell my clients to use mail.server.hostname.com in email clients for smtp/pop/imap? It should work? And then I can install a certificate on mail.server.hostname.com?

I really am not sure about how to do this the best way on a shared hosting server with many domains. Any advice for this setup is most welcome.
 
You can just let your clients use one (sub)domain to log in to pop/imap/smtp, just like you can log into directadmin through all domains. No need to change any DNS records, definitely no MX records, as those are for incoming email and this all is only about outgoing or reading from your own server. Also, if you already have a cert for a domain e.g. mycompany.tld then you can also use that if it's on the same server; it's all about the IP address it connects to, not the hostname.
 
Thank you. But now I am really confused. If I tick in my email client that it should use "Secure connection (TLS)" for both pop and smtp, then it would need to be a valid certificate for both outgoing and incoming email, not only for incoming?

I am still confused about the rest of this, and your answer. What sub domain would you recommend for this then, and how would I add it to all existing domains/accounts DNS?

Would it not be better to tell my clients to use mail.server.hostname.com for the pop/imap/smtp address, and register a certificate on mail.server.hostname.com?

However, after looking for it for several years, hoping there would be posted a good guide for this, and also searching, I have still not found a good and simple guide for a best way to provide secure email on shared hosting.

Yes, I already run DirectAdmin, phpmyadmin, and roundcube on an SSL certificate on server.hostname.com. The only thing I still miss is to offer the same for clients' email on pop/imap/smtp, which I still only offer on a self-signed certificate.

My head is burning. Time out.
 