Email SSL problem

Well, your client receives from your server, while your server receives from the public. The public checks for MX records.

To clarify: Exim is used for receiving e-mails, both from the public and from your client. Dovecot is only used for letting clients read their mail from your server.

e.g. a gmail to your server:

- gmail.com uses MX to find your server
- Exim receives the e-mail, puts it in /home/$user/Maildir
- Client wants to know if there's new mail, asks Dovecot
- Dovecot checks /home/$user/Maildir, sends the e-mail to your client

e.g. a mail from your server to gmail:
- Client sends the e-mail to your Exim using SMTP
- Exim queries gmail's MX records to get Gmail's mail servers
- (In case you use IMAP, the client may also put the e-mail in Sent Items in the Maildir)
- Done

So your client contacts Exim for sending e-mails out; you need to configure a cert for that (SMTP). And you contact Dovecot for reading the mails; a cert for that too (IMAP/POP).

So your client is only talking to your server, and it only uses simple A records to resolve the name it connects to. MX is only something between mail servers.

So you can just configure the cert and name of your server.hostname.com in exim/dovecot and all customers should be able to connect to it. You can also use mail.server.hostname.com if you want, but it's only longer, and it would save you a certificate to just use the same name.
 
Have you figured this out yet, ditto?

Some key points:

Be sure you order a certificate which will work with mail servers (Dovecot and Exim); check with your certificate vendor.

Be sure to install your Certificates both into Exim and into Dovecot. There should be information in these forums; Google in forum.directadmin.com.

I don't use a subdomain; I create the CSR manually and do a manual installation, but you can create a subdomain for mail.example.com, where example.com is anything suitably generic which points to your server's main domain.

Jeff
 
@Arieh, Thanks! @nobaloney, Thanks! But I have not been able to work more on this yet, because my internet connection in my office has been broken, and I have been on a mobile phone connected to the internet, which is kind of a slow connection. But I will try to figure it all out, and if/when I do, I will post an update here later on.
 
[..] So you can just configure the cert and name of your server.hostname.com in exim/dovecot and all customers should be able to connect to it. You can also use mail.server.hostname.com if you want, but it's only longer, and it would save you a certificate to just use the same name.

Ok, this is what I want to do. I want my shared hosting servers to use my server.hostname.com (which is already set up with an SSL certificate for https). I am reading all these posts in this forum again. I am sure it is easy, but hard for me to get a hold of it. I am also looking here: http://wiki2.dovecot.org/SSL/DovecotConfiguration

If someone would be so kind and share what I need to change in /etc/exim.conf and /etc/dovecot/dovecot.conf and where to place my existing certificate, so that I can use my main server.hostname.com to give my clients SSL/TLS on a valid certificate when sending and receiving email in both POP and IMAP, that would be very kind. I don't expect the help, but I wanted to ask.

I find these interesting lines in /etc/exim.conf:

Line number 136 to 137:
Code:
daemon_smtp_ports = 25 : 587 : 465
tls_on_connect_ports = 465

Line number 297 to 302:
Code:
# SSL/TLS cert and key
tls_certificate = /etc/exim.cert
tls_privatekey = /etc/exim.key
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
tls_advertise_hosts = *
#auth_over_tls_hosts = *
 
Also when testing using the server hostname (server.hostname.com) as incoming POP server and outgoing SMTP server, I am not able to get that to work, and get an error like this in my email client:

Code:
The server responded: [AUTH] Authentication failed.

The only way to get email in my email client to work again is to change back to using mail.mydomain.com (mydomain.com is the domain name of the email account) in the POP and SMTP server address fields.

So even if I did manage to get the server host name certificate to work in exim/dovecot, I would not be able to use server.hostname.com as POP/IMAP and SMTP server, not without fixing the above first. I am sure it is easy when you know how to do all this, but I find it hard at the moment.
 
I just now also tried to use mail.server.hostname.com as POP and SMTP server in my mail client, but it gives the same Authentication failed error that I get when using only server.hostname.com - so it seems it is not possible to use anything else but mail.domain.com - but maybe I need to edit something in exim.conf and/or dovecot.conf to make that work, I don't know.
 
Both exim and dovecot are using /etc/exim.cert and /etc/exim.key by default. So if you just want to use one SSL domain on your server for mail, the easiest way is just to use these files for your private key and certificate. The default one is just a self-signed localhost cert.

The issues in this topic were related to multiple certificates to different IPs.

An easy way to test it is using http://www.digicert.com/help/ -- they accept input on port 465 (exim) and 993 (dovecot).

You can also use chain certificates in the .cert file. Just put them under each other. The order may be a bit unclear; the fastest way may be just trying them out using the tester (if you test, use 993, as I believe dovecot is more strict about it). In my cert file I have <domain cert><Secondary_Intermediate><Primary_Intermediate>

Also I recommend chmodding the .key file to 600. By default it is 644, but that way other users on the server might read the key.

p.s. in your client you have to enter the domain the cert is from, for both SMTP and POP/IMAP of course.
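The two checks from the post above (chain order in the .cert file, and the .key file not being readable by other users) can be scripted. What follows is an added example, not code from this thread or from DirectAdmin: it builds a throwaway root -> intermediate -> leaf chain with the openssl command-line tool (assumed to be installed), then verifies that each certificate in a bundle is issued by the one that follows it, which is the order a TLS server sends and what a strict IMAP client expects, and flags a key that is group- or world-readable. The chain and the file names are constructed test data.

```python
"""Validate a PEM bundle destined for /etc/exim.cert (leaf first, then each issuer
in turn) and the permissions on the matching key.  Requires the openssl CLI."""
import os
import re
import stat
import subprocess
import tempfile

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def _x509_name(pem, flag):
    """Subject or issuer of one PEM cert via `openssl x509 -noout -subject|-issuer`."""
    out = subprocess.run(["openssl", "x509", "-noout", flag], input=pem, text=True,
                         capture_output=True, check=True).stdout
    return out.split("=", 1)[1].strip()          # drop the 'subject='/'issuer=' prefix


def chain_order(bundle):
    """Return (ok, problems): ok when cert[i] was issued by cert[i+1] for every i."""
    certs = PEM_CERT.findall(bundle)
    if not certs:
        return False, ["bundle contains no certificates"]
    problems = []
    for i in range(len(certs) - 1):
        issuer = _x509_name(certs[i], "-issuer")
        nxt = _x509_name(certs[i + 1], "-subject")
        if issuer != nxt:
            problems.append(f"cert {i} issued by [{issuer}], but cert {i + 1} is [{nxt}]")
    return not problems, problems


def key_readable_by_others(path):
    """True if group or world can read the key (what the 644 default allows)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_test_chain(workdir):
    """Constructed test data: self-signed root -> intermediate -> leaf, EC P-256, valid one day."""
    def keyfile(name):
        p = os.path.join(workdir, name + ".key")
        _openssl("ecparam", "-genkey", "-name", "prime256v1", "-noout", "-out", p)
        return p

    def issue(name, cn, ca_crt, ca_key):
        k = keyfile(name)
        csr, crt = (os.path.join(workdir, name + ext) for ext in (".csr", ".crt"))
        _openssl("req", "-new", "-key", k, "-subj", f"/CN={cn}", "-out", csr)
        _openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
                 "-CAcreateserial", "-days", "1", "-out", crt)
        return crt, k

    root_key = keyfile("root")
    root_crt = os.path.join(workdir, "root.crt")
    _openssl("req", "-x509", "-new", "-key", root_key, "-subj", "/CN=Test Root CA",
             "-days", "1", "-out", root_crt)
    int_crt, int_key = issue("intermediate", "Test Intermediate CA", root_crt, root_key)
    leaf_crt, leaf_key = issue("leaf", "server.hostname.com", int_crt, int_key)
    read = lambda p: open(p).read()
    return {"leaf": read(leaf_crt), "intermediate": read(int_crt),
            "root": read(root_crt), "key": leaf_key}


def run_demo():
    """Check a correctly ordered bundle, a reversed one, and the key mode before/after chmod 600."""
    with tempfile.TemporaryDirectory() as work:
        c = make_test_chain(work)
        good = c["leaf"] + c["intermediate"] + c["root"]   # <domain cert><intermediate><root>
        bad = c["root"] + c["intermediate"] + c["leaf"]    # same certs, reversed
        exim_key = os.path.join(work, "exim.key")          # hypothetical stand-in for /etc/exim.key
        with open(c["key"]) as src, open(exim_key, "w") as dst:
            dst.write(src.read())
        os.chmod(exim_key, 0o644)
        readable_644 = key_readable_by_others(exim_key)
        os.chmod(exim_key, 0o600)
        readable_600 = key_readable_by_others(exim_key)
        return {"good_ok": chain_order(good)[0], "bad_ok": chain_order(bad)[0],
                "bad_problems": chain_order(bad)[1],
                "readable_644": readable_644, "readable_600": readable_600}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "=", v)
```

The order check is deliberately strict: it does not ask whether some valid path to a root exists (which `openssl verify` would accept regardless of file order) but whether the bundle, read top to bottom, is the chain the server will actually present.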
 
Maybe I should have started a new thread, if so, I am sorry.

I think I could get the certificate to work by adding my existing certificate and private key to /etc/exim.cert and /etc/exim.key - but as I said, when I change to use server.hostname.com in my email client, I get an Authentication failed error.

Should it work with my server.hostname.com out of the box (on DirectAdmin servers) in my mail client? Or do I need to add the server.hostname.com in exim.conf or dovecot.conf? Before I solve that problem, I will not be able to continue. I am confused. I can't believe it is so hard.
 
You don't have to add/change anything in the config files. Also not sure if you are adding a cert, but you need to replace it. Only put one cert in the file and one key. Or only multiple certs if they are chain certs.

If you have a cert of server.hostname.com then put that cert in exim.cert and its key in exim.key. Then use http://www.digicert.com/help/ and put server.hostname.com:465 and server.hostname.com:993 and also use those in the mail client.

I'm not sure about that authentication error; it doesn't seem to me that it is related to SSL. But maybe it is; right now it might be helpful to first verify the cert is functioning correctly using the tester.
 
Thank you, I have tested now. I replaced the content of /etc/exim.cert with the content I have in /etc/httpd/conf/ssl.crt/server.crt , and I replaced the content of /etc/exim.key with the content I have in /etc/httpd/conf/ssl.key/server.key

Then I restarted exim. Then I tested by using http://www.digicert.com/help/ - the first test of server.hostname.com:465 gives green on everything and at the bottom says: Congratulations! This certificate is correctly installed. But the test of server.hostname.com:993 gives green on everything except the last item, which is red and says this:

SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

I can provide the real server hostname if it helps?
 
Yes that's what I meant by the chain certs (and also that 993 would be more strict about it :))

If you are using the cert in httpd you probably also entered those chain certs in DA under ca root certificate?

look in DA there or in the file like

/usr/local/directadmin/data/users/da_user/domains/server.hostname.cacert

but again the order of those might be just the other way around for dovecot, just test it the checker will tell you if the chain is correct or broken.
 
Thanks a lot! First regarding the error in my mail client when using server.hostname.com, it was the mail client that was bugging me. I had to enter the password again in the mail client, and then suddenly it started working (so that was a bug in the mail client).

So now it seems to work!

Yes, I have this /usr/local/directadmin/data/users/da_user/domains/server.hostname.cacert I will try to add it like you said in previous post: <domain cert><Secondary_Intermediate><Primary_Intermediate> and then use the test tool again. Wow, I am so close now. :)
 
Hurray! It works! I now get "Congratulations! This certificate is correctly installed." on both server.hostname.com:993 and server.hostname.com:465 on http://www.digicert.com/help/ - and it also seems like it is working correctly in my mail client using TLS! So easy, yet so hard! :)

Now I will sit up all night long doing tests. Thanks a lot!
 
Good to hear.

Also about the chmod 644 on the .key file, it only has that chmod for proftpd (http://help.directadmin.com/item.php?id=245)

In my opinion that's not a good idea. I recommend chmodding the .key file to 600, and if you need it for proftpd, create a separate .key file for it. Otherwise users could see the private key, and that's not supposed to happen.
 
Yes, I did make a note of this when you posted it. I will change to 600 on /etc/exim.key file on all my servers. Again thank you!
 
Just a little follow up. After testing more, I am a little confused about what port numbers I should recommend my customers to use in their email clients, because most of the port numbers works just fine.

Currently when testing POP and SMTP both using TLS in the email client, for POP it works both on 995 and 110 (I think I should recommend them to use 995). For SMTP it works both on 587 and 465 with TLS in the mail client (I don't know which one I should recommend to my customers?).

Maybe this is getting a little too off topic for this thread. If so, I can start a new thread tomorrow after also testing IMAP.

Edit: I found this article to be very helpful regarding port numbers: https://www.fastmail.fm/help/technology_ssl_vs_tls_starttls.html
 
If I'm understanding you correctly:

TLS works on the same ports as you'd normally use. For outgoing email we ask our clients to use port 587 with plain-text authentication. For incoming email we ask our clients to use TLS on port 110 for POP3 or 143 for IMAP.

(If memory serves.)

Jeff
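The difference between the two families of ports discussed in the last two posts is when the TLS handshake happens: on 465/993/995 the connection is TLS from the first byte, while on 587/143/110 the session starts in cleartext and is upgraded with STARTTLS only if the server offers it, which is why a client must insist on the offer rather than quietly carry on (and authenticate) in the clear when it is missing. The following is an added example, not code from this thread or from Exim/Dovecot: a tiny SMTP-like server on loopback that speaks both styles, a client for each, and a simulated "STARTTLS stripped" server to show the downgrade case. It assumes the openssl command-line tool (1.1.1 or newer, for `-addext`) to mint a throwaway localhost certificate; host names and greetings are constructed.

```python
"""Implicit TLS (as on 465/993/995) versus STARTTLS (as on 587/143/110), played out
against a minimal local SMTP-like server.  Requires the openssl CLI for a test cert."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


class DowngradeError(Exception):
    """Raised when TLS is required but the server offered no STARTTLS."""


def _make_localhost_cert():
    """Constructed test cert: self-signed, SAN=localhost, one day valid."""
    d = tempfile.mkdtemp()
    crt, key = os.path.join(d, "server.crt"), os.path.join(d, "server.key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "ec", "-pkeyopt",
                    "ec_paramgen_curve:prime256v1", "-nodes", "-keyout", key, "-out", crt,
                    "-days", "1", "-subj", "/CN=localhost",
                    "-addext", "subjectAltName=DNS:localhost"],
                   check=True, capture_output=True)
    return crt, key


CERT, KEY = _make_localhost_cert()
SERVER_CTX = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
SERVER_CTX.load_cert_chain(CERT, KEY)
CLIENT_CTX = ssl.create_default_context(cafile=CERT)   # trust exactly this test cert


def _line(sock):
    """Read one CRLF line a byte at a time, so nothing is buffered across the TLS upgrade."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        b = sock.recv(1)
        if not b:
            break
        buf += b
    return bytes(buf).decode().rstrip("\r\n")


def _reply(sock):
    """Read a full SMTP reply; continuation lines carry '-' after the 3-digit code."""
    lines = [_line(sock)]
    while len(lines[-1]) > 3 and lines[-1][3] == "-":
        lines.append(_line(sock))
    return lines


def _serve(listener, mode, advertise):
    conn, _ = listener.accept()
    listener.close()
    if mode == "implicit":
        conn = SERVER_CTX.wrap_socket(conn, server_side=True)   # TLS before any protocol byte
    conn.sendall(b"220 test.local ESMTP\r\n")
    _line(conn)                                                 # EHLO
    caps = [b"250-test.local"]
    if mode == "starttls" and advertise:
        caps.append(b"250-STARTTLS")   # stripping this line is the classic downgrade
    caps.append(b"250 AUTH PLAIN")
    conn.sendall(b"\r\n".join(caps) + b"\r\n")
    if _line(conn).upper() == "STARTTLS":
        conn.sendall(b"220 Ready to start TLS\r\n")
        conn = SERVER_CTX.wrap_socket(conn, server_side=True)   # upgrade in place
        _line(conn)                                             # EHLO again, now encrypted
        conn.sendall(b"250 test.local\r\n")
        _line(conn)                                             # QUIT
    conn.sendall(b"221 Bye\r\n")
    conn.close()


def start_server(mode, advertise=True):
    """Serve one connection on an ephemeral loopback port; returns the port number."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve, args=(listener, mode, advertise), daemon=True).start()
    return listener.getsockname()[1]


def connect_implicit(port):
    """465/993/995 style: handshake first, so even the greeting is encrypted."""
    tls = CLIENT_CTX.wrap_socket(socket.create_connection(("127.0.0.1", port), timeout=5),
                                 server_hostname="localhost")
    greeting = _line(tls)
    tls.sendall(b"EHLO client.example\r\n")
    caps = _reply(tls)
    version = tls.version()
    tls.sendall(b"QUIT\r\n")
    _line(tls)
    tls.close()
    return {"tls": True, "version": version, "greeting": greeting, "caps": caps}


def connect_starttls(port, require_tls=True):
    """587/143/110 style: cleartext greeting and EHLO, then upgrade if STARTTLS is offered.
    With require_tls a missing offer aborts instead of continuing in the clear."""
    sock = socket.create_connection(("127.0.0.1", port), timeout=5)
    greeting = _line(sock)
    sock.sendall(b"EHLO client.example\r\n")
    caps = _reply(sock)
    offered = any(c.upper().endswith("STARTTLS") for c in caps)
    if offered:
        sock.sendall(b"STARTTLS\r\n")
        if not _line(sock).startswith("220"):
            raise RuntimeError("server refused STARTTLS")
        sock = CLIENT_CTX.wrap_socket(sock, server_hostname="localhost")
        sock.sendall(b"EHLO client.example\r\n")
        caps = _reply(sock)
    elif require_tls:
        sock.sendall(b"QUIT\r\n")
        sock.close()
        raise DowngradeError("STARTTLS not offered; refusing to continue in cleartext")
    version = sock.version() if offered else None
    sock.sendall(b"QUIT\r\n")
    _line(sock)
    sock.close()
    return {"tls": offered, "version": version, "greeting": greeting, "caps": caps}


if __name__ == "__main__":
    print("implicit:", connect_implicit(start_server("implicit")))
    print("starttls:", connect_starttls(start_server("starttls")))
    try:
        connect_starttls(start_server("starttls", advertise=False))
    except DowngradeError as e:
        print("stripped:", e)
```

Mapped back to a real mail client: the "SSL/TLS" setting on 465/993/995 is `connect_implicit`, the "STARTTLS" setting on 587/143/110 is `connect_starttls` with `require_tls=True`, and a client configured for "STARTTLS if available" behaves like `require_tls=False`, which is the setting to avoid when recommending ports to customers.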
 
Exim, instead of the exim.cert/key:
Code:
tls_certificate = /etc/$received_ip_address.cert
tls_privatekey = /etc/$received_ip_address.key
So you would have /etc/ip.address.here.cert/key (you need to make/copy certs for all IPs in use, with the domain they represent)

Dovecot:
Code:
ssl_cert = </etc/httpd/conf/ssl.crt/server.crt
ssl_key = </etc/httpd/conf/ssl.key/server.key

local domain.tld {
  ssl_cert = </etc/123.123.123.123.cert
  ssl_key = </etc/123.123.123.123.key
}

local 123.123.123.123 {
  ssl_cert = </etc/123.123.123.123.cert
  ssl_key = </etc/123.123.123.123.key
}

This is a solution that sounds great for me. But I still have a question.

In dovecot the IP is checked; if it is not one of the IPs that is configured, it will look at /etc/httpd/conf/ssl.crt/server.crt and key.
But if /etc/123.123.123.123.cert doesn't exist, it will do nothing? Is it possible to refer to the main certificate when there is no /etc/123.123.123.123.cert available?
 
I don't know how dovecot will react. But I wonder why you want it like that? Because you have configured the cert/key files, so at that moment you could check whether it should be configured like that (yourself, or programmatically if you are working with that).

If you asked the question for Exim I can understand, since it uses a $var in the config file. I also don't know how Exim reacts to that situation.

I would just make certs or symlinks for all IP addresses / certs configured, or if you don't want that you can test around. I doubt you can do an if/else thing in a config file.
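The "make certs or symlinks for all IP addresses" suggestion above can be automated, which also answers the earlier worry about what happens when /etc/<ip>.cert does not exist: the script below makes sure every listening IP has a .cert and .key (symlinked to the default exim.cert/exim.key when absent, so `$received_ip_address` never resolves to a missing file) and then checks that each cert and key actually belong together, since a half-provisioned IP (cert present, key missing) would otherwise silently get the wrong key. This is an added example, not code from this thread or from DirectAdmin; it requires the openssl command-line tool, runs in a temporary directory standing in for /etc, and the IP addresses and host names are constructed.

```python
"""Provision the per-IP files behind `tls_certificate = /etc/$received_ip_address.cert`:
every listening IP gets a .cert/.key, missing ones fall back to the default pair via
symlink, and each pair is checked for a cert/key match.  Requires the openssl CLI."""
import os
import subprocess
import tempfile


def _openssl(*args):
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout


def gen_selfsigned(cert, key, cn):
    """Constructed test material: throwaway self-signed EC cert for `cn`, valid one day."""
    _openssl("req", "-x509", "-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1",
             "-nodes", "-keyout", key, "-out", cert, "-days", "1", "-subj", f"/CN={cn}")


def cert_matches_key(cert, key):
    """Compare the public key inside the cert with the one derived from the private key."""
    return _openssl("x509", "-in", cert, "-noout", "-pubkey") == _openssl("pkey", "-in", key, "-pubout")


def provision(etc_dir, ips, default_cert="exim.cert", default_key="exim.key"):
    """Ensure <etc_dir>/<ip>.cert and <ip>.key exist for every IP.  Missing files become
    symlinks to the default pair.  Returns, per IP, which extensions were symlinked and
    whether the resulting cert and key belong together."""
    report = {}
    for ip in ips:
        entry = {"fallback": [], "match": None}
        for ext, default in ((".cert", default_cert), (".key", default_key)):
            path = os.path.join(etc_dir, ip + ext)
            if not os.path.lexists(path):
                os.symlink(os.path.join(etc_dir, default), path)
                entry["fallback"].append(ext)
        entry["match"] = cert_matches_key(os.path.join(etc_dir, ip + ".cert"),
                                          os.path.join(etc_dir, ip + ".key"))
        report[ip] = entry
    return report


def run_demo():
    """Constructed scenario: .10 has its own pair, .11 has a cert but its key file is
    missing, .12 has nothing.  IPs are from the documentation range, not real servers."""
    etc = tempfile.mkdtemp()                    # stands in for /etc
    p = lambda name: os.path.join(etc, name)
    gen_selfsigned(p("exim.cert"), p("exim.key"), "server.hostname.com")
    gen_selfsigned(p("198.51.100.10.cert"), p("198.51.100.10.key"), "mail.customer-a.example")
    gen_selfsigned(p("198.51.100.11.cert"), p("orphan.key"), "mail.customer-b.example")
    return provision(etc, ["198.51.100.10", "198.51.100.11", "198.51.100.12"])


if __name__ == "__main__":
    for ip, e in run_demo().items():
        print(ip, "symlinked:", e["fallback"] or "none", "cert/key match:", e["match"])
```

The `match` flag is the part worth keeping in a cron job: a mismatched pair makes Exim fail the TLS handshake on that IP only, which shows up as customers on one address complaining while the rest of the server looks healthy.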
 