mail_sni feature TLS/SSL connection issues - new email settings required?

Vibe (Verified User, joined Aug 3, 2005, 124 messages)
Hello!

I was hoping that someone might be able to point me in the right direction as I have been unsuccessful in finding information in the forum or through Google. My "issue" may also be the result of my inexperience with how the mail_sni feature is supposed to work.

Today I took the jump and enabled the mail_sni feature on my server. My goal is to allow users to configure their email (PC's, Mobile devices, Macs etc.) without having to use the host server name for SSL/TLS connections - e.g. use mail.domain.com vs server.mydomain.com. I followed the instructions at https://www.directadmin.com/features.php?id=2019. My exim.conf version went from v2.1.1 to v4.5.8. I am not currently using the advanced spam features.

After the upgrade I configured an SSL certificate using Let's Encrypt through DA, and selected the option to include "mail.domain.com" in addition to the default www.domain.com. DA showed that three certificates were generated correctly (mail.domain.com, domain.com and www.domain.com).

After all was completed I tested connectivity through Outlook by changing the incoming and outgoing server settings to "mail.domain.com", which were previously set to use the host server over ports 993 and 465, both using SSL.

Now I am finding some differences in the way Outlook is able to connect using SSL/TLS which I was not expecting and am not certain if this is correct. Here is what I am finding:


1. Outlook can only connect to port 465 using SSL with SMTP authentication (* is this new?).
2. Outlook can only connect to port 587 using TLS with SMTP authentication (* as expected).

I have been testing this and have a feeling my questions are due to inexperience. :) Can anyone share some insight regarding the following?

1.) SMTP authentication appears to be a requirement for Port 465 in Outlook (but not Android or iOS) when using mail_sni - (e.g. when connecting to either mail.domain.com or the host server) - is this correct?

2.) On Android, I presume due to the certificate chain, connecting to mail.domain.com requires "accepting all certificates" whereas connecting to the host server does not - is this correct?

3.) I am also receiving excessive resource notifications from my installation of CSF regarding the processing time for /usr/libexec/dovecot/lmtp. I can disable these, however, I never received them before the upgrade. Have others experienced the same?

4.) Does the following warning still apply after implementing the mail_sni feature (e.g. after CustomBuild upgraded exim.conf from v2.1.1 to v4.5.8)? I am not using the advanced spam features:

Code:
WARNING! Do NOT use the Exim configuration file coverred by this ReadMe
file unless you make the required modifications to your Exim configuration
following the instructions in this ReadMe file.

Again, my apologies for the long post. I greatly appreciate any insight!

Thank you!
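A check for question 2 in the post above (Android asking to "accept all certificates" for mail.domain.com but not for the host name): this added Python script, which is not from the thread or from DirectAdmin, connects to the mail server on an implicit-TLS port (465 or 993) sending a chosen SNI name, and reports whether the default trust store accepts the presented chain and whether the returned certificate's SAN list actually covers that name. Host, port and domain names are placeholders to replace with your own.

```python
import socket
import ssl
import sys
from typing import Dict, List

def san_dns_names(cert: Dict) -> List[str]:
    """DNS entries from the dict that SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(cert: Dict, hostname: str) -> bool:
    """True if hostname is covered by a SAN entry (exact, or single-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names(cert):
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def probe(host: str, port: int, server_name: str, timeout: float = 10.0) -> Dict:
    """Handshake with server_name as SNI and report what the server presented.

    chain_trusted=False means the default CA store rejected the chain (for example a
    missing Let's Encrypt intermediate); that is what a phone surfaces as a prompt to
    accept the certificate. name_matches=False with chain_trusted=True means SNI is
    not selecting the per-domain certificate (the host server's cert came back).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report the mismatch ourselves instead of raising on it
    result = {"server_name": server_name, "chain_trusted": False,
              "dns_names": [], "name_matches": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # chain rejected by the trust store
        result["error"] = str(exc)
        return result
    except OSError as exc:  # connection refused, timeout, protocol error
        result["error"] = str(exc)
        return result
    result["chain_trusted"] = True
    result["dns_names"] = san_dns_names(cert)
    result["name_matches"] = name_matches(cert, server_name)
    return result

if __name__ == "__main__":  # usage: probe.py mail.domain.com 465 [sni-name]
    host, port = sys.argv[1], int(sys.argv[2])
    print(probe(host, port, sys.argv[3] if len(sys.argv) > 3 else host))
```

Run it twice, once with the host server's name and once with mail.domain.com as the SNI name, and compare dns_names in the two results.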
Hello,

SMTP auth is obligatory with exim.conf 4.5.

The /usr/libexec/dovecot/lmtp should be added into /etc/csf/csf.pignore.
Hi Alex,

Thanks so much for the information - I greatly appreciate it. I had a feeling that SMTP auth was now obligatory. However, I was surprised when Android could connect with or without it over Port 465, yet Outlook required it. This is good to know for when I start moving users over to the new system.

Thanks again!
Am I right that you have to add /usr/libexec/dovecot/lmtp in csf.pignore instead of csf.ignore?
That is exactly right. In my /etc/csf/csf.pignore I added the following (based on the notifications I was receiving):

exe:/usr/libexec/dovecot/lmtp
cmd:dovecot/lmtp [local READY]