Scripts for Exim SNI with a (Let's Encrypt) user certificate

Vaporizer

Scripts for Exim and Dovecot SNI with a (Let's Encrypt) user certificate

------DEPRECATED------
Starting with DirectAdmin version 1.515 this script is built into DirectAdmin itself (https://www.directadmin.com/features.php?id=2019).
If you've used my version of the script you need to clean up some files to prevent conflicts after you upgrade DirectAdmin to version 1.515 or later:
  • In /usr/local/directadmin/conf/directadmin.conf add mail_sni=1 (assuming you want to use this feature) and remove dovecot_sni= and exim_sni= if these are present.
  • In /etc/exim.variables.conf.custom remove the tls_certificate= and tls_privatekey= variables.
  • In /usr/local/directadmin/scripts/custom/ remove the following files (or the changes made in them): domain_change_post.sh, domain_destroy_post.sh, domain_modify_post.sh, letsencrypt_post.sh, ssl_save_post.sh, user_destroy_pre.sh, mail_sni.sh
  • Remove all 95-<domainname>.conf files from /etc/dovecot/conf.d/ (rm -f /etc/dovecot/conf.d/95-*.conf)
  • Rebuild exim_conf (/usr/local/directadmin/custombuild/build exim_conf)
  • Rebuild dovecot_conf (/usr/local/directadmin/custombuild/build dovecot_conf)
  • Rewrite all exim and dovecot sni configs (echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue)

------ORIGINAL POST------
I've noticed several people are looking for a way to use their (Let's Encrypt) certificates in conjunction with Exim and Dovecot. So I thought I would share some of the scripts we've been using for some time now. These automatically create and update the mail configs for your domains and pointers/aliases, and should work with any regular, letsencrypt or wildcard certificates.

A few notes to take into account:
  • This was made on CentOS 7.2 for our own specific requirements, so feel free to modify it to serve yours.
  • DirectAdmin recently added their own implementation for creating the Dovecot files in their latest prerelease (https://www.directadmin.com/features.php?id=1889). You can use both this script and the prerelease without any conflict as it automatically detects if you have the prerelease options enabled or not.
  • The script chmods the actual certificate and key files to 644 so Exim can directly read them. If this is too insecure for you, you can change it to copy the files to /etc/virtual/<domainname>/mail.key and chown them to mail:mail (don't forget to change the Exim config accordingly).
  • I've simplified the script by always creating a .cert.combined file, even if you don't use a cacert. The .cert.combined file will in that case just contain the certificate itself.
  • In order to find the correct subdomains the script reads the certificate and then updates the mail config only if it finds the preconfigured subdomains; otherwise the config is removed. By default these are mail or smtp for Exim and mail, imap or pop for Dovecot. The domain itself is always included, and wildcard certificates automatically include all the preconfigured subdomains. You can change these on lines 6 and 7 of mail_sni.sh

First run /usr/local/directadmin/custombuild/build exim to make sure you are using the latest Exim version and then modify the /etc/exim.variables.conf.custom file to include the following code. After saving the file run /usr/local/directadmin/custombuild/build exim_conf to rebuild your Exim config so the changes are merged.
Code:
tls_certificate=${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}
tls_privatekey=${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}
Or use the following if you want more fallback to the default certificate if certain files are missing or removed.
Code:
tls_certificate=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}}{/etc/exim.cert}}}{/etc/exim.cert}}
tls_privatekey=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}}{/etc/exim.key}}}{/etc/exim.key}}

Now place all of the following scripts in /usr/local/directadmin/scripts/custom/ and run /usr/local/directadmin/directadmin p afterwards to set the correct permissions. Windows users should also make sure to use Unix line endings before uploading these files.

domain_change_post.sh
Code:
#!/bin/bash
#update mail SNI configs when changing the domain name
#bash is required: the script uses [[ ]] tests
if [[ "${newdomain}" != "${domain}" && "${ssl}" = "ON" ]]; then
	/usr/local/directadmin/scripts/custom/mail_sni.sh "disable" "${username}" "${domain}"
	/usr/local/directadmin/scripts/custom/mail_sni.sh "enable" "${username}" "${newdomain}"
elif [[ "${ssl}" = "OFF" ]]; then
	#this shouldn't be required, but just to be sure
	/usr/local/directadmin/scripts/custom/mail_sni.sh "disable" "${username}" "${domain}"
	/usr/local/directadmin/scripts/custom/mail_sni.sh "disable" "${username}" "${newdomain}"
fi
exit 0;
domain_destroy_post.sh
Code:
#!/bin/sh
#remove mail SNI configs when removing a domainname
/usr/local/directadmin/scripts/custom/mail_sni.sh "disable" "${username}" "${domain}"
exit 0;
domain_modify_post.sh
Code:
#!/bin/sh
#enable or disable mail SNI configs based on the current SSL setting
#${ssl} is quoted so an unset variable doesn't break the test
if [ "${ssl}" = "ON" ]; then
	/usr/local/directadmin/scripts/custom/mail_sni.sh "enable" "${username}" "${domain}"
else
	/usr/local/directadmin/scripts/custom/mail_sni.sh "disable" "${username}" "${domain}"
fi
exit 0;
letsencrypt_post.sh
Code:
#!/bin/bash
#enable or disable mail SNI configs when using letsencrypt
#bash is required: the script uses [[ ]] tests
if [[ "${action}" = "renew" ]]; then
	/usr/local/directadmin/scripts/custom/mail_sni.sh "enable" "${username}" "${domain}"
#do nothing for action=request, the domainconfig file isn't updated at this point, instead have ssl_save_post.sh handle this case
elif [[ "${action}" = "request" ]]; then
	:
else
	/usr/local/directadmin/scripts/custom/mail_sni.sh "disable" "${username}" "${domain}"
fi
exit 0;
ssl_save_post.sh
Code:
#!/bin/bash
#enable or disable mail SNI configs based on user input
#bash is required: the script uses [[ ]] tests
if [[ ("${type}" = "create" && ("${request}" = "no" || "${request}" = "letsencrypt")) || "${type}" = "paste" || "${type}" = "cacert" ]]; then
	/usr/local/directadmin/scripts/custom/mail_sni.sh "enable" "${username}" "${domain}"
else
	/usr/local/directadmin/scripts/custom/mail_sni.sh "disable" "${username}" "${domain}"
fi
exit 0;
user_destroy_pre.sh
Code:
#!/bin/sh
#disable mail SNI configs for all domains when removing the user
#read the domain list directly instead of piping cat into the loop
while read -r userdomain; do
	/usr/local/directadmin/scripts/custom/mail_sni.sh "disable" "${username}" "${userdomain}"
done < "/usr/local/directadmin/data/users/${username}/domains.list"
exit 0;
mail_sni.sh
Code:
#!/bin/bash
#mail_sni.sh - version 1.2.1
#bash is required: the script uses arrays, [[ ]] tests and here-strings

#setup subdomains to use for Exim and Dovecot
#domain.tld and *.domain.tld will always be used
EXIM_SUBDOMAINS=(mail smtp)
DOVECOT_SUBDOMAINS=(mail imap pop)

#retrieve arguments
ACTION=$1
USERNAME=$2
MAINDOMAIN=$3
#for some reason pcregrep can't be found when called from letsencrypt_post.sh
PCREGREP_BIN="/usr/local/bin/pcregrep"
#check if Dovecot or Exim SNI is already enabled in DA
DOVECOT_SNI=`grep -m1 -e '^dovecot_sni=' "/usr/local/directadmin/conf/directadmin.conf" | cut -d= -f2`
EXIM_SNI=`grep -m1 -e '^exim_sni=' "/usr/local/directadmin/conf/directadmin.conf" | cut -d= -f2`
if [[ ${EXIM_SNI} = 1 ]] && [[ ${DOVECOT_SNI} = 1 ]]; then exit 0; fi
#config files
DOMAIN_CONF="/usr/local/directadmin/data/users/${USERNAME}/domains/${MAINDOMAIN}.conf"
POINTERS_CONF="/usr/local/directadmin/data/users/${USERNAME}/domains/${MAINDOMAIN}.pointers"
DOVECOT_CONF="/etc/dovecot/conf.d/95-${MAINDOMAIN}.conf"
SNIDOMAINS_CONF="/etc/virtual/snidomains"
touch ${SNIDOMAINS_CONF}
chown mail:mail ${SNIDOMAINS_CONF}

#get pointers and aliases for the domain
DOMAINS="${MAINDOMAIN}"
if [[ -s ${POINTERS_CONF} ]]; then
  DOMAINS="${DOMAINS} `cat ${POINTERS_CONF} | $PCREGREP_BIN -o1 \"(.*)=\"`"
  set -f; DOMAINS=($DOMAINS); set +f
fi

if [[ ${ACTION} = "enable" ]]; then
  #remove any previous config so we have a fresh start
  if [[ ${EXIM_SNI} != 1 ]]; then
    sed -i "/^.*:${USERNAME}:${MAINDOMAIN}$/d" ${SNIDOMAINS_CONF}
  fi
  if [[ ${DOVECOT_SNI} != 1 ]]; then
    rm -f ${DOVECOT_CONF}
  fi
  
  #get variables from the domain's config file
  SSL=`grep -m1 -e '^ssl=' ${DOMAIN_CONF} | cut -d= -f2`
  CERT=`grep -m1 -e '^SSLCertificateFile=' ${DOMAIN_CONF} | cut -d= -f2`
  KEY=`grep -m1 -e '^SSLCertificateKeyFile=' ${DOMAIN_CONF} | cut -d= -f2`
  CACERT=`grep -m1 -e '^SSLCACertificateFile=' ${DOMAIN_CONF} | cut -d= -f2`
  
  #make sure required files are in place and SSL is turned on
  if [[ ${SSL} = "ON" && (! -z ${CERT}) && (! -z ${KEY}) && (-s ${CERT}) && (-s ${KEY}) ]]; then
    #create cert.combined file if it isn't being used
    #quote the variable: an unquoted empty ${CACERT} leaves "[ -z ]" with no operand
    if [ -z "${CACERT}" ]; then
      cp -f "${CERT}" "${CERT}.combined"
    fi
    #chmod certificate and key so Exim can access them
    chmod 644 "${CERT}.combined" "${KEY}"
    
    #get all subject names directly from the certificate
    SUBJECTNAMES="`openssl x509 -text -in \"${CERT}\" | sed -nr '/^ {12}X509v3 Subject Alternative Name/{n;s/^ *//p}'`"
    for DOMAIN in "${DOMAINS[@]}"; do
      RESULT=false
      #check if the domain itself is present as a subjectname
      if [[ "$($PCREGREP_BIN -o1 "DNS:(\Q${DOMAIN}\E)" <<< "${SUBJECTNAMES}")" = "${DOMAIN}" ]]; then
        #write Exim config
        if [[ ${EXIM_SNI} != 1 ]]; then
          echo "${DOMAIN}:${USERNAME}:${MAINDOMAIN}" >> ${SNIDOMAINS_CONF}
        fi
        #write Dovecot config
        if [[ ${DOVECOT_SNI} != 1 ]]; then
          echo -e "local_name ${DOMAIN} {\n\tssl_cert = <${CERT}.combined\n\tssl_key = <${KEY}\n}" >> ${DOVECOT_CONF}
        fi
        RESULT=true
      fi
      #get valid subdomains for the current domain
      #set -f is used to prevent globbing with wildcard certificates
      SUBDOMAINS="$($PCREGREP_BIN -o1 "DNS:([^\s]+)\.\Q${DOMAIN}\E" <<< "${SUBJECTNAMES}")"
      set -f; SUBDOMAINS=($SUBDOMAINS); set +f
      for SUBDOMAIN in "${SUBDOMAINS[@]}"; do
        #write Exim config
        if [[ ${EXIM_SNI} != 1 ]]; then
          if [[ " ${EXIM_SUBDOMAINS[@]} " =~ " ${SUBDOMAIN} " ]] || [[ "${SUBDOMAIN}" = "*" ]]; then
            echo "${SUBDOMAIN}.${DOMAIN}:${USERNAME}:${MAINDOMAIN}" >> ${SNIDOMAINS_CONF}
            RESULT=true
          fi
        fi
        #write Dovecot config
        if [[ ${DOVECOT_SNI} != 1 ]]; then
          if [[ " ${DOVECOT_SUBDOMAINS[@]} " =~ " ${SUBDOMAIN} " ]]; then
            echo -e "local_name ${SUBDOMAIN}.${DOMAIN} {\n\tssl_cert = <${CERT}.combined\n\tssl_key = <${KEY}\n}" >> ${DOVECOT_CONF}
            RESULT=true
          elif [[ "${SUBDOMAIN}" = "*" ]]; then
            for DOVECOT_SUBDOMAIN in "${DOVECOT_SUBDOMAINS[@]}"; do
              echo -e "local_name ${DOVECOT_SUBDOMAIN}.${DOMAIN} {\n\tssl_cert = <${CERT}.combined\n\tssl_key = <${KEY}\n}" >> ${DOVECOT_CONF}
            done
            RESULT=true
          fi
        fi
      done
      #check if at least one config file has been created for this domain
      if $RESULT; then
        echo "Enabled mail SNI config for ${DOMAIN}<br>"
      else
        echo "Disabled mail SNI config for ${DOMAIN}<br>"
      fi
    done
  else
    echo "Disabled mail SNI config for ${DOMAINS[@]}<br>"
  fi
elif [[ ${ACTION} = "disable" ]]; then
  #clear the current config for the domain and pointers
  if [[ ${EXIM_SNI} != 1 ]]; then
    sed -i "/^.*:${USERNAME}:${MAINDOMAIN}$/d" ${SNIDOMAINS_CONF}
  fi
  if [[ ${DOVECOT_SNI} != 1 ]]; then
    rm -f ${DOVECOT_CONF}
  fi
  echo "Disabled mail SNI config for ${DOMAINS[@]}<br>"
fi

#reload dovecot for changes to take effect
if [[ ${DOVECOT_SNI} != 1 ]]; then
  if [[ -d "/etc/systemd/system" && ( -e "/bin/systemctl" || -e "/usr/bin/systemctl" ) ]]; then
    systemctl reload dovecot.service
  elif [[ -e "/etc/init.d/dovecot" ]]; then
    /etc/init.d/dovecot reload
  else
    service dovecot reload
  fi
fi
exit 0;

Now whenever you add, remove or update a certificate, either manually or through Let's Encrypt, the mail config will be updated and your users are able to use their own domain in their email clients.
 

SeLLeRoNe

Hi,

Thanks for sharing this, I was actually looking for a way as well to help DA staff implement this; I did help them with the Dovecot one.

Did you send the link to this thread to them (so they can implement it directly)?
If not, would you mind if I do?

Best regards
 

Vaporizer

Thanks, I've just sent them a message. I also included some feedback about the Dovecot implementation I ran into while testing some stuff. I'll also post it below as it might interest you as well:

- No config file is created for domain pointers even though they are present in the certificate.
- If you disable the cacert checkbox (and insert a new certificate/key) the config still points to the old .cert.combined file. This file doesn't get updated by DA if you deselect cacert, I think it might be wise for DA to always update this file, even if there is no cacert.
- If the option is changed to use the server certificate, if you completely disable SSL or if you remove the entire domain/user, the Dovecot config files remain. This can be dangerous as Dovecot will fail to start if it can’t find the cert and key files. I recommend to use the same create/remove cases as I do in the pre/post scripts.
- The config file always includes imap, mail and pop regardless of the certificate used (this might be intended).

Kind Regards
 

SeLLeRoNe

Ok cool

I saw the problem with Dovecot and I also told John.
Regarding your list, I didn't notice the first 3 points, but mine was quite a quick test. For the last one, yes, I guess it's intended, because the customer will have a wrong certificate anyway if he selects mail.domain and that is not in the certificate alternative names, so instead of using the server one, it always uses the domain one (if present).

Best regards
 

jordivn

Very nice!

I'm interested in the Dovecot script.
You may also send it to me by mail (jordivn@g m a i l . c o m).

The only problem I had was that Exim didn't use the .conf.custom in its config file; solved by changing exim.conf.
 

Vaporizer

For the last one, yes, I guess it's intended, because the customer will have a wrong certificate anyway if he selects mail.domain and that is not in the certificate alternative names, so instead of using the server one, it always uses the domain one (if present).
Great, I just noticed there was a template for the Dovecot settings, so that indeed makes sense.
 

SeLLeRoNe

@Vaporizer
I was reviewing your code and something doesn't seem to be correct:
user_destroy_pre.sh
This is called per user, not sure if for each domain; it is quite pointless to have this, domain_destroy_post.sh should already do this job, and this specifies just 1 domain, so if the user has multiple it wouldn't work I think.

I'm also testing it on my server, but no matter what I get the failover certificate (the server hostname one); the user I've enabled this for has the certificate in his folder. Any suggestions?

I must say that I manually used the exim_sni.sh file this way: /usr/local/directadmin/scripts/custom/exim_sni.sh "enable" "USERNAME" "DOMAIN.TLD"


@jordivn: That file is not loaded by Exim itself but by CustomBuild. Once you create the custom file, you need to run /usr/local/directadmin/custombuild/build eximconf
This will merge your custom file into the default variables file. I wouldn't recommend modifying exim.conf directly.

Best regards
 

jordivn

Thanks for the hint.
The only thing left is getting it into Dovecot. I don't use the prereleases... any other way of getting the scripts?
 

SeLLeRoNe

Honestly I would suggest either grabbing the prerelease (so you don't have to modify files now and then again on the next official release) or even waiting for the official release.

That said, if you prefer to use the scripts, you may need to wait for Vaporizer to post them :)

Best regards
 

tristan

This is excellent work and news; can't wait for the release with Dovecot support, and hopefully Exim follows suit soon with the work Vaporizer did.
 

Vaporizer

@Vaporizer
I was reviewing your code and something doesn't seem to be correct:
user_destroy_pre.sh
This is called per user, not sure if for each domain; it is quite pointless to have this, domain_destroy_post.sh should already do this job, and this specifies just 1 domain, so if the user has multiple it wouldn't work I think.

I'm also testing it on my server, but no matter what I get the failover certificate (the server hostname one); the user I've enabled this for has the certificate in his folder. Any suggestions?

I must say that I manually used the exim_sni.sh file this way: /usr/local/directadmin/scripts/custom/exim_sni.sh "enable" "USERNAME" "DOMAIN.TLD"

Best regards
user_destroy_pre.sh calls the script for every domain under the user. I've done this because if something goes wrong the output won't be 0 and the user destroy will be canceled, allowing you to fix the problem and try again. I think this doesn't happen if you rely on domain_destroy_post.sh (although I'm not 100% sure about this).

When you call the script directly, is there any output to suggest anything went wrong? Could you check if the domain config file (/usr/local/directadmin/data/users/<user>/domains/<domain>.conf) contains at least the following values?
SSL=On
CERT=/usr/local/directadmin/data/users/<user>/domains/<domain>.cert
KEY=/usr/local/directadmin/data/users/<user>/domains/<domain>.key

Could you also check if these paths are correct for your system?
/usr/bin/openssl
/usr/local/bin/pcregrep
/usr/bin/sed


@jordivn & tristan: I'll try to post a script that also includes Dovecot tomorrow, but as SeLLeRoNe indicated you might as well just install the prerelease if you can.
 

SeLLeRoNe

I see, thanks for clarifying :)

The user has SSL on, the cert is there (.cert.combined), and the cert is currently used with Dovecot (pre-release binaries) and is working fine.

The file /etc/virtual/snidomains is filled correctly and Exim seems to be configured fine (in fact, if I put the exact path for the TLS cert/key for the user as the only certificate it simply works); it seems to me the extraction of the value is wrong.

I have to say that I'm not sure, but in this file /etc/virtual/snidomains I have
mail.domain.tld:user:domain.tld

To me this looks strange (but again, I'm no expert in Exim conf):
{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}
Shouldn't it be extract 2 for user and 3 for domain? Why is the mail.domain.tld there? What is its use?

The paths you've provided are all correct except sed, which is in /bin/sed; you may want to set those commands in a variable and configure the variable with the output of whereis, or not use the full path for system commands.

Available for tests if you need :)

Best regards
 

SeLLeRoNe

I have just checked and actually you're not using the full path for sed, so that should be OK; sed is actually working for me.

Best regards
 

Vaporizer

I've just updated the first post to also include generating Dovecot configs the same way it is done for Exim, it also fixes some issues I found along the way. Note that exim_sni.sh has been renamed to mail_sni.sh, so make sure to remove the old script and then follow the complete instructions from the first post again.


I see, thanks for clarifying :)

The user has SSL on, the cert is there (.cert.combined), and the cert is currently used with Dovecot (pre-release binaries) and is working fine.

The file /etc/virtual/snidomains is filled correctly and Exim seems to be configured fine (in fact, if I put the exact path for the TLS cert/key for the user as the only certificate it simply works); it seems to me the extraction of the value is wrong.

I have to say that I'm not sure, but in this file /etc/virtual/snidomains I have
mail.domain.tld:user:domain.tld

To me this looks strange (but again, I'm no expert in Exim conf):
{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}
Shouldn't it be extract 2 for user and 3 for domain? Why is the mail.domain.tld there? What is its use?

The paths you've provided are all correct except sed, which is in /bin/sed; you may want to set those commands in a variable and configure the variable with the output of whereis, or not use the full path for system commands.

Available for tests if you need :)

Best regards
I have just checked and actually you're not using the full path for sed, so that should be OK; sed is actually working for me.

Best regards
Sorry it took a while to get back to you. The reason I wanted to check your paths is that I noticed some strange behaviour while testing. pcregrep can't be found when the script gets called from letsencrypt_post.sh, it works for all the other pre/post scripts. I tried solving this by using whereis and which as you suggested but had the same result, so I ended up making it a variable near the top of the script.

About the /etc/virtual/snidomains file, the content is correct. The first part (mail.domain.tld) is used to check against the Exim parameter tls_in_sni using lookup and nwildlsearch; this is the value the user enters as their outgoing mailserver in their mailclient. The result of this nwildlsearch is the part after the first colon (user:domain.tld); this part is then used to extract the user and domain from (that's why it is 1 and 2, not 2 and 3) that are used in the path to the certificate and key (/usr/local/directadmin/data/users/<username>/domains/<domainname>.cert.combined).
So the first part can also be a domain pointer or alias (mail.seconddomain.tld) but the last part will still point to the main domain, as that is the name of the certificate that contains both the domain and pointers/aliases.

Could you give the updated script a try and let me know the results? Calling it manually as you did before should be fine: /usr/local/directadmin/scripts/custom/mail_sni.sh "enable" "username" "domain.tld"

Regards
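As an added example (not part of Vaporizer's scripts or of DirectAdmin), the bash below re-implements the tls_certificate/tls_privatekey expansion from the first post so an /etc/virtual/snidomains mapping can be checked from the shell: it performs the nwildlsearch-style lookup (exact key, or a key starting with `*` as an ends-with wildcard, which is what the script writes for wildcard certificates), takes field 1 of the value as the user and field 2 as the domain, and falls back to /etc/exim.cert or /etc/exim.key whenever the file, the line or the per-domain file is missing. The function names, the constructed sample entries and the overridable SNIDOMAINS/DA_USERS/EXIM_DEFAULT_DIR variables are my own assumptions.

```bash
#!/bin/bash
# Added example, not from the original post: a plain-bash model of what the
# Exim tls_certificate/tls_privatekey expansions do with /etc/virtual/snidomains.
#
#   lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains} -> "user:domain.tld"
#   extract{1}{:}{$value} -> user,  extract{2}{:}{$value} -> domain.tld
#   -> /usr/local/directadmin/data/users/user/domains/domain.tld.cert.combined
#   falling back to /etc/exim.cert (or exim.key) when any piece is missing.
#
# The three locations can be overridden through the environment (the fixture
# below relies on that); the defaults are the paths used in the thread.
SNIDOMAINS="${SNIDOMAINS:-/etc/virtual/snidomains}"
DA_USERS="${DA_USERS:-/usr/local/directadmin/data/users}"
EXIM_DEFAULT_DIR="${EXIM_DEFAULT_DIR:-/etc}"

# sni_lookup NAME: print the value ("user:domain.tld") of the first line whose
# key matches NAME. A key is either an exact host name or "*.suffix", which
# matches any name ending in ".suffix" (one or more labels) but not suffix
# itself. Matching is case-insensitive. Returns 1 when nothing matches.
sni_lookup() {
  local name key value
  name="${1,,}"
  [[ -r "$SNIDOMAINS" ]] || return 1
  while IFS=: read -r key value; do
    key="${key,,}"
    [[ -z "$key" || "$key" == \#* ]] && continue
    if [[ "$key" == "$name" ]]; then
      printf '%s\n' "$value"; return 0
    fi
    if [[ "$key" == \*.* && "$name" == *".${key#\*.}" ]]; then
      printf '%s\n' "$value"; return 0
    fi
  done < "$SNIDOMAINS"
  return 1
}

# resolve_sni_file NAME EXT: print the path Exim would hand to TLS for SNI
# name NAME, where EXT is "cert.combined" or "key". Falls back exactly like
# the "if exists" variant of the config: no snidomains file, no matching
# line, an empty user/domain field, or a missing/empty per-domain file.
resolve_sni_file() {
  local name="$1" ext="$2" value user domain candidate fallback
  fallback="${EXIM_DEFAULT_DIR}/exim.${ext%%.*}"    # exim.cert or exim.key
  value="$(sni_lookup "$name")" || { printf '%s\n' "$fallback"; return 0; }
  user="${value%%:*}"                               # extract{1}{:}
  domain="${value#*:}"; domain="${domain%%:*}"      # extract{2}{:}
  candidate="${DA_USERS}/${user}/domains/${domain}.${ext}"
  if [[ -n "$user" && -n "$domain" && -s "$candidate" ]]; then
    printf '%s\n' "$candidate"
  else
    printf '%s\n' "$fallback"
  fi
}

# make_fixture: build a throw-away tree with constructed sample data and point
# the three variables at it, so the resolver can be exercised offline.
make_fixture() {
  FIXTURE_ROOT="$(mktemp -d)"
  mkdir -p "$FIXTURE_ROOT/users/user1/domains" "$FIXTURE_ROOT/etc"
  printf '%s\n' 'mail.domain.tld:user1:domain.tld' '*.wild.tld:user1:wild.tld' \
    'mail.gone.tld:user1:gone.tld' > "$FIXTURE_ROOT/snidomains"
  printf 'CERT\n' > "$FIXTURE_ROOT/users/user1/domains/domain.tld.cert.combined"
  printf 'KEY\n'  > "$FIXTURE_ROOT/users/user1/domains/domain.tld.key"
  printf 'CERT\n' > "$FIXTURE_ROOT/users/user1/domains/wild.tld.cert.combined"
  printf 'DEFAULT\n' > "$FIXTURE_ROOT/etc/exim.cert"
  printf 'DEFAULT\n' > "$FIXTURE_ROOT/etc/exim.key"
  SNIDOMAINS="$FIXTURE_ROOT/snidomains"
  DA_USERS="$FIXTURE_ROOT/users"
  EXIM_DEFAULT_DIR="$FIXTURE_ROOT/etc"
}

# Usage on a real server: ./sni_check.sh mail.domain.tld
if [[ -n "${1:-}" ]]; then
  printf 'cert: %s\nkey:  %s\n' "$(resolve_sni_file "$1" cert.combined)" \
                                "$(resolve_sni_file "$1" key)"
fi
```

Comparing the printed paths with what `openssl s_client -connect <host>:465 -servername mail.domain.tld` actually presents tells you whether the problem is in the mapping file or in the Exim config.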
 

SeLLeRoNe

Thanks, I'll run some tests now.

One minor thing:
Disabled mail SNI config for interenergy.it<br>

The <br> is intended to be just for HTML output I presume; not really sure you need to specify it anyway :)

One issue:
/usr/local/directadmin/scripts/custom/mail_sni.sh: line 101: systemctl: command not found

That's OS dependent, I would suggest you use:
service dovecot reload
instead of
systemctl reload dovecot

That should work everywhere.

Another hint: the Dovecot conf uses 91-domain, you may better use 95-domain for future compatibility with the DA integration, and also, actually, the Dovecot configuration should contain an if:
cat /usr/local/directadmin/conf/directadmin.conf | grep dovecot_sni | cut -d= -f2
If that's 1, do nothing; if that's 0, make the config.

This will allow everyone to use the script also with future DA releases (so, to use it just for Exim while DA takes care of Dovecot).

I presume that the DA config line for Exim will be exim_sni, so you may want to add that check as well: if =1 do nothing, otherwise act.

Here is how it should be (in my opinion):
On the top add:
Code:
DOVECOT_SNI=`cat /usr/local/directadmin/conf/directadmin.conf | grep dovecot_sni | cut -d= -f2`
"Around" every Dovecot related config add
Code:
if [[ $DOVECOT_SNI != 1 ]]; then
....CODE...
fi

I'll update with other hints/issues if I find any :)

Best regards
 

SeLLeRoNe

Not sure if it is fine, but now the file /etc/virtual/snidomains has two lines per domain:
domain.tld:user:domain.tld
mail.domain.tld:user:domain.tld
 

SeLLeRoNe

Tested, still having the same issue: Thunderbird doesn't accept the certificate and when I look into the certificate it is the hostname one.

best regards
 

Vaporizer

The <br> is for when you use the DA user interface to set or change a certificate, otherwise everything appears on one line (\n is ignored there, the output of every script is printed on a new line though).
Using "service dovecot reload" is a good suggestion, I didn't know it also linked to systemctl if you used systemd. The stuff about detecting DA's config for dovecot_sni and exim_sni is a good idea, I'll change that and then also change 91-domain to 95-domain.

The reason /etc/virtual/snidomains has two lines in your case is that it now also includes the domain itself if that is present in your certificate (Subject Alternative Name).
 

Vaporizer

Tested, still having the same issue: Thunderbird doesn't accept the certificate and when I look into the certificate it is the hostname one.

best regards
Very strange, your /etc/virtual/snidomains file seems ok and I assume you directly copied the exim config from my first post. Would it be possible for me to log in to your server to have a look? You can contact me via PM if you'd like to arrange something.

Regards
 

SeLLeRoNe

Yes, the Exim config has been added to the custom variables file and of course cb eximconf has run.

Do you have skype? If yes, add me: sellerone

Best regards
 