Scripts for Exim SNI with a (Let's Encrypt) user certificate

SeLLeRoNe said:
Yes, the exim config has been added to the custom variables file and ofc cb eximconf has run.

Do you have skype? If yes, add me: sellerone

Best regards
Click to expand...

Just to inform other people that might stumble across the problem where the Exim changes seem to have no effect. We found out that SeLLeRoNe was using an Exim build that didn't support SNI yet, a quick rebuild solved the problem.
So don't forget to rebuild Exim and its config when you've made the required changes (I've also added this information to the first post):
Code: 
cd /usr/local/directadmin/custombuild
./build exim
./build exim_conf
 
Thanks for your help.

Please everyone note, also if you have latest exim, you may have build it when the option for SNI was not yet introduced in Custombuild, so it may be worth to build exim again.

Also, here a quick script that check all users and all domains owned by each user and start the mail_sni.sh script (the script itself will check if there is SSL certificate).

Code: 
for USER in `ls /usr/local/directadmin/data/users`;
	do
	echo "Starting user $USER"
	for DOMAIN in `cat /usr/local/directadmin/data/users/$USER/domains.list`	
		do
		echo "Configuring domain $DOMAIN"
		/usr/local/directadmin/scripts/custom/mail_sni.sh enable $USER $DOMAIN
	done
done

Best regards
 
hmmm... I am having trobbles...
when i save or switch ssl i timed out (600sec).
In directadmin error log i see:

2016:11:18-16:30:29: Timeout (timeout=600) from 77.160.76.39 : last flagged: custom script: /usr/local/directadmin/scripts/custom/ssl_save_post.sh : 'action=save&certificate=-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAp8ncubJP4E8xMPxm+iEZzkBt9RWoy0cy3hUttfWQ3Zuqm1hJ
DWZCQh0ecN5zaJ+uGGSGyGUae7Dz1ti1n9tQIJJ94MRZlZL/8eaPvOTZyjW

running from command the mail_sni.sh enable creamoontj creamoontje.nl works fine, and all is set well.
So some way, i geuss, the end of script is ignored?

any idees?
 
jordivn said:
hmmm... I am having trobbles...
when i save or switch ssl i timed out (600sec).
In directadmin error log i see:

2016:11:18-16:30:29: Timeout (timeout=600) from 77.160.76.39 : last flagged: custom script: /usr/local/directadmin/scripts/custom/ssl_save_post.sh : 'action=save&certificate=-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAp8ncubJP4E8xMPxm+iEZzkBt9RWoy0cy3hUttfWQ3Zuqm1hJ
DWZCQh0ecN5zaJ+uGGSGyGUae7Dz1ti1n9tQIJJ94MRZlZL/8eaPvOTZyjW

running from command the mail_sni.sh enable creamoontj creamoontje.nl works fine, and all is set well.
So some way, i geuss, the end of script is ignored?

any idees?
Click to expand...

Which OS are you running? Could you verify the content of the ssl_save_post.sh script? It is odd that it times out when called through ssl_save_post but not through commandline.

Also could you try putting dovecot_sni=1 into your directadmin.conf and save the certificate again. Then try and do the same with exim_sni=1, and then with both. Let me know which one times out so we can narrow this down. (Don't forget to remove both variables afterwards)
 
Last edited:
No Luck at all.. I use CentOS 6. directadmin version 1.50.1.
I dit those settings in directadmin.conf (exim, dovecot and both) and running ./build rewrite_confs aftherwards...
Stil it times out. Strange enough, the certificates where created and saved at the right places.
 
jordivn said:
No Luck at all.. I use CentOS 6. directadmin version 1.50.1.
I dit those settings in directadmin.conf (exim, dovecot and both) and running ./build rewrite_confs aftherwards...
Stil it times out. Strange enough, the certificates where created and saved at the right places.
Click to expand...

I suspect something else is going on then. If you had both exim_sni=1 and dovecot_sni=1 in your config then the main script does nothing at all, it immediately exits on line 18. What happens if you create an empty ssl_save_post.sh file with just the following content:
Code: 
#!/bin/sh
echo "test"
exit 0

Does it show just test or does it time out again?
 
The exim_sni=1 is still a non-valid option for directadmin.conf while dovecot_sni=1 it is if you use the pre-release binaries :)

Best regards
 
Correct, but enabling both exim_sni=1 and dovecot_sni=1 effectively disables the mail_sni.sh script as that still checks for these options.
 
I tested it out. Give me an test response back.
I rebuild the ssl_save_post.sh script from the first treat, and added logger END SSL_SAVE_POST just before its exit.
Now running it still times out but i can see the message in my message file. Did this action with user level -> ssl -> save (with the current certificate).
Does this action runs directly ssl_save_post or does it get called from another point? Looks like its waiting for something...
 
Anyone else on CentOs 6 having issues?
I would like to incorporate this on my live server but can't afford (much) downtime if it's giving troubles.

Also think this function should be issued standard with DA, or at least as an extension or something.
 
On next release DA will for sure have the implementation for Dovecot, not sure at what point are they with Exim implementation, but i'm confident that next release will have this already for both.

Best regards
 
Any idea on whether or not exim with dovecot can handle 1000+ certs at the same time the way you are developing and testing the SNI-feature now?
 
Hi Alex,

Just as matter of curiosity, why it shouldn't?

Latest Exim are SNI capable, so i guess they are somehow ready for big implementation (well, i hope :D)

Best regards
 
Andrea,

Well, I can only guess and test when I have time.

In my understanding it might bring into issues with RAM and speed as well as we might hit a limit on number of open files. Correct me please if I'm wrong with 1000+ certs it would be at least 2000+ opened files with exim, dovecot, and apache (with or without nginx). Never tested it before, so that's why I'm asking...
 
That's a good point, actually my thoughts were that the file get loaded on runtime if needed, but you may be actually right...
 
Yes, they are opened at runtime once, but it would mean that a daemon needs to open and read all those 2000+ files. How much time might it take then to start?

How many SSL/TLS certs did you tried at the same time? I can test it currently only with ~100 live domains. Or I could setup a testing environment with 1000+ fake domains with self-signed certs. ;)
 
eheh i tryed with probably 20 xD

But exim is not reading all the file, it goes on "per-request" for a specific domain, doesn't "load/check" the files on startup, for dovecot yes (as for apache/nginx)

Best regards
 
jordivn said:
I tested it out. Give me an test response back.
I rebuild the ssl_save_post.sh script from the first treat, and added logger END SSL_SAVE_POST just before its exit.
Now running it still times out but i can see the message in my message file. Did this action with user level -> ssl -> save (with the current certificate).
Does this action runs directly ssl_save_post or does it get called from another point? Looks like its waiting for something...
Click to expand...

If it shows the message it must mean it has finished with the script and is basically done, so no idea what it is waiting for or why it times out.
The ssl_save_post.sh is called directly by DirectAdmin itself.

BBM said:
Anyone else on CentOs 6 having issues?
I would like to incorporate this on my live server but can't afford (much) downtime if it's giving troubles.

Also think this function should be issued standard with DA, or at least as an extension or something.
Click to expand...

I have personally only tested this using CentOS 7, but it should be largely OS independent. You could try it out with a few test domains first and if anything goes really wrong it is disabled again easily enough.

zEitEr said:
Any idea on whether or not exim with dovecot can handle 1000+ certs at the same time the way you are developing and testing the SNI-feature now?
Click to expand...

We are currently using it with several hundred domains (200+) without any problem. As you both already pointed out, Exim only loads the cert/key on an incoming SNI connection so its performance is largely dependent on the amount of mail traffic you have. Dovecot does, however, load all the files on startup but I don't know how much that exactly impacts performance/memory usage and if there is a limit on how many certificates it can handle.
 
SeLLeRoNe said:
But exim is not reading all the file, it goes on "per-request" for a specific domain, doesn't "load/check" the files on startup, for dovecot yes (as for apache/nginx)
Click to expand...

Thank you, it's good to learn new things.

Vaporizer said:
We are currently using it with several hundred domains (200+) without any problem. As you both already pointed out, Exim only loads the cert/key on an incoming SNI connection so its performance is largely dependent on the amount of mail traffic you have. Dovecot does, however, load all the files on startup but I don't know how much that exactly impacts performance/memory usage and if there is a limit on how many certificates it can handle.
Click to expand...

Thanks for sharing your experience.
 
You must log in or register to reply here.
Back
Top