Scripts for Exim SNI with a (Let's Encrypt) user certificate

Vaporizer

Verified User
Joined
Nov 7, 2014
Messages
74
> Yes, the exim config has been added to the custom variables file and ofc cb eximconf has run.
>
> Do you have skype? If yes, add me: sellerone
>
> Best regards

Just to inform other people that might stumble across the problem where the Exim changes seem to have no effect. We found out that SeLLeRoNe was using an Exim build that didn't support SNI yet, a quick rebuild solved the problem.
So don't forget to rebuild Exim and its config when you've made the required changes (I've also added this information to the first post):
Code:
cd /usr/local/directadmin/custombuild
./build exim
./build exim_conf
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,798
Location
A Coruña, Spain
Thanks for your help.

Please everyone note: even if you have the latest exim, you may have built it when the option for SNI was not yet introduced in Custombuild, so it may be worth building exim again.

Also, here is a quick script that goes through all users and all domains owned by each user and starts the mail_sni.sh script (the script itself checks whether there is an SSL certificate).

Code:
#!/bin/sh
# Enable mail SNI for every domain of every DirectAdmin user.
for DIR in /usr/local/directadmin/data/users/*/; do
	USER=$(basename "$DIR")
	LIST="/usr/local/directadmin/data/users/$USER/domains.list"
	[ -f "$LIST" ] || continue	# skip users without a domains.list
	echo "Starting user $USER"
	while read -r DOMAIN; do
		[ -n "$DOMAIN" ] || continue	# skip empty lines
		echo "Configuring domain $DOMAIN"
		# stdin detached so mail_sni.sh cannot consume the rest of domains.list
		/usr/local/directadmin/scripts/custom/mail_sni.sh enable "$USER" "$DOMAIN" </dev/null
	done < "$LIST"
done
Best regards
 

jordivn

Verified User
Joined
Nov 4, 2016
Messages
53
hmmm... I am having troubles...
when I save or switch SSL it times out (600 sec).
In the directadmin error log I see:

2016:11:18-16:30:29: Timeout (timeout=600) from 77.160.76.39 : last flagged: custom script: /usr/local/directadmin/scripts/custom/ssl_save_post.sh : 'action=save&certificate=-----BEGIN RSA PRIVATE KEY-----
MIIJJwIBAAKCAgEAp8ncubJP4E8xMPxm+iEZzkBt9RWoy0cy3hUttfWQ3Zuqm1hJ
DWZCQh0ecN5zaJ+uGGSGyGUae7Dz1ti1n9tQIJJ94MRZlZL/8eaPvOTZyjW

Running mail_sni.sh enable creamoontj creamoontje.nl from the command line works fine, and all is set well.
So somehow, I guess, the end of the script is ignored?

Any ideas?
 

Vaporizer

Verified User
Joined
Nov 7, 2014
Messages
74
> hmmm... I am having troubles...
> when I save or switch SSL it times out (600 sec).
> In the directadmin error log I see:
>
> 2016:11:18-16:30:29: Timeout (timeout=600) from 77.160.76.39 : last flagged: custom script: /usr/local/directadmin/scripts/custom/ssl_save_post.sh : 'action=save&certificate=-----BEGIN RSA PRIVATE KEY-----
> MIIJJwIBAAKCAgEAp8ncubJP4E8xMPxm+iEZzkBt9RWoy0cy3hUttfWQ3Zuqm1hJ
> DWZCQh0ecN5zaJ+uGGSGyGUae7Dz1ti1n9tQIJJ94MRZlZL/8eaPvOTZyjW
>
> Running mail_sni.sh enable creamoontj creamoontje.nl from the command line works fine, and all is set well.
> So somehow, I guess, the end of the script is ignored?
>
> Any ideas?

Which OS are you running? Could you verify the content of the ssl_save_post.sh script? It is odd that it times out when called through ssl_save_post but not through commandline.

Also could you try putting dovecot_sni=1 into your directadmin.conf and save the certificate again. Then try and do the same with exim_sni=1, and then with both. Let me know which one times out so we can narrow this down. (Don't forget to remove both variables afterwards)
 

jordivn

Verified User
Joined
Nov 4, 2016
Messages
53
No luck at all.. I use CentOS 6, directadmin version 1.50.1.
I did those settings in directadmin.conf (exim, dovecot and both) and ran ./build rewrite_confs afterwards...
Still it times out. Strangely enough, the certificates were created and saved in the right places.
 

Vaporizer

Verified User
Joined
Nov 7, 2014
Messages
74
> No luck at all.. I use CentOS 6, directadmin version 1.50.1.
> I did those settings in directadmin.conf (exim, dovecot and both) and ran ./build rewrite_confs afterwards...
> Still it times out. Strangely enough, the certificates were created and saved in the right places.

I suspect something else is going on then. If you had both exim_sni=1 and dovecot_sni=1 in your config then the main script does nothing at all, it immediately exits on line 18. What happens if you create an empty ssl_save_post.sh file with just the following content:
Code:
#!/bin/sh
echo "test"
exit 0
Does it show just test or does it time out again?
 
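To go one step further than the three-line test above, here is a diagnostic skeleton for an ssl_save_post.sh hook, added as an example (it is not the thread's script): it logs when each step starts and ends, detaches stdin and bounds each step's run time so a hung child shows up in the log instead of hitting DirectAdmin's 600 s timeout, and never writes the hook's arguments or environment to the log, since, as the error log quoted above shows, the certificate and its private key arrive in them. The `username` and `domain` variables and the 60 s step limit are assumptions.

```shell
#!/bin/sh
# Diagnostic ssl_save_post.sh skeleton (added example, not the thread's script).
# Do NOT echo "$@" or `env` into the log: DirectAdmin passes the certificate
# and its private key to this hook, as the error log quoted above shows.
STEP_TIMEOUT="${STEP_TIMEOUT:-60}"   # seconds per step (assumed value)
SNI_SCRIPT=/usr/local/directadmin/scripts/custom/mail_sni.sh

log() {
    # to syslog when logger exists, and always to stderr (what DA reports)
    if command -v logger >/dev/null 2>&1; then
        logger -t ssl_save_post "$*" 2>/dev/null || :
    fi
    printf 'ssl_save_post: %s\n' "$*" >&2
}

# run_step NAME CMD [ARGS...]: run CMD with stdin detached (a child blocked on
# stdin keeps the hook alive until DA's 600 s timeout) and with a time limit.
# Returns CMD's exit status; 124 means the step was killed on timeout.
run_step() {
    step=$1; shift
    log "start $step"
    if command -v timeout >/dev/null 2>&1; then
        timeout "$STEP_TIMEOUT" "$@" </dev/null; rc=$?
    else
        "$@" </dev/null; rc=$?
    fi
    log "end $step rc=$rc"
    return "$rc"
}

# Long work (e.g. a service reload) must not inherit DA's pipes: a background
# job that keeps stdout/stderr open makes DA wait for it. Fully detach it.
run_detached() {
    nohup "$@" </dev/null >/dev/null 2>&1 &
}

main() {
    # username/domain: variables assumed to be set by DirectAdmin for the hook
    [ -n "$username" ] && [ -n "$domain" ] || { log "missing username/domain"; exit 1; }
    run_step mail_sni "$SNI_SCRIPT" enable "$username" "$domain" || exit 1
    log "END SSL_SAVE_POST"
    exit 0
}

# Run main only when executed under the hook's name, not when sourced.
case "${0##*/}" in ssl_save_post.sh) main "$@" ;; esac
```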

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,798
Location
A Coruña, Spain
exim_sni=1 is still not a valid option for directadmin.conf, while dovecot_sni=1 is, if you use the pre-release binaries :)

Best regards
 

Vaporizer

Verified User
Joined
Nov 7, 2014
Messages
74
Correct, but enabling both exim_sni=1 and dovecot_sni=1 effectively disables the mail_sni.sh script as that still checks for these options.
 

jordivn

Verified User
Joined
Nov 4, 2016
Messages
53
I tested it out. It gives me a test response back.
I rebuilt the ssl_save_post.sh script from the first thread, and added logger END SSL_SAVE_POST just before its exit.
Now running it still times out but I can see the message in my messages file. Did this action with user level -> ssl -> save (with the current certificate).
Does this action run ssl_save_post directly or does it get called from another point? Looks like it's waiting for something...
 

BBM

Verified User
Joined
Jun 8, 2013
Messages
349
Location
Dutch Mountains
Anyone else on CentOS 6 having issues?
I would like to incorporate this on my live server but can't afford (much) downtime if it's giving troubles.

Also think this function should be issued standard with DA, or at least as an extension or something.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,798
Location
A Coruña, Spain
In the next release DA will for sure have the implementation for Dovecot; not sure at what point they are with the Exim implementation, but I'm confident that the next release will have this already for both.

Best regards
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Any idea on whether or not exim with dovecot can handle 1000+ certs at the same time the way you are developing and testing the SNI-feature now?
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,798
Location
A Coruña, Spain
Hi Alex,

Just as a matter of curiosity, why shouldn't it?

The latest Exim is SNI capable, so I guess it is somehow ready for a big implementation (well, I hope :D)

Best regards
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Andrea,

Well, I can only guess and test when I have time.

In my understanding it might run into issues with RAM and speed, and we might also hit a limit on the number of open files. Correct me please if I'm wrong: with 1000+ certs it would be at least 2000+ opened files with exim, dovecot, and apache (with or without nginx). Never tested it before, so that's why I'm asking...
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,798
Location
A Coruña, Spain
That's a good point, actually my thought was that the files get loaded at runtime if needed, but you may actually be right...
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
Yes, they are opened at runtime once, but it would mean that a daemon needs to open and read all those 2000+ files. How much time might it take then to start?

How many SSL/TLS certs did you try at the same time? I can currently test it only with ~100 live domains. Or I could set up a testing environment with 1000+ fake domains with self-signed certs. ;)
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,798
Location
A Coruña, Spain
eheh I tried with probably 20 xD

But exim is not reading all the files; it goes "per-request" for a specific domain and doesn't "load/check" the files on startup. For dovecot, yes (as for apache/nginx).

Best regards
 

Vaporizer

Verified User
Joined
Nov 7, 2014
Messages
74
> I tested it out. It gives me a test response back.
> I rebuilt the ssl_save_post.sh script from the first thread, and added logger END SSL_SAVE_POST just before its exit.
> Now running it still times out but I can see the message in my messages file. Did this action with user level -> ssl -> save (with the current certificate).
> Does this action run ssl_save_post directly or does it get called from another point? Looks like it's waiting for something...

If it shows the message it must mean it has finished with the script and is basically done, so no idea what it is waiting for or why it times out.
The ssl_save_post.sh is called directly by DirectAdmin itself.

> Anyone else on CentOS 6 having issues?
> I would like to incorporate this on my live server but can't afford (much) downtime if it's giving troubles.
>
> Also think this function should be issued standard with DA, or at least as an extension or something.

I have personally only tested this using CentOS 7, but it should be largely OS independent. You could try it out with a few test domains first and if anything goes really wrong it is disabled again easily enough.

> Any idea on whether or not exim with dovecot can handle 1000+ certs at the same time the way you are developing and testing the SNI-feature now?

We are currently using it with several hundred domains (200+) without any problem. As you both already pointed out, Exim only loads the cert/key on an incoming SNI connection so its performance is largely dependent on the amount of mail traffic you have. Dovecot does, however, load all the files on startup but I don't know how much that exactly impacts performance/memory usage and if there is a limit on how many certificates it can handle.
 
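A check for the open-files question discussed above, added here as an example (not from the thread): it lists which cert/key files a running daemon holds open and compares its descriptor count with the per-process limit from /proc, which lets you see for yourself that Dovecot's count grows with the number of SNI domains while Exim's listener holds few or none. The script name `mail_fd_check.sh` and the 80% warning threshold are assumptions; it needs Linux /proc.

```shell
#!/bin/sh
# Added check (not from the thread): cert/key files each mail daemon holds
# open, and how close its descriptor count is to the per-process limit.
# Dovecot opens every configured cert at startup; Exim reads them per
# connection, so its listener should show few or none.

# open_cert_files PID: paths of cert/key files PID currently has open.
open_cert_files() {
    for fd in /proc/"$1"/fd/*; do
        readlink "$fd" 2>/dev/null
    done | grep -E '\.(pem|crt|cer|key)$' | sort -u
}

# fd_count PID: number of open descriptors.
fd_count() {
    ls /proc/"$1"/fd 2>/dev/null | wc -l | tr -d ' '
}

# fd_limit PID: soft "Max open files" limit from /proc/PID/limits.
fd_limit() {
    awk '/^Max open files/ { print $4 }' /proc/"$1"/limits
}

# report NAME PID: one summary line; warns on stderr above 80% of the limit.
report() {
    n=$(fd_count "$2"); lim=$(fd_limit "$2")
    certs=$(open_cert_files "$2" | wc -l | tr -d ' ')
    printf '%s pid=%s fds=%s limit=%s cert_files=%s\n' "$1" "$2" "$n" "$lim" "$certs"
    [ "$n" -lt $((lim * 8 / 10)) ] || printf 'WARNING: %s near fd limit\n' "$1" >&2
}

main() {
    for daemon in dovecot exim; do
        for pid in $(pidof "$daemon" 2>/dev/null); do
            report "$daemon" "$pid"
            open_cert_files "$pid" | head -n 5    # first few, for a quick look
        done
    done
}
case "${0##*/}" in mail_fd_check.sh) main ;; esac
```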

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,255
Location
GMT +7.00
> But exim is not reading all the files; it goes "per-request" for a specific domain and doesn't "load/check" the files on startup. For dovecot, yes (as for apache/nginx).

Thank you, it's good to learn new things.

> We are currently using it with several hundred domains (200+) without any problem. As you both already pointed out, Exim only loads the cert/key on an incoming SNI connection so its performance is largely dependent on the amount of mail traffic you have. Dovecot does, however, load all the files on startup but I don't know how much that exactly impacts performance/memory usage and if there is a limit on how many certificates it can handle.

Thanks for sharing your experience.
 