Scripts for Exim SNI with a (Let's Encrypt) user certificate

Blinkie (New member, joined Dec 7, 2016, 2 messages)
testing

Alright, I tested it on one of my hosting servers.

First of all:

Running on latest Directadmin version, centos 6 x64 and Cloudlinux.

I did what you describe, but I'm running into some issues.

When I request a new Let's Encrypt SSL certificate via user level -> SSL certificates and click on 'save', it's loading... and loading... for at least 10 minutes (not normal). When I click on home and go back to SSL certificates, it's done and the keys are in 'Paste a pre-generated certificate and key'.
I have tested this on a DigitalOcean server, same problem. When adding dovecot_sni=1 it's working perfectly, and after 30 seconds it says it's done and has created the SSL certificate...

And my other issue, when deleting a user with an SSL certificate:

Users deleted

Details

User * Removed
Disabled mail SNI config for *
Shutting down dovecot: [ OK ] Starting dovecot: Fatal: Error reading configuration: Invalid setting ssl: Invalid value: ON [FAILED]
User removed from SSH
* config files have been removed
Disabled mail SNI config for *
Shutting down dovecot: [FAILED] Starting dovecot: Fatal: Error reading configuration: Invalid setting ssl: Invalid value: ON [FAILED]

Users's domains directory removed.

Unix User removed from the server
User's config files deleted
User's data directory removed.
Removed user from admin's list
Script output: /usr/local/directadmin/scripts/custom/user_destroy_post.sh
 

Blinkie (New member, joined Dec 7, 2016, 2 messages)
Also, this comes up:

2016-12-07 22:29:42 Warning: No server certificate defined; TLS connections will fail.
Suggested action: either install a certificate or change tls_advertise_hosts option
2016-12-07 22:36:59 Warning: No server certificate defined; TLS connections will fail.
Suggested action: either install a certificate or change tls_advertise_hosts option
2016-12-07 22:56:12 fork failed for TLS check
2016-12-07 22:56:14 fork failed for TLS check
2016-12-07 22:56:19 fork failed for TLS check
2016-12-07 22:56:19 fork failed for TLS check
2016-12-07 22:56:20 fork failed for TLS check
2016-12-07 22:56:20 fork failed for TLS check
2016-12-07 22:56:20 fork failed for TLS check
2016-12-07 23:11:16 fork failed for TLS check
2016-12-07 23:11:16 fork failed for TLS check
2016-12-07 23:11:16 fork failed for TLS check
2016-12-07 23:11:16 fork failed for TLS check
2016-12-07 23:11:16 fork failed for TLS check
2016-12-07 23:11:17 fork failed for TLS check
2016-12-07 23:11:18 fork failed for TLS check
2016-12-07 23:11:18 fork failed for TLS check
2016-12-07 23:11:18 fork failed for TLS check
 

SeLLeRoNe (Super Moderator, joined Oct 9, 2004, 6,794 messages, A Coruña, Spain)
If dovecot_sni is set to 1 in directadmin.conf, the script will not work on the Dovecot side, so you must ensure you're using the latest pre-release binaries and not the last stable release to have that functionality; it is still not out in a stable release.

Regarding the removal, ensure you are using the dovecot.conf provided by CB, so run: /usr/local/directadmin/custombuild/build dovecot_conf

Best regards
 

SeLLeRoNe (Super Moderator, joined Oct 9, 2004, 6,794 messages, A Coruña, Spain)
Dovecot has already been confirmed; I worked with DA Staff to implement it, just exim was missing.

Probably next release will have both working :)
Best regards
 

gurek (Verified User, joined Jul 15, 2009, 6 messages, Poland)
CA cert

Hi,

Why don't you add the CA cert in the dovecot/exim conf?

My custom exim conf looks like:

Code:
tls_privatekey=${if exists{/etc/exim.key.${tls_sni}}{/etc/exim.key.${tls_sni}}{/etc/exim.key}}
tls_certificate=${if exists{/etc/exim.cert.${tls_sni}}{/etc/exim.cert.${tls_sni}}{/etc/exim.cert}}
tls_verify_certificates=${if exists{/etc/exim.cacert.${tls_sni}}{/etc/exim.cacert.${tls_sni}}{}}
Dovecot:
Code:
local_name domain.pl {
  ssl_ca = </etc/exim.cacert.domain.pl
  ssl_cert = </etc/exim.cert.domain.pl
  ssl_key = </etc/exim.key.domain.pl
}
 

Vaporizer (Verified User, joined Nov 7, 2014, 74 messages)
(quoting gurek's post above: "Why don't you add the CA cert in the dovecot/exim conf?", with its exim and dovecot config)
I think you are confusing some things here. Those parameters, tls_verify_certificates and ssl_ca, are both for client certificate verification and should only be used if you want clients to log in using a specific certificate. Otherwise your clients can't log in using regular authentication.
My script, and the other parameters used, are for the server certificate and already use the CA and intermediate certs as this is contained in the .cert.combined file.
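The exim.conf lines quoted in this exchange pick a certificate and key by interpolating ${tls_sni} into a file path and falling back to the server default when the file does not exist. The value of ${tls_sni} is sent by the remote client, so whatever does that lookup has to treat it as untrusted input. The following is an added example, not code from the thread or from DirectAdmin: a Python model of the same fallback logic with the hostname validation any such lookup needs. It uses the thread's exim.cert.<domain> / exim.key.<domain> naming, a temporary directory with empty placeholder files as constructed sample data, and the rule (an assumption here, stricter than the quoted config, which tests cert and key separately) that both files must exist before the per-domain pair is used. Exim has enforced taint tracking on client-supplied values since 4.94, so on current releases check the Exim specification for the supported way to use $tls_in_sni in a file lookup.

```python
"""Added example, not code from the thread or from DirectAdmin: a Python model of
the per-SNI selection the exim.conf lines above express with
${if exists{/etc/exim.cert.${tls_sni}}{/etc/exim.cert.${tls_sni}}{/etc/exim.cert}}.
The SNI value comes from the remote client, so it is checked to be a plain
hostname before it is interpolated into a path. File names follow the thread's
exim.cert.<domain> / exim.key.<domain> convention; the directory used by demo()
is a temporary one filled with empty placeholder files (constructed sample data)."""
import os
import re
import tempfile
from typing import Optional, Tuple

# One hostname label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalise_sni(sni: Optional[str]) -> Optional[str]:
    """Lower-case, drop a trailing dot, and return None unless the result is a
    syntactically valid hostname ('../../etc/passwd', '', 'a..b' -> None)."""
    if not sni:
        return None
    name = sni.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    return name if all(_LABEL.match(label) for label in name.split(".")) else None


def select_cert(sni: Optional[str], cert_dir: str,
                default_cert: str = "exim.cert", default_key: str = "exim.key") -> Tuple[str, str]:
    """Return (cert_path, key_path): the per-domain pair when BOTH files exist,
    otherwise the server defaults. The quoted exim.conf tests cert and key
    separately; requiring both (an assumption here) avoids pairing a domain
    certificate with the default key, which would make TLS fail for that name."""
    default = (os.path.join(cert_dir, default_cert), os.path.join(cert_dir, default_key))
    name = normalise_sni(sni)
    if name is None:
        return default
    cert = os.path.join(cert_dir, f"exim.cert.{name}")
    key = os.path.join(cert_dir, f"exim.key.{name}")
    return (cert, key) if os.path.isfile(cert) and os.path.isfile(key) else default


def demo() -> dict:
    """Constructed sample: one fully installed domain, one with a cert but no key,
    and a few SNI values a client might send (including a hostile one)."""
    with tempfile.TemporaryDirectory() as d:
        for fname in ("exim.cert", "exim.key",
                      "exim.cert.mail.example.com", "exim.key.mail.example.com",
                      "exim.cert.half.example.com"):
            open(os.path.join(d, fname), "w").close()
        cases = ["mail.example.com", "MAIL.EXAMPLE.COM.", "half.example.com",
                 "other.example.com", "../../etc/passwd", ""]
        return {s: tuple(os.path.basename(p) for p in select_cert(s, d)) for s in cases}


if __name__ == "__main__":
    for sni, pair in demo().items():
        print(f"{sni!r:>22} -> {pair}")
```

Running the module prints the chosen pair for each sample SNI: only the fully installed domain gets its own files; the half-installed domain, an unknown domain, an empty SNI and the path-traversal attempt all fall back to exim.cert / exim.key.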
 

hci (Verified User, joined Jun 15, 2004, 333 messages)
I really want all this built into DirectAdmin myself, with a simple howto. Smartphones really don't like the lack of signed certificates.
 

tristan (Verified User, joined Feb 11, 2005, 430 messages, The Netherlands)

swisshuttles (Verified User, joined Jul 5, 2016, 11 messages)
Exim with SNI on DA 1.51.2

Hi Vaporizer, you have really done an excellent job!

I'm trying to get everything to work with DA version 1.51.2 on CentOS. Did everything the post said. Dovecot works fine but exim doesn't. Exim is still serving the old server-signed certificate despite the changes I've made in exim.conf, and the certificates are in the right place. Checked everything twice but everything seems to be ok. Just don't have a clue.

Am I right when I say that the exim SNI feature will only work on DA version 1.51.3?
 

SeLLeRoNe (Super Moderator, joined Oct 9, 2004, 6,794 messages, A Coruña, Spain)
Try rebuilding exim with: /usr/local/directadmin/custombuild/build exim

I had a similar issue and it was due to an old exim installation (not old as in version, old as in the options CB was using to compile it ;))

Regarding the exim conf for SSL directly maintained by DA itself, there is no release date, but the change you make will not create any issue even if DA maintains it directly; you're just telling exim to check all the folders ;)

Best regards
 

swisshuttles (Verified User, joined Jul 5, 2016, 11 messages)
Thanks for your reply. Found my mistake: I had 'exim_sni=1' added to my directadmin.conf but this shouldn't be there for the code to work. Now everything works perfect. Thank you.

Use these two lines to test your configuration (could be handy if someone would like to test their configuration):

For SMTP: openssl s_client -showcerts -servername domain.com -connect mail.domain.com:587 -starttls smtp
For IMAP: openssl s_client -showcerts -servername domain.com -connect mail.domain.com:995
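The two openssl s_client lines above show which certificate the server presents for a given -servername, but you still have to read the output and compare the names by eye. The following is an added example, not code from the thread or from DirectAdmin: a Python probe that performs the same two handshakes (STARTTLS on the submission port, implicit TLS on the IMAPS port) with the SNI name you choose and reports whether the presented certificate actually covers that name, along with its issuer and expiry. Hostnames and ports in main() are placeholders, the SAN lists in demo() are constructed sample data, and the chain is verified against the system CA store. One detail worth noting: the quoted IMAP test uses port 995, which is POP3 over TLS; IMAP over implicit TLS is port 993, so the probe defaults to 993.

```python
"""Added example, not code from the thread or from DirectAdmin: a probe that does
what the two openssl s_client lines above do, then checks that the certificate
presented for the SNI name actually covers that name. Hostnames and ports in
main() are placeholders; the SAN lists in demo() are constructed sample data."""
import socket
import ssl
import sys
from typing import Iterable, Tuple


def hostname_covered(name: str, san: Iterable[Tuple[str, str]]) -> bool:
    """True if name appears among the certificate's DNS SAN entries. One
    left-most wildcard label is honoured: *.example.com covers mail.example.com
    but neither example.com nor a.mail.example.com. (Written out here because
    ssl.match_hostname() was removed in Python 3.12.)"""
    name = name.lower().rstrip(".")
    parent = name.partition(".")[2]
    for kind, value in san:
        if kind != "DNS":
            continue
        value = value.lower()
        if value == name or (value.startswith("*.") and parent and value[2:] == parent):
            return True
    return False


def _context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED
    # Keep chain verification, but do the hostname check ourselves so a server
    # that ignores SNI and serves its default certificate is reported instead
    # of just failing the handshake with CertificateError.
    ctx.check_hostname = False
    return ctx


def check_peer(tls: ssl.SSLSocket, name: str) -> dict:
    cert = tls.getpeercert()
    return {
        "sni": name,
        "covers_name": hostname_covered(name, cert.get("subjectAltName", ())),
        "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
        "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
        "not_after": cert.get("notAfter"),
    }


def probe_imaps(host: str, name: str, port: int = 993, timeout: float = 10) -> dict:
    """Implicit TLS on connect (993 = IMAPS; 995 would be POP3 over TLS)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _context().wrap_socket(raw, server_hostname=name) as tls:
            return check_peer(tls, name)


def _smtp_reply(reader) -> str:
    """Return the 3-digit code of one (possibly multi-line) SMTP reply."""
    while True:
        line = reader.readline().decode("ascii", "replace")
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3] == " ":
            return line[:3]


def probe_smtp_starttls(host: str, name: str, port: int = 587, timeout: float = 10) -> dict:
    """Submission port: greeting, EHLO, STARTTLS, then TLS with SNI = name. Done
    by hand because smtplib.starttls() always sends the connect host as SNI."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        reader = raw.makefile("rb")
        for command, expect in ((None, "220"), (b"EHLO probe.invalid\r\n", "250"),
                                (b"STARTTLS\r\n", "220")):
            if command:
                raw.sendall(command)
            code = _smtp_reply(reader)
            if code != expect:
                raise RuntimeError(f"expected {expect}, got {code} after {command!r}")
        with _context().wrap_socket(raw, server_hostname=name) as tls:
            result = check_peer(tls, name)
            tls.sendall(b"QUIT\r\n")
            return result


def demo() -> dict:
    """Offline check of the matcher against constructed SAN lists."""
    le_style = (("DNS", "mail.example.com"), ("DNS", "example.com"))
    wildcard = (("DNS", "*.example.com"),)
    return {
        "exact": hostname_covered("mail.example.com", le_style),
        "case_and_trailing_dot": hostname_covered("MAIL.Example.com.", le_style),
        "other_host": hostname_covered("imap.example.com", le_style),
        "wildcard": hostname_covered("mail.example.com", wildcard),
        "wildcard_apex": hostname_covered("example.com", wildcard),
        "wildcard_two_levels": hostname_covered("a.mail.example.com", wildcard),
    }


if __name__ == "__main__":
    # usage: python probe.py mail.domain.com domain.com   (placeholder names)
    host, name = sys.argv[1], sys.argv[2]
    print("smtp/587:", probe_smtp_starttls(host, name))
    print("imaps/993:", probe_imaps(host, name))
```

Run it with the host you connect to and the name you expect in the certificate; "covers_name": False with a subject naming the server hostname is exactly the symptom described in this thread (the per-domain certificate is installed but the daemon still serves its default one). A handshake that raises ssl.SSLCertVerificationError instead means the chain itself does not verify, which is what you see when the .cert file lacks the intermediate.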
 

SeLLeRoNe (Super Moderator, joined Oct 9, 2004, 6,794 messages, A Coruña, Spain)
You need to run /usr/local/directadmin/custombuild/build dovecot_conf once you set dovecot_sni=1 in the directadmin.conf file.
This will regenerate your dovecot.conf file to pick up the SNI certificates as well.

Also consider that certificates for already existing domains are not installed unless you make another request for them or, if they include mail.DOMAIN, you can use this:
echo "action=rewrite&value=dovecot_sni" >> /usr/local/directadmin/data/task.queue && /usr/local/directadmin/dataskq

Best regards
 

DreyMIX (New member, joined Feb 26, 2017, 4 messages)
Thanks, but I had already executed these commands. I tried now to re-execute them, but without result.
 

swisshuttles (Verified User, joined Jul 5, 2016, 11 messages)
Same functionality but now on DirectAdmin itself

Hi, I was wondering if someone has figured out the same functionality for using SSL on DirectAdmin itself?

At the moment I only have SSL working on DirectAdmin for the servername, as described at: https://help.directadmin.com/item.php?id=629

But I would like DirectAdmin to run on SSL through the vhost names of my customers. Any help?
 