Scripts for Exim SNI with a (Let's Encrypt) user certificate

Mattie

Verified User
Joined
Jun 1, 2008
Messages
81
https://www.directadmin.com/features.php?id=1911
Good news, it seems official support for Exim with SNI will be in the next version and judging by the documentation it is based on my implementation :)
THANK YOU!

I recently added the dovecot feature (didn't noticed that it was pretty new) and I started looking for Exim till I found your post. In this case I will just wait till they implemented the feature :) Much more convenient then to do it myself.
 

Imtek

Verified User
Joined
Dec 11, 2005
Messages
151
Location
The Netherlands
You can only enable it, i am missing field where i can put in the certificate or even use Let's Encrypt. Maybe i am missing something?
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,794
Location
A Coruña, Spain
Once it's enable you should have on the bottom of the certificate page (if you are using DA skin or any updated skin) where you can select which certificate is for the mail use.
 

Imtek

Verified User
Joined
Dec 11, 2005
Messages
151
Location
The Netherlands
Weird, i only get select boxes and my web certificate field. Is it not possible to use Let's Encrypt for this? I don't use any custom skin. I guess the enhanced skin is update on every update? Maybe i need to run the beta of DA instead of the latest release.
 

hci

Verified User
Joined
Jun 15, 2004
Messages
333
I have a directadmin server I installed about a year ago on centos 7. It was an upgrade to a centos 5 or 6 machine. I have only done the yum updates to it. Is there a how too on enabling signed SSL for email? It has many many email accounts and iphones etc complain.
 

elvinas

Verified User
Joined
Jun 11, 2018
Messages
7
Hi,

I followed the instructions in here https://www.directadmin.com/features.php?id=2019
But it still does not work for me.
The task `echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue` does not add anything to /etc/snidomains/ and/or to /etc/dovecot/conf/sni.


I don't know if it is related but when I generate a new Let's Encrypt certificate at the DA SSL page, at the end of the log I see this message:

Cannot find the dovecot_sni.conf template.

After initial certificate creation in DA SSL page the /etc/snidomains/ was updated with the domain but the /etc/dovecot/conf/sni folder is still empty.
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,794
Location
A Coruña, Spain
Have you restared DirectAdmin after you set mail_sni=1?
Have you tried to rewrite dovecot configuration? /usr/local/directadmin/custombuild/build dovecot_conf

Best regards
 

whitehat

Verified User
Joined
Jan 20, 2005
Messages
26
Location
Pennsylvania, U.S.
Into my 15th year here on/with DA. I rarely post as I am not lazy and am willing to search 100's of posts to find what I need; I do not want to add unnecessary noise. But here I must go, making my first post in probably nine or ten years. I'm sorry to drag up an old thread, but this thread still seems like it is the appropriate place for me to post this.

I am search/googled whipped and weary. Trying to find my answer here at DA on my issue makes me feel as if I'm like a dog chasing its tail: Old answers that point to new answers that point to older answers that point to newer older answers that point to older older answers, etc, ad nauseum. .

End of bitch - Let's Begin: I have a current server on which I am running an older version of DA. (As background info - I am not going to update it for a while for My reasons). Three weeks ago, I added a new virgin box, installed with DA 1.55, to which I added three users for testing purposes. DNS is correct for all domains, including mx, PTRs, DKIM, etc. For the most part, all has gone well. Except: Exim and Dovecot. I cannot get exim/dovecot to pull the appropriate certificates for mail for the domains; only the server certificate is being used, whether inbound or outbound.

Let's Encrypt certificates are installed for all users.

DA conf contains value of mail_sni=1.

Files /etc/virtual/snidomains, /etc/virtual/domainowners, and /etc/virtual/domains exist and contain all the proper information, owner/grp is mail, permissions 640 (rw-r).

Folder /etc/dovecot/conf/sni/ list all the domains (all owned by root, fwiw).

All user certificate information seems to be in order in each /usr/local/directadmin/data/users/USERNAME/domains/.

Exim and exim conf are the latest versions.

My only change to exim.conf was to replace "tls_on_connect_ports = 465" with: tls_on_connect_ports = 465:587

and to the file /etc/exim.variables.conf.custom, I added these lines:

Code:
auth_advertise_hosts = ${if or { {eq {$received_port}{465}} {eq {$received_port}{587}} } {*}{}}

tls_certificate=${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.cert.combined}{/etc/exim.cert}}

tls_privatekey=${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}message_size_limit=50M
Even though the DA install was done only three weeks ago, I know I needed to use CB2: /usr/local/directadmin/custombuild/build exim and dovecot confs, which, of course, incorporated my custom variables into /etc/exim.variables.conf .

Restart exim, restart dovecot. Nothing different.

I am at my wit's end. I am asking for a simple yet detailed answer -> as of DA 1.55, Just what does it take to get DA's versions of exim/dovecot to make use the domain certificate and NOT the server certificate. It really should not be this hard. What have I missed? What am I missing? And rhetorically speaking, Why isn't this a part of DA?

Thanks in advance to any of you who help without clutter.

Mike Brown
 

SeLLeRoNe

Super Moderator
Joined
Oct 9, 2004
Messages
6,794
Location
A Coruña, Spain
Hi Mike,

First thing first, this is part of DA, otherwise you would have to go even more crazy, trust me :D

Did you rewrite confs once you enabled mail_sni?

First thing I would try is this:
Code:
sed -i "s/mail_sni=.*/mail_sni=1/" /usr/local/directadmin/conf/directadmin.conf
service directadmin restart
/usr/local/directadmin/custombuild/build set dovecot_conf yes
/usr/local/directadmin/custombuild/build set eximconf_release 4.5
/usr/local/directadmin/custombuild/build set eximconf yes
/usr/local/directadmin/custombuild/build set blockcracking yes # THIS MIGHT BE NOT REALLY REQUIRED
/usr/local/directadmin/custombuild/build set easy_spam_fighter yes # THIS MIGHT BE NOT REALLY REQUIRED
/usr/local/directadmin/custombuild/build dovecot_conf
/usr/local/directadmin/custombuild/build exim_conf
/usr/local/directadmin/custombuild/build rewrite_confs
I know is not a simple and detailed answer, but really for those thing unless you have a crystal ball.. it's quite impossible to know the problem without log into the server :)

One thing actually, make sure that the user's level domain (for each of those 3 users) have the SSL option enabled, I don't mean the user' account, but the domain configuration.

Let me know

Andrea
 

whitehat

Verified User
Joined
Jan 20, 2005
Messages
26
Location
Pennsylvania, U.S.
Wow. That was fast.

Thanks, Andrea.

:::::: am looking for salt and pepper to place upon the crow I am eating :::::::::

Your answer was simple, detailed, and uncluttered. And it worked for me. I'm not sure what I missed, but that is immaterial now. Apparently I must have skipped one of your steps in my previous work. A self-inflicted error, but maybe someone else will benefit from these last posts.

Now that that was solved ( I have confirmed the ehlo), with the conf changes and restarts, I'm now getting ssl errors from mail being sent by an authorized user through exim: from my exim mainlog:

TLS error on connection from bogus_IP [111.111.111.111] (SSL_CTX_use_PrivateKey_file file=/etc/exim.keydisable_ipv6=true): error:02001002:system library:fopen:No such file or directory

I have ip6 disabled for now on the server... the fun never ends, does it? :p I am off to solve this current exim problem.

In my opinion, "Simple yet Detailed" is not any oxymoron. Your quick and direct suggestion is proof.

Many thanks again for taking your time for me.

Mike Brown


[My Edit: This last problem was also self inflicted. I had inadvertently deleted " disable_ipv6=true " from the conf files. Edit, add, restart. Voila! Problem solved. /Edit]
 
Last edited:
Top