use SSL for mail server

soheil.server

I installed an SSL certificate in DA (not issued by Let's Encrypt) and it works fine for my website, but it is not used for my mail server. I ran the following script but it didn't work. How do I solve the issue?
Code:
cd /usr/local/directadmin
echo mail_sni=1 >> conf/directadmin.conf
service directadmin restart
cd custombuild
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set dovecot_conf yes
./build exim_conf
./build dovecot_conf
When I want to use Gmail to connect through SMTP on port 587, it says:
Couldn't reach server. Please double-check the server and port number.
 
Have you read this in full? https://directadmin.com/features.php?id=2019

And did this?

If you want to tell all live SSL domains to have their dovecot configs written, type:
echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
echo "action=rewrite&value=mail_sni&domain=domain.com" >> /usr/local/directadmin/data/task.queue
This will recreate the sni/domain.com.conf for each SSL domain, plus one for the system hostname.

It will use the /etc/virtual/domainowners, to go through each domain, each cert, and remove any existing *:user:domain.com entries from snidomains, and re-add whatever is present.
 
I also ran those 2 echo scripts, but when I want to connect through port 587 TLS it says:
Authentication failed. Please check your username/password.
Server returned error: "TLS Negotiation failed, the certificate doesn't match the host., code: 0"
and 587 SSL:
Couldn't reach server. Please double-check the server and port number.
 
Just in case you have CSF you need to make sure that port 587 is also open for the user in request.
 
So it seems I have forgotten to include mail.domain.com while buying my certificate! Can I now use an LE certificate only for my mail server?
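
Added example (not part of any poster's message and not DirectAdmin's own tooling): a shell check for the "certificate doesn't match the host" error above, showing that a certificate naming only the website does not cover mail.domain.com. The certificate is constructed and self-signed, the function names are hypothetical, and the openssl CLI (1.1.1 or later) is assumed.

```sh
#!/bin/sh
# Added example; function names are hypothetical. Requires openssl 1.1.1+.

# cert_covers HOST PEMFILE: succeeds only if the certificate is valid for HOST.
cert_covers() {
    openssl x509 -in "$2" -noout -checkhost "$1" 2>/dev/null |
        grep -q 'does match certificate'
}

# fetch_smtp_cert HOST PORT: print the certificate a live server presents.
# Port 465 is TLS-on-connect (tls_on_connect_ports); 25 and 587 start in
# plaintext and upgrade with STARTTLS, so the two need different handshakes.
fetch_smtp_cert() {
    if [ "$2" = 465 ]; then
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" -starttls smtp </dev/null 2>/dev/null
    fi | openssl x509
}

# make_demo_cert PEMFILE: constructed self-signed certificate that names the
# website (domain.com, www.domain.com) but not mail.domain.com.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=domain.com" \
        -addext "subjectAltName=DNS:domain.com,DNS:www.domain.com" 2>/dev/null
}

# Offline demonstration on the constructed certificate.
tmp=$(mktemp -d)
make_demo_cert "$tmp/web.pem"
for host in domain.com www.domain.com mail.domain.com; do
    if cert_covers "$host" "$tmp/web.pem"; then
        echo "$host: covered"
    else
        echo "$host: NOT covered, mail clients will reject it"
    fi
done
rm -rf "$tmp"

# Against a live server (not run here):
#   fetch_smtp_cert mail.domain.com 587 > /tmp/served.pem
#   cert_covers mail.domain.com /tmp/served.pem && echo match
```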
 
Hi all, I want to use SSL for email as well, but only some users are interested in this.

I have 2 questions and I hope someone can help me with them!

1) Will old users still be able to connect as they used to without any encryption or only TLS?

I plan to do this:
Open port 465 and then add this: (https://help.directadmin.com/item.php?id=427)
daemon_smtp_ports = 25 : 587 : 465
tls_on_connect_ports = 465
It's an old article and I found that it should be in the exim variables file, which I need to create first.

2) Is this all you need to do for SSL encrypted email to work?

Thanks for any help,

Reg. Rob
 
Hello, I will answer you via your points.

1.) If you don't create any restrictions, yes, then both the old method and the SSL method are available to the users.
Do -not- use this help section. You better use the newest Spamblocker exim.conf 4.5.35, which already has the correct ports available, so you don't need to change anything. Normally TLS is on port 587 and SSL is port 465, by the way.

2.) No, you also have to enable mail, create certificates for it, and enable mail_sni in directadmin.conf.
You can read about creating certificates elsewhere.
 
From my notebook:
Code:
cd /usr/local/directadmin
echo mail_sni=1 >> conf/directadmin.conf
service directadmin restart
cd custombuild
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set dovecot_conf yes
./build exim_conf
./build dovecot_conf

echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
/usr/local/directadmin/dataskq d800
 
Thanks!
By mail you mean mail.domain.com I guess?
That one has the certificates for it already.
Will try to enable mail_sni now.
 
Hi, thanks again and that did the trick functionally!

On his MacBook it uses port 465 as expected. On his iPhone he cannot get it working with port 465 but it works with port 587 there...
It works, that's the most important!
(Ports are open on the server.)
 
Hmm, check the devices and OS, also the ISPs, for yes or no TLS versions, ports yes or no open / or permission to use with own mail services, and cyphers and so on.

You can maybe find some online testers to see your server and test for some protocols and ports, also TLS versions and cyphers.

Older devices need older settings / configs, but also some older OS, or even newer depending..
 