Submitted by crewmark on Thu, 01/05/2017 - 20:13 Pro Licensee
I've got numerous virtual servers, some with SSL certs, some without. When I copy the certificate to Dovecot in one virtual server, all the other virtual servers with SSL certificates change their Dovecot certificate settings to the one I've just copied. This creates a problem when trying to receive emails, as the email browser errors, saying the certificate is from another site. I'm copying the certificate details by selecting the virtual server, then Server Configuration --> Manage SSL Certificate --> Current Certificate | Copy to Dovecot.
Any ideas why it changes globally instead of locally?
Status:
Active
Comments
Submitted by andreychek on Thu, 01/05/2017 - 22:09 Comment #1
Howdy -- unfortunately, Apache is the only service on your system that can have more than one SSL certificate per IP address.
For services such as Dovecot, it only supports one SSL certificate per IP address on your server.
That means that if your domains are sharing an IP address, they'd also need to share an SSL certificate in Webmin, Dovecot, and Usermin.
Submitted by crewmark on Thu, 01/05/2017 - 22:23 Pro Licensee Comment #2
I have multiple IP addresses. If I set up the cert on a shared IP address, then copy to Dovecot, it changes it globally (i.e. to all IP addresses, even those with SSL certs). If I try to copy to Dovecot on a virtual server with its own IP and certificate, it also changes it globally. Is there another setting somewhere that I've missed?
Submitted by crewmark on Mon, 01/09/2017 - 22:39 Pro Licensee Comment #3
I'm still having this issue and can't see where the problem lies. For example, I have 3 domains with their own dedicated IP addresses and their own SSL certs (2 x LetsEncrypt, 1 x AlphaSSL). When browsing to each site, the correct certificate is picked up. However, whichever SSL cert I copy to Dovecot becomes the master and eliminates the others, creating issues when collecting mail (i.e. the last SSL cert copied to Dovecot is read as the certificate for all SSL accounts, even though each has its own dedicated IP). Does that help isolate the issue?
Submitted by andreychek on Tue, 01/10/2017 - 10:17 Comment #4
Yeah, we unfortunately may need Jamie's help on this one. I'm not quite sure what's going on; that does sound like it could be a bug.
Jamie, do you have any thoughts as to what's going on with SSL in this user's setup here?
Submitted by JamieCameron on Tue, 01/10/2017 - 15:10 Comment #5
The "Copy to Dovecot" button will copy the domain's cert to be the default for IMAP connections. However, if you go to System Settings -> Virtualmin Configuration -> SSL settings and change "Copy per-IP SSL certificates to Dovecot?" to "Yes", any domain with SSL and its own IP will get a separate Dovecot cert for just connections to that IP. Which sounds like what you want...
Submitted by crewmark on Tue, 01/10/2017 - 15:19 Pro Licensee Comment #6
Thanks Jamie but "Copy per-IP SSL certificates to Dovecot?" is already checked as "Yes". This appears to be a continuation of a bug issue I had in March last year which we were discussing (https://www.virtualmin.com/node/40090). I had to check the "No" button for "Copy per-IP SSL certificates to Postfix?" back then as a quick fix but now that I'm adding SSL certs to the IP dedicated virtual servers, it's becoming problematic.
Submitted by JamieCameron on Tue, 01/10/2017 - 22:18 Comment #7
Would it be possible for you to attach your Dovecot config files to this bug report? It sounds like Virtualmin is setting up the per-IP cert wrongly, and I want to know why ..
Submitted by crewmark on Tue, 01/10/2017 - 23:06 Pro Licensee Comment #8
The comments pane doesn't appear to let me attach a file. Which Dovecot config files do you want? Just the /etc/dovecot/dovecot.conf one? I could just copy & paste it in if you like.
Submitted by crewmark on Thu, 01/19/2017 - 17:18 Pro Licensee Comment #9
This is the dovecot.conf file. It would be good to get this one sorted.
listen = *
## Dovecot configuration file
# If you're in a hurry, see http://wiki.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Protocols we want to be serving.
#protocols = imap pop3 lmtp
protocols = imap pop3
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
#!include_try /etc/dovecot/local.conf
Submitted by JamieCameron on Thu, 01/19/2017 - 18:50 Comment #10
Can you also attach the relevant config files in /etc/dovecot/conf.d ?
Submitted by crewmark on Mon, 01/23/2017 - 23:05 Pro Licensee Comment #11
Sorry, didn't see this update. Is this the one you want to see? 10-ssl.conf
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
#ssl = yes
ssl = yes
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
#ssl_ca =
ssl_ca = </etc/dovecot/dovecot.ca.pem
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168
# SSL protocols to use
#ssl_protocols = !SSLv2 !SSLv3
# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
Submitted by JamieCameron on Tue, 01/24/2017 - 21:57 Comment #12
I'm actually looking for whichever file contains the private IP address for the domain.
Submitted by crewmark on Wed, 01/25/2017 - 15:41 Pro Licensee Comment #13
There is nothing in the /etc/dovecot/conf.d dir containing the private IP? Where would I find the file you're after?
Submitted by JamieCameron on Thu, 01/26/2017 - 19:21 Comment #14
It doesn't sound like per-IP SSL certs are being setup at all if there is no reference to the IP address.
If you enabled SSL for the domain before changing "Copy per-IP SSL certificates to Dovecot?" to "Yes", can you try disabling and then re-enabling SSL for the domain?
Submitted by crewmark on Thu, 01/26/2017 - 21:20 Pro Licensee Comment #15
No... it's weird. I've had both "Copy per-IP SSL certificates to Dovecot" & "Copy per-IP SSL certificates to Postfix" off and on, and turned certs off and on, but no change. With both the above "On", under "Server Configuration/Manage SSL Certificate", if I "Copy to Dovecot" and/or "Copy to Postfix" it appears to work and states "This SSL certificate is already being used by : Dovecot, Postfix". Then I check another domain (with own IP and SSL) and it no longer has the message that the certificate is already being used. So the Copy per IP for both Dovecot and Postfix don't appear to be working.
Submitted by JamieCameron on Fri, 01/27/2017 - 19:27 Comment #16
Which version of Dovecot are you running there? This feature isn't supported on versions below 2.0.
Submitted by crewmark on Fri, 01/27/2017 - 20:06 Pro Licensee Comment #17
Version 2.0.9. Would using Let's Encrypt certs on some domains create any issue with this?
Submitted by JamieCameron on Sat, 01/28/2017 - 19:52 Comment #18
No, Let's Encrypt shouldn't cause any problems. However, you do need each domain to have its own IP address - unlike Apache, where multiple SSL sites can share an IP, Dovecot requires that each domain that wants its own SSL cert have its own IP.
Submitted by crewmark on Sun, 01/29/2017 - 16:16 Pro Licensee Comment #19
Thanks, and yes, each of the domains I'm trying to set their own SSL for Dovecot and Postfix have their own IP address and own SSL cert. I've got more domains I need to set up with this too. Still researching this issue, but any help would still be great.
Submitted by JamieCameron on Mon, 01/30/2017 - 00:30 Comment #20
I'm mystified as to what is going on here, as it sounds like you have met all the pre-conditions for copying the SSL cert to Dovecot.
Any chance we could login to your system to see what's going wrong?
Submitted by JCPGR on Mon, 01/30/2017 - 10:52 Comment #21
I have the same problem and didn't find how to solve it. Webmin 1.831 / Virtualmin 5.05 / Dovecot 2.2.22 / Postfix 3.1.0 / 4 IP addresses … Does it have something to do with the SSL settings in the Webmin configuration (Per-IP certificates)? I also need help! Thanks
Submitted by crewmark on Mon, 01/30/2017 - 15:22 Pro Licensee Comment #22
Thanks Jamie... I think that may be the best at this point... how can I PM you the details?
Submitted by JamieCameron on Tue, 01/31/2017 - 00:03 Comment #23
You can email me directly at jcameron@virtualmin.com
Submitted by JamieCameron on Wed, 02/01/2017 - 01:23 Comment #24
Ok, I see the bug that causes this now. I have patched it on your system - please try disabling and enabling SSL for one domain, and let me know if that helps.
Submitted by luckyluc on Wed, 02/01/2017 - 09:25 Comment #25
I'm having that same issue. Can you explain your solution?
Thanks in advance
Submitted by JamieCameron on Wed, 02/01/2017 - 16:22 Comment #26
It required a code change in Virtualmin to fix - there isn't any simple work-around.
Submitted by crewmark on Thu, 02/02/2017 - 21:36 Pro Licensee Comment #27
Thanks Jamie, but it doesn't appear to have worked. I turned off one of the SSL certificates via Virtualmin/Services/Configure Website for SSL, SSL Options, and selected "No" for "Enable SSL?". Restarted Apache and ensured SSL on that domain was not on. Then turned it back on, restarted Apache, went to Virtualmin/Server Configuration/Manage SSL Certificate, then hit "Copy to Postfix". Went to the other domain and checked: Postfix was no longer being used for that server certificate. Copied to Postfix, then checked the previous domain, and Postfix had been removed. I'll try with another domain with a fresh SSL this evening and let you know if I get any different outcome.
Submitted by crewmark on Fri, 02/03/2017 - 00:35 Pro Licensee Comment #28
Just tried with a new domain, IP address and SSL cert, and the same problem is happening: whichever SSL certificate Dovecot or Postfix is being copied to overrides the others.
Submitted by JamieCameron on Fri, 02/03/2017 - 19:58 Comment #29
Try not clicking "Copy to Postfix" or "Copy to Dovecot". Those buttons copy it for all IPs, but it should get automatically setup for the domain's private IP as soon as you enable SSL.
Submitted by crewmark on Sat, 02/04/2017 - 16:20 Pro Licensee Comment #30
OK, I see... thanks, that seems to be creating the right certificate now, but unfortunately it opened a new can of worms. I set up a new domain with a new IP address with SSL activated, and it prevented all other sites with own IPs and SSL activated from receiving any mail. When checking connectivity of other SSL cert virtual servers it came up with an SMTP connectivity error. When I turned off SSL for the new domain the error continued. I had to disable SSL on that site in order to get the mail on the other servers running again. Sites without SSL enabled were not affected?
Submitted by crewmark on Sun, 02/05/2017 - 22:14 Pro Licensee Comment #31
Sorry Jamie but that didn't work either... all domains using SSL for SMTP come up with the domain I copied the postfix and dovecot from... how can I remove the default dovecot & postfix from the domain that I've copied those to?
Submitted by JamieCameron on Mon, 02/06/2017 - 20:52 Comment #32
If you check your Postfix config file /etc/postfix/master.cf, is there an entry for the IP address of the domain that you want to have its own SSL cert for SMTP?
Submitted by crewmark on Tue, 02/07/2017 - 17:08 Pro Licensee Comment #33
There are no IP addresses referenced in that file at all.
Submitted by crewmark on Thu, 02/16/2017 - 18:00 Pro Licensee Comment #34
Any more ideas on this? At the moment one SSL cert is coming up for all domains trying to use SSL mail which is getting frustrating.
Submitted by JamieCameron on Sun, 05/07/2017 - 12:25 Comment #35
FYI, support for Dovecot SSL certs even for domains that don't have their own private IP will be in the next Virtualmin release.
Submitted by crewmark on Sun, 05/07/2017 - 16:26 Pro Licensee Comment #36
Excellent... and I see the postfix IP issues will be fixed too... so, when's the next version due? :)
Submitted by JamieCameron on Sun, 05/07/2017 - 17:20 Comment #37
Couple of days, hopefully.
Submitted by des-ign on Sat, 06/17/2017 - 06:49 Comment #38
hello,
Because this is a very serious issue, do we have any news?
Servers are almost useless without a solution here.
Submitted by andreychek on Sat, 06/17/2017 - 08:58 Comment #39
I believe that should be part of Virtualmin 5.99/6.0.
We've released 5.99 to the repos a few weeks ago, does that Virtualmin version fix that issue for you?
Submitted by des-ign on Sat, 06/17/2017 - 14:02 Comment #40
I updated to 5.99 but nothing changed.
And we are talking about 2 different IPs, so it is not a Postfix or Dovecot issue.
Submitted by JamieCameron on Sun, 06/18/2017 - 11:27 Comment #41
Note that if you just upgraded, you will need to disable and re-enable SSL for the domain for Dovecot to be configured.
Submitted by des-ign on Mon, 06/19/2017 - 11:00 Comment #42
You mean from "Edit Virtual Server", and then "Apache SSL website enabled?"
I'm sorry to ask in detail, but I'm afraid of destroying things...
Submitted by JamieCameron on Wed, 06/21/2017 - 01:04 Comment #43
Yes - it is quite safe to disable and re-enable the SSL feature.
Submitted by bchris999 on Tue, 09/12/2017 - 06:08 Comment #45
Instead of the "Copy to Dovecot" button replacing the current certificate, would it be possible to have this implement SNI?
local_name mail.example.org {
ssl_cert = </home/example.org/example.org.crt
ssl_key = </home/example.org/example.org.key
}
https://wiki.dovecot.org/SSL/DovecotConfiguration
On dovecot.conf, adding this may work?
local_name dom2.com {
ssl_cert = </home/dom2/ssl.cert
ssl_key = </home/dom2/ssl.key
}
Where does one add the same cert path on Postfix? Any ideas? Please send any link or info on how to configure COPYING or config of SSL for Dovecot and Postfix.
I have enabled: Copy per-IP SSL certificates to Dovecot? Yes
Copy per-IP SSL certificates to Postfix? Yes
Submitted by JamieCameron on Sun, 10/07/2018 - 17:04 Comment #47
There's no equivalent of local_name on Postfix unfortunately - it only supports per-IP certs.
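As an added illustration of the two certificate-selection mechanisms discussed in this thread, per-IP `local` blocks (what "Copy per-IP SSL certificates to Dovecot?" is meant to produce) and SNI `local_name` blocks (comment #45), the script below is example code written for this page; it is not Virtualmin's, Dovecot's, or any poster's code. It parses the `ssl_cert` / `ssl_key` settings out of a constructed Dovecot 2.x-style config with a global default, one `local <ip>` block and one `local_name <host>` block, resolves which certificate a client connecting to a given IP (with or without SNI) would be shown, and lists the IPs that would still fall back to the global certificate, which is the symptom reported above. The IPs, hostnames and certificate paths are made up, and the precedence order (SNI name, then IP, then global, using only the innermost enclosing block) is a simplification of Dovecot's section matching that this example assumes.

```python
"""Resolve which certificate a Dovecot config would present per connection.

Example code for this thread (not Dovecot's or Virtualmin's own). Reads the
global `ssl_cert`/`ssl_key`, `local <ip> { }` and `local_name <host> { }`
sections of a Dovecot 2.x style config and reports the cert per connection.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config: IPs, names and paths are placeholders, not from
# the thread.  The comments mirror Dovecot's real syntax for the two block types.
SAMPLE_CONF = """
ssl = yes
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

# per-IP certificate: used for clients that connect to this local address
local 192.0.2.10 {
    ssl_cert = </home/example.org/ssl.cert
    ssl_key = </home/example.org/ssl.key
}

# SNI certificate: selected by the server name the client sends in the handshake
local_name mail.example.net {
    ssl_cert = </home/example.net/ssl.cert
    ssl_key = </home/example.net/ssl.key
}
"""

SECTION_RE = re.compile(r"^(\w+)(?:\s+(\S+))?\s*\{$")   # e.g. "local 192.0.2.10 {"
SETTING_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")           # e.g. "ssl_cert = </path"


@dataclass
class CertMap:
    default: dict = field(default_factory=dict)   # global ssl_cert / ssl_key
    per_ip: dict = field(default_factory=dict)    # local ip   -> {ssl_cert, ssl_key}
    per_name: dict = field(default_factory=dict)  # SNI name   -> {ssl_cert, ssl_key}


def parse_dovecot_ssl(text):
    """Collect ssl_cert/ssl_key per global, `local` and `local_name` scope."""
    cm = CertMap()
    stack = []  # enclosing sections as (kind, argument); innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment (simplified)
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        sec = SECTION_RE.match(line)
        if sec:
            kind, arg = sec.group(1), sec.group(2)
            if kind == "local" and arg:
                stack.append(("ip", arg))
            elif kind == "local_name" and arg:
                stack.append(("name", arg.lower()))
            else:
                stack.append(("other", arg))  # dict {}, namespace {}, ...
            continue
        setting = SETTING_RE.match(line)
        if not setting or setting.group(1) not in ("ssl_cert", "ssl_key"):
            continue
        key, value = setting.group(1), setting.group(2).strip()
        target = cm.default
        for kind, arg in reversed(stack):  # innermost local/local_name wins
            if kind == "ip":
                target = cm.per_ip.setdefault(arg, {})
                break
            if kind == "name":
                target = cm.per_name.setdefault(arg, {})
                break
        # Dovecot's "<path" means "read the value from this file"; keep the path.
        target[key] = value[1:] if value.startswith("<") else value
    return cm


def cert_for_connection(cm, local_ip, sni=None):
    """Return (cert_path, how) for a client hitting local_ip, with optional SNI.

    Assumed precedence: SNI name, then per-IP block, then the global default.
    """
    name = sni.lower() if sni else None
    if name and "ssl_cert" in cm.per_name.get(name, {}):
        return cm.per_name[name]["ssl_cert"], "local_name (SNI)"
    if "ssl_cert" in cm.per_ip.get(local_ip, {}):
        return cm.per_ip[local_ip]["ssl_cert"], "local (per-IP)"
    return cm.default.get("ssl_cert"), "global default"


def ips_without_own_cert(cm, expected_ips):
    """IPs that should have their own cert but would serve the global one."""
    return sorted(ip for ip in expected_ips
                  if "ssl_cert" not in cm.per_ip.get(ip, {}))


if __name__ == "__main__":
    cm = parse_dovecot_ssl(SAMPLE_CONF)
    for ip, sni in [("192.0.2.10", None), ("192.0.2.11", "mail.example.net"),
                    ("192.0.2.11", None)]:
        print(ip, sni, "->", cert_for_connection(cm, ip, sni))
    print("falling back to global cert:",
          ips_without_own_cert(cm, ["192.0.2.10", "192.0.2.11"]))
```

To check a live server instead of the constructed sample, feed the script the output of `doveconf -n` (mentioned at the top of the pasted dovecot.conf) and pass the list of dedicated IPs; any IP the last function prints is one whose clients would get the global certificate, which is exactly the "one cert for all domains" behaviour described in the thread. Note that nothing here is Postfix-specific: as the final comment says, Postfix offers no `local_name` equivalent, only per-IP certificates.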