Submitted by rsecor on Mon, 02/10/2020 - 12:19
My understanding is that Virtualmin will set up Dovecot to allow for SSL Certificates for different domains.
The Dovecot Configuration shows many "local_name" directives that appear to connect to the correct SSL Certs and Keys.
However, when I try and connect to any of them only the first certificate in the configuration file shows up.
How would I go about making this work as expected?
On a side note I did some digging and found that instead of:
local_name mail.example.com {
}
local_name imap.example.com {
}
It appears that as long as both use the same SSL Certificate and SSL Key you can actually do:
local_name "mail.example.com imap.example.com" {
}
Status:
Fixed (pending)
Comments
Submitted by JamieCameron on Tue, 02/11/2020 - 01:18 Comment #1
What command are you testing the connection with? If it's the openssl command, you need to set the -servername flag to specify the hostname for SNI.
Submitted by rsecor on Tue, 02/11/2020 - 11:20 Comment #2
Using:
openssl s_client -showcerts -connect mail.example.com:993 -servername mail.example.com
It appears to give the cert for the host itself instead of the one associated with mail.example.com in the config.
Submitted by rsecor on Tue, 02/11/2020 - 15:07 Comment #3
I tried the following:
I manually commented out all the local_name directives and found that it still gave out the SSL from the hostname of the server.
I tried enabling only the "local_name mail.example.com" section and OpenSSL shows the right certificate coming out (which has example.com -- and should have mail.example.com within it somewhere). However, Apple Mail does not see it (and I was pretty sure that Apple Mail does SNI).
I haven't had time to check any other clients.
Submitted by rsecor on Tue, 02/11/2020 - 15:42 Comment #4
I probably should mention:
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
Dovecot v2.3.9.2 (cf2918cac).
Submitted by rsecor on Tue, 02/11/2020 - 15:42 Comment #5
Removed duplicate message.
Submitted by rsecor on Tue, 02/11/2020 - 15:57 Comment #6
# dovecot -n
# 2.3.9.2 (cf2918cac): /etc/dovecot/dovecot.conf
# OS: Linux 4.15.0-20-generic x86_64 Ubuntu 18.04.4 LTS
# Hostname: server.example.com
auth_mechanisms = plain login
mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = " imap pop3"
ssl_ca = </etc/dovecot/dovecot.key.ca
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
local_name server.example.com {
  ssl_cert = </home/server.example.com/ssl.cert
  ssl_key = # hidden, use -P to show it
}
local_name mail.server.example.com {
  ssl_cert = </home/server.example.com/ssl.cert
  ssl_key = # hidden, use -P to show it
}
local_name mail.example.com {
  ssl_cert = </home/example.com/ssl.cert
  ssl_key = # hidden, use -P to show it
}
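As an added illustration (not code from this thread, Virtualmin or Dovecot), a small Python parser for `dovecot -n` output that builds the local_name to ssl_cert table and resolves which certificate a client would be handed for the SNI name it sends. It assumes local_name blocks are flat, that the space-separated multi-name form from the opening post is valid, and that a missing or unmatched SNI falls back to the global ssl_cert; the sample config is constructed from the one shown above.

```python
import re

# Constructed sample in the shape of `dovecot -n` output from this thread;
# the quoted multi-name local_name form is the one from the opening post.
SAMPLE_CONF = """\
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_key = # hidden, use -P to show it
local_name server.example.com {
  ssl_cert = </home/server.example.com/ssl.cert
  ssl_key = # hidden, use -P to show it
}
local_name "mail.example.com imap.example.com" {
  ssl_cert = </home/example.com/ssl.cert
  ssl_key = # hidden, use -P to show it
}
"""

LOCAL_NAME_RE = re.compile(r'local_name\s+"?([^"{]+?)"?\s*\{')
SSL_CERT_RE = re.compile(r'ssl_cert\s*=\s*<(\S+)')


def parse_sni_table(conf):
    """Return (default_cert, {sni_name: cert_path}) from dovecot -n text.

    Only the top-level ssl_cert and the ssl_cert inside each local_name
    block are read; local_name blocks are assumed not to nest.
    """
    default_cert, table, current = None, {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        m = LOCAL_NAME_RE.match(line)
        if m:
            current = m.group(1).split()  # one block may list several names
            continue
        if line == "}":
            current = None
            continue
        m = SSL_CERT_RE.match(line)
        if not m:
            continue
        if current is None:
            default_cert = m.group(1)
        else:
            for name in current:  # hostnames compare case-insensitively
                table[name.lower()] = m.group(1)
    return default_cert, table


def cert_for_sni(conf, servername):
    """Certificate a client sees: the local_name match for the SNI it sent,
    else the global ssl_cert (assumed fallback, also when no SNI is sent)."""
    default_cert, table = parse_sni_table(conf)
    if servername is None:
        return default_cert
    return table.get(servername.lower(), default_cert)
```

Running `cert_for_sni` against your own `dovecot -n` output for each name your clients are configured with shows immediately which names fall through to the global certificate.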
Submitted by JamieCameron on Wed, 02/12/2020 - 22:57 Comment #7
If you restart Dovecot, does it start successfully?
Submitted by rsecor on Thu, 02/13/2020 - 09:59 Comment #8
Yes.
But now I have done so many changes it is not even giving out any SSL Information.
Any suggestions on completely resetting the configs for Dovecot?
I am installing another system just to grab the configs.
Submitted by rsecor on Thu, 02/13/2020 - 11:08 Comment #9
I grabbed the base installed configs for Dovecot from a new install.
What would be the correct way to get the SSL certs to show back up in the config for the SNI on the domains?
Answer: Re-ask for the SSL Certificate from Let's Encrypt. That will re-create what is needed in the config.
Submitted by rsecor on Thu, 02/13/2020 - 11:47 Comment #10
If you want SNI to work in Dovecot then...
DO NOT click on "Copy to Dovecot" as it adds some items to the Dovecot config.
These two items, "ssl_ca" and "ssl_cipher_list", appear to cause issues for SNI when not encapsulated in a "local_name" directive.
After commenting those two extra items back out it seems to give the correct Certificates out based on names given.
However, both Apple Mail Version 13.0 (3608.60.0.2.5) and Microsoft Outlook 2001 (Build 12430.20184) from Microsoft Office Professional Plus 2016 still are not receiving the correct SSL Cert.
Side note: Dovecot restarts fine.
Thanks for the feedback.
There were a few patches done in this regard. We expect it to be fixed upon next Virtualmin release.
The other work-around would be to disable and then enable the SSL website feature under Edit Virtual Server/Enable Features.
I will talk to Jamie, if this can be improved somehow and the check would be run simply on Save Virtual Server or better on Validate Virtual Servers.
Submitted by rsecor on Fri, 02/14/2020 - 11:32 Comment #13
I am still not sure why but even though OpenSSL shows the correct certificate when I test it, neither Apple Mail nor Outlook seem to be getting the right one. And I am pretty sure they both support SNI.
Does the certificate include the name you are using to connect to your IMAP (Dovecot) server? Like, imap.mydomain.com, the one you put on Apple Mail or Outlook?
Have you tried other mail programs, like Thunderbird?
Submitted by rsecor on Fri, 02/14/2020 - 15:34 Comment #15
Yes, it includes the FQHN... I will check on Thunderbird when I have a moment.