Multiple domains and email certificate issues


#1

Dear All,

On the topic of email certificate issues I’ve just noticed that the following guides have been added to the Bytemark documentation library:

https://docs.bytemark.co.uk/article/enabling-sni-for-dovecot-on-symbiosis/

https://docs.bytemark.co.uk/article/enabling-sni-for-exim-on-symbiosis/

The guides seem to suggest that the one-time changes will overcome the issue of having to use the FQDN or a generic domain to collect mail without ssl certificate mismatch issues.

Am I correct in assuming that the guide at the link below is now superseded by the above: https://docs.bytemark.co.uk/article/adding-an-ssl-certificate/

Are my assumptions correct?

Regards, Pete

Update from Bytemark:

Hi Pete,

Yes, for email certificates the older guide would be superseded, since you’d be removing the reliance on /etc/ssl to find certificates (which could only be for one domain), in favour of dynamically searching /srv/*/config/ssl/current/ (which can be any domain you have set up in the /srv directory).

Just to bear in mind, if you add a new domain to your server in the future you’ll need to run through the Dovecot guide again as it’s unfortunately not as intelligent as Exim.

A tad unrelated, but the older guide may still prove useful if you were wanting to change the certificate used by FTP TLS, as that’ll still rely on the /etc/ssl directory to find a certificate.

Kind regards,

Andrew

Has anyone out there tried the new SNI guides? Are there any drawbacks?


#2

I’ve not tried the guides but just a quick comment…

Less inquisitive, I’d say. :wink:

This sounds ripe for symbiosis automagic. /etc/symbiosis/ssl-hooks.d/dovecot-sni-config rebuilds dovecot config file(s) after every ssl-update & restarts the service. The main dovecot config file includes a default cert and says something like:

!include_try /etc/dovecot/symbiosis-sites/*.conf

(I’d love to know where/why the “!” syntax arrived)

What could go wrong? :wink:
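The hook sketched in #2, written out as an added example (this is not Symbiosis' own code and does not come from the Bytemark guides). It rebuilds one Dovecot local_name snippet per domain from /srv/<domain>/config/ssl/current/, which is the step Andrew's reply in #1 says has to be repeated by hand for every new domain. Assumptions: the file names ssl.combined and ssl.key inside the current/ directory, the output directory /etc/dovecot/symbiosis-sites pulled in by the !include_try line above, and that the script is invoked with an `apply` argument (the argument Symbiosis passes to ssl-hooks.d scripts is not on this page). `local_name` is Dovecot's own SNI directive (2.2 and later) and `doveadm reload` is Dovecot's own reload command.

```shell
#!/bin/sh
# Added example: regenerate per-domain Dovecot SNI snippets from the
# certificates Symbiosis keeps under /srv/<domain>/config/ssl/current/.
# Assumed file names: ssl.combined (cert + chain) and ssl.key.

SRV_ROOT="${SRV_ROOT:-/srv}"
OUT_DIR="${OUT_DIR:-/etc/dovecot/symbiosis-sites}"

# Return 0 if the name is a plain hostname that Dovecot can match in local_name.
# (Refuses anything with spaces or odd characters so no broken snippet is written.)
valid_domain() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Return 0 if the file is non-empty and starts like a PEM certificate.
# A cheap sanity check so a half-written or empty file never reaches Dovecot.
looks_like_pem_cert() {
    [ -s "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# Write one local_name block per domain that has a usable cert and key.
# Prints the number of snippets written; skipped domains are reported on stderr.
build_dovecot_sni_conf() {
    srv_root="$1"
    out_dir="$2"
    count=0
    mkdir -p "$out_dir"
    rm -f "$out_dir"/*.conf          # stale snippets must not survive a removed domain
    for site in "$srv_root"/*; do
        [ -d "$site" ] || continue
        domain=$(basename "$site")
        ssl_dir="$site/config/ssl/current"
        cert="$ssl_dir/ssl.combined"
        key="$ssl_dir/ssl.key"
        if ! valid_domain "$domain"; then
            echo "skip $domain: not a hostname" >&2
            continue
        fi
        if ! looks_like_pem_cert "$cert" || [ ! -s "$key" ]; then
            echo "skip $domain: no usable certificate under $ssl_dir" >&2
            continue
        fi
        # Dovecot (2.2+) picks this block when the client's SNI name equals $domain.
        cat > "$out_dir/$domain.conf" <<EOF
# generated from $ssl_dir; do not edit by hand
local_name $domain {
  ssl_cert = <$cert
  ssl_key  = <$key
}
EOF
        count=$((count + 1))
    done
    echo "$count"
}

# Assumed hook entry point: `dovecot-sni-config apply` rebuilds the snippets
# and asks Dovecot to re-read its configuration.
if [ "${1:-}" = "apply" ]; then
    n=$(build_dovecot_sni_conf "$SRV_ROOT" "$OUT_DIR")
    echo "wrote $n Dovecot SNI snippet(s) to $OUT_DIR"
    doveadm reload
fi
```

The PEM check only guards against empty or unfinished files; it does not prove the certificate actually covers the domain name, so a cert issued only for the machine name will still produce a mismatch even though a snippet is written. After a reload, `openssl s_client -connect host:993 -servername example.com` shows which certificate Dovecot hands out for a given SNI name, which is the check worth running once per domain.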


#3

I’ve just created a new SymStretch vm with the intention of implementing SNI for Exim and Dovecot using the following guides:

https://docs.bytemark.co.uk/article/enabling-sni-for-exim-on-symbiosis/

https://docs.bytemark.co.uk/article/enabling-sni-for-dovecot-on-symbiosis/

From the outside world I find the SNI for Exim guide a little vague because I’m unsure whether I’m meant to replace the file /etc/exim4/symbiosis.d/00-main/50-tls-options with the extract from the guide or just edit portions of the file?

Please add some clarity Bytemark.


#4

It looks clear and well commented from here but maybe my exim bubble is stronger than I thought. It’s an ‘Edit’ – you’re adding a line for logging, changing the tls_certificate value and commenting out tls_privatekey. The rest is as-is.


#5

The SNI docs do indeed provide sufficient clarity. I now have 2 test domains sending and receiving mail without certificate issues. This is significant for me because I have needed to migrate a long standing domain and 300 email accounts from a machine running Wheezy. Having 300 email users change their in/out mail settings to reflect the FQDN or an alternative domain would have been emotional.


#6

Sounds good! Thanks for posting and path-finding.


#7

Reference to the SNI guides really needs including within the Symbiosis tech docs.


#8

Update: ignore this now, I’ve sorted it.

I’ve just raised a new thread as I couldn’t find this, or similar, threads before.

Are you saying you can use the domain name itself as the incoming/outgoing mail server, rather than the machine name?

I’ve gone through the guide for exim and it appears to have installed correctly, however if I use a domain name instead of the machine name, I get an invalid server message.

Am I expecting the wrong thing?