Multiple SSL certs with Dovecot & Exim

Dominic -

PROBLEM

How do I use multiple SSL certs for Dovecot and Exim?

ENVIRONMENT

  • On-Premises Server: Version 7.7+

CAUSE
Default configurations only allow for one pair of SSL certificates.

PRESUMPTIONS

Two or more domains requiring SSL certificates. This document will use the following domains for our examples:

  • dog.com
  • fish.com

If you would like to use self-signed certificates, these can be generated using this documentation.

RESOLUTION

Note: The multi-cert implementation only works with clients that advertise SNI. Otherwise the server provides the default certificate.

For my certs, I have used the naming form domain.com.key and domain.com.pem.

Please take note of the following permissions and ownership, applied to each cert and key file (dog.com.pem shown as the example):

  • permissions = chmod 644 dog.com.pem
  • ownership = chown atmail:root dog.com.pem

Contents and naming conventions for private/*.key:

[root@7802 ~]# ll /usr/local/atmail/mailserver/ssl/private/
total 20
-rw-r--r-- 1 atmail root 1675 May 18 12:30 dog.com.key
-rw------- 1 atmail root  912 May 16 08:04 dovecot.key
-rw-r--r-- 1 atmail root 1679 May 18 12:17 fish.com.key
-rw-r--r-- 1 atmail root  951 May 16 08:01 smtp.key
-rw-r--r-- 1 atmail root  887 May 16 08:01 smtpserver.key

Contents and naming conventions for certs/*.pem:

[root@7802 ~]# ll /usr/local/atmail/mailserver/ssl/certs/
total 12
-rw-r--r-- 1 atmail root 1350 May 18 12:30 dog.com.pem
-rw-r--r-- 1 atmail root 1046 May 16 08:04 dovecot.pem
-rw-r--r-- 1 atmail root 1350 May 18 12:16 fish.com.pem
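
Because the SNI lookup is purely name-based, a certs/<name>.pem without its private/<name>.key leaves the Exim expressions pairing that domain's cert with the default dovecot.key, which cannot match. The following shell script is an added example, not atmail tooling or the article's code, that audits the ssl/ tree for unpaired files and reports owner, group and mode of each private key. SSL_ROOT defaults to the article's path and can be pointed at a test directory; keys without a certificate are only reported as informational, because the article's own listing keeps smtp.key and smtpserver.key in private/ without a .pem counterpart.

```shell
#!/bin/sh
# Added example, not atmail's own tooling: audit the ssl/ tree described in
# the article. Every certs/<name>.pem needs a private/<name>.key, otherwise
# the SNI expressions pair a domain's cert with the default key.
SSL_ROOT=${SSL_ROOT:-/usr/local/atmail/mailserver/ssl}   # path from the article

# check_pairs ROOT: report unpaired files; return 1 only when a cert has
# no key (keys without a cert are listed as informational, since the
# article's listing keeps smtp.key and smtpserver.key without a .pem).
check_pairs() {
    root=$1
    rc=0
    for pem in "$root"/certs/*.pem; do
        [ -e "$pem" ] || continue                # unmatched glob
        name=$(basename "$pem" .pem)
        if [ ! -f "$root/private/$name.key" ]; then
            echo "ERROR: certs/$name.pem has no private/$name.key"
            rc=1
        fi
    done
    for key in "$root"/private/*.key; do
        [ -e "$key" ] || continue
        name=$(basename "$key" .key)
        [ -f "$root/certs/$name.pem" ] || echo "INFO: private/$name.key has no certs/$name.pem"
    done
    return $rc
}

# key_mode FILE: the permission string ls prints, e.g. -rw-r--r--
key_mode() {
    ls -ld "$1" | cut -c1-10
}

# report_keys ROOT: print mode, owner:group and name of each private key and
# warn where group or other can read it (the article's dovecot.key is 0600,
# the per-domain keys 0644).
report_keys() {
    root=$1
    for key in "$root"/private/*.key; do
        [ -e "$key" ] || continue
        set -- $(ls -ld "$key")                  # mode links owner group ...
        printf '%s %s:%s %s' "$1" "$3" "$4" "$(basename "$key")"
        case "$1" in
            ????-??-??*) echo ;;                  # owner-only read access
            *)           echo "  WARN: readable by group/other" ;;
        esac
    done
}

# Run against the live tree when it exists (the article's ownership is
# atmail:root for every file).
if [ -d "$SSL_ROOT" ]; then
    check_pairs "$SSL_ROOT"
    report_keys "$SSL_ROOT"
fi
```

Run it as `SSL_ROOT=/path/to/test/tree sh audit-ssl.sh` on a staging copy first; a non-zero exit status means at least one certificate has no key of the same name.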

Exim

Open your Exim configuration:

[root@7802 ~]# vi /usr/local/atmail/mailserver/configure

Find the following section:

#<TLSSMTP>
# Enable Exim TLS
tls_advertise_hosts = *
log_selector = +all
tls_certificate=/usr/local/atmail/mailserver/ssl/certs/dovecot.pem
tls_privatekey=/usr/local/atmail/mailserver/ssl/private/dovecot.key
#</TLSSMTP>

Change to:

#<TLSSMTP>
# Enable Exim TLS
tls_advertise_hosts = *
log_selector = +all
tls_privatekey = ${if exists{/usr/local/atmail/mailserver/ssl/private/${tls_sni}.key}{/usr/local/atmail/mailserver/ssl/private/${tls_sni}.key}{/usr/local/atmail/mailserver/ssl/private/dovecot.key}}
tls_certificate = ${if exists{/usr/local/atmail/mailserver/ssl/certs/${tls_sni}.pem}{/usr/local/atmail/mailserver/ssl/certs/${tls_sni}.pem}{/usr/local/atmail/mailserver/ssl/certs/dovecot.pem}}
#</TLSSMTP>

Dovecot

Open your dovecot configuration:

[root@7802 ~]# vi /usr/local/atmail/mailserver/etc/dovecot/dovecot.conf

Find the following section:

#<DOVECOT_SSL_CERT>
ssl_cert = </usr/local/atmail/mailserver/ssl/certs/dovecot.pem
ssl_key = </usr/local/atmail/mailserver/ssl/private/dovecot.key
#</DOVECOT_SSL_CERT>

#<SSL_DISABLE>
ssl = yes
#</SSL_DISABLE>

Change it to the following. Each domain needs its own local_name block specifying its cert and key; the ssl_cert and ssl_key lines outside the blocks remain the default pair:

#<DOVECOT_SSL_CERT>
local_name dog.com {
  ssl_cert = </usr/local/atmail/mailserver/ssl/certs/dog.com.pem
  ssl_key = </usr/local/atmail/mailserver/ssl/private/dog.com.key
}
local_name fish.com {
  ssl_cert = </usr/local/atmail/mailserver/ssl/certs/fish.com.pem
  ssl_key = </usr/local/atmail/mailserver/ssl/private/fish.com.key
}
ssl_cert = </usr/local/atmail/mailserver/ssl/certs/dovecot.pem
ssl_key = </usr/local/atmail/mailserver/ssl/private/dovecot.key
#</DOVECOT_SSL_CERT>

#<SSL_DISABLE>
ssl = yes
#</SSL_DISABLE>
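
Both configurations implement the same lookup: serve <sni>.pem and <sni>.key for the name the client sent when those files exist, otherwise serve dovecot.pem and dovecot.key. The following shell script is an added example, not the article's or atmail's code, that models that lookup against a directory so the fallback can be checked before editing the live configuration. It uses constructed placeholder files in a temporary tree; the allowlist check on the SNI value is an extra hardening step of my own, because the name comes from the client, and it is not part of the article's Exim or Dovecot configuration.

```shell
#!/bin/sh
# Added example (not the article's or atmail's code): model the certificate
# selection that both the Exim ${if exists{...}} expressions and the Dovecot
# local_name blocks perform, so the fallback behaviour can be checked
# against a directory before editing the live configuration.

# resolve_tls_file DIR NAME EXT DEFAULT
#   Print the file that would be served for client-supplied SNI NAME:
#   DIR/NAME.EXT when it exists, otherwise DIR/DEFAULT.EXT.
resolve_tls_file() {
    dir=$1; sni=$2; ext=$3; default=$4
    # Extra hardening, not in the article's config: the SNI value comes
    # from the client, so only a plain hostname may be used as a file name.
    case "$sni" in
        ''|.*|*..*|*[!A-Za-z0-9.-]*)
            echo "$dir/$default.$ext"
            return 0 ;;
    esac
    if [ -f "$dir/$sni.$ext" ]; then
        echo "$dir/$sni.$ext"
    else
        echo "$dir/$default.$ext"
    fi
}

# resolve_pair ROOT NAME: print the cert and key Exim would end up with,
# which exposes the mismatch that a cert without its key produces.
resolve_pair() {
    resolve_tls_file "$1/certs" "$2" pem dovecot
    resolve_tls_file "$1/private" "$2" key dovecot
}

# Demo on constructed placeholder files in a temporary tree that mirrors
# the article's layout (certs/*.pem and private/*.key).
demo=$(mktemp -d)
mkdir -p "$demo/certs" "$demo/private"
for n in dog.com fish.com dovecot; do
    : > "$demo/certs/$n.pem"
    : > "$demo/private/$n.key"
done
resolve_pair "$demo" dog.com            # dog.com.pem / dog.com.key
resolve_pair "$demo" cat.com            # dovecot.pem / dovecot.key (no such domain)
resolve_pair "$demo" ""                 # dovecot.pem / dovecot.key (client sent no SNI)
resolve_pair "$demo" "../private/dog"   # dovecot.pem / dovecot.key (rejected name)
rm -rf "$demo"
```

Exim's exists{} check is a plain file test and Dovecot selects the local_name block whose name matches the SNI, so any name for which no file pair exists falls through to the default pair, which is exactly the "no domain specified" result shown in the Testing section.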

Save configuration and restart atmail:

[root@7802 ~]# /etc/init.d/atmailserver restart

Testing

Check the services are running:

[root@7802 ~]# ss -tlpn | grep "143\|587"
LISTEN     0      20           *:587                      *:*                   users:(("exim",pid=2649,fd=5))
LISTEN     0      100          *:143                      *:*                   users:(("dovecot",pid=2654,fd=39))
LISTEN     0      100         :::143                     :::*                   users:(("dovecot",pid=2654,fd=40))

While testing, it may be helpful to tail the corresponding logs:

  • Exim: tail -f /usr/local/atmail/mailserver/spool/log/mainlog
  • Dovecot: tail -f /usr/local/atmail/mailserver/spool/log/dovecot_info_log

Testing Exim

fish.com

$ openssl s_client -starttls smtp -crlf -connect 192.168.10.184:587 -servername fish.com -tlsextdebug
CONNECTED(00000003)

TRUNCATED OUTPUT....

Certificate chain
 0 s:/C=AU/ST=QLD/L=PB/O=11/OU=11/CN=7802/emailAddress=admin@fish.com
   i:/C=AU/ST=QLD/L=PB/O=11/OU=11/CN=7802/emailAddress=admin@fish.com

dog.com

$ openssl s_client -starttls smtp -crlf -connect 192.168.10.184:587 -servername dog.com -tlsextdebug
CONNECTED(00000003)

TRUNCATED OUTPUT....

Certificate chain
 0 s:/C=AU/ST=WOOF/L=BORK/O=BARK/OU=RUFF/CN=GROWL/emailAddress=HOWL@WOOF.com
   i:/C=AU/ST=WOOF/L=BORK/O=BARK/OU=RUFF/CN=GROWL/emailAddress=HOWL@WOOF.com

no domain specified

The server provides the default dovecot.pem/key pair:

$ openssl s_client -starttls smtp -crlf -connect 192.168.10.184:587 -tlsextdebug 
CONNECTED(00000003)

TRUNCATED OUTPUT....

Certificate chain
 0 s:/C=MW/ST=Earth/L=City/O=Automatically-generated SSL/OU=IMAP server/CN=localhost/emailAddress=postmaster@localhost
   i:/C=MW/ST=Earth/L=City/O=Automatically-generated SSL/OU=IMAP server/CN=localhost/emailAddress=postmaster@localhost

Testing Dovecot

fish.com

$ openssl s_client -starttls imap -crlf -connect 192.168.10.184:143 -servername fish.com -tlsextdebug
CONNECTED(00000003)

TRUNCATED OUTPUT....

Certificate chain
 0 s:/C=AU/ST=QLD/L=PB/O=11/OU=11/CN=7802/emailAddress=admin@fish.com
   i:/C=AU/ST=QLD/L=PB/O=11/OU=11/CN=7802/emailAddress=admin@fish.com

dog.com

$ openssl s_client -starttls imap -crlf -connect 192.168.10.184:143 -servername dog.com -tlsextdebug 
CONNECTED(00000003)

TRUNCATED OUTPUT....

Certificate chain
 0 s:/C=AU/ST=WOOF/L=BORK/O=BARK/OU=RUFF/CN=GROWL/emailAddress=HOWL@WOOF.com
   i:/C=AU/ST=WOOF/L=BORK/O=BARK/OU=RUFF/CN=GROWL/emailAddress=HOWL@WOOF.com

no domain specified

The server provides the default dovecot.pem/key pair:

$ openssl s_client -starttls imap -crlf -connect 192.168.10.184:143 -tlsextdebug 
CONNECTED(00000003)

TRUNCATED OUTPUT....

Certificate chain
 0 s:/C=MW/ST=Earth/L=City/O=Automatically-generated SSL/OU=IMAP server/CN=localhost/emailAddress=postmaster@localhost
   i:/C=MW/ST=Earth/L=City/O=Automatically-generated SSL/OU=IMAP server/CN=localhost/emailAddress=postmaster@localhost
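
To turn the manual openssl checks above into a repeatable regression test, here is an added example (not part of the article) that parses s_client output and compares the served leaf certificate's subject with what each domain should produce. The probe function runs the same openssl command the article uses against a live server; the sample output embedded below is constructed from the article's fish.com result so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the article): turn the manual openssl s_client
# checks into a scripted SNI regression test by parsing the leaf certificate
# subject from the "Certificate chain" block.

# served_subject: read s_client output on stdin and print the subject of the
# depth-0 (leaf) certificate, i.e. the " 0 s:" line.
served_subject() {
    sed -n 's/^ *0 s:\(.*\)$/\1/p' | head -n 1
}

# subject_field SUBJECT KEY: print one RDN value (CN, emailAddress, ...) from
# a slash-separated subject line.
subject_field() {
    printf '%s\n' "$1" | tr '/' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# expect_subject SUBJECT KEY VALUE: exit 0 only when the subject carries
# KEY=VALUE, so the result can drive a scripted check.
expect_subject() {
    [ "$(subject_field "$1" "$2")" = "$3" ]
}

# probe_sni HOST PORT PROTO SNI: run the same s_client command the article
# uses (PROTO is smtp or imap; an empty SNI reproduces the "no domain
# specified" case) and print the served leaf subject. Needs a live server.
probe_sni() {
    if [ -n "$4" ]; then
        openssl s_client -starttls "$3" -crlf -connect "$1:$2" -servername "$4" </dev/null 2>/dev/null
    else
        openssl s_client -starttls "$3" -crlf -connect "$1:$2" </dev/null 2>/dev/null
    fi | served_subject
}

# Constructed sample, copied from the article's fish.com result, so the
# parsing runs without a server.
SAMPLE_FISH='CONNECTED(00000003)
Certificate chain
 0 s:/C=AU/ST=QLD/L=PB/O=11/OU=11/CN=7802/emailAddress=admin@fish.com
   i:/C=AU/ST=QLD/L=PB/O=11/OU=11/CN=7802/emailAddress=admin@fish.com'

subject=$(printf '%s\n' "$SAMPLE_FISH" | served_subject)
if expect_subject "$subject" emailAddress admin@fish.com; then
    echo "fish.com: served the expected certificate"
else
    echo "fish.com: WRONG certificate served: $subject"
fi

# Against the article's host this would exercise all six cases, e.g.:
#   probe_sni 192.168.10.184 587 smtp fish.com
#   probe_sni 192.168.10.184 143 imap ""
```

Looping probe_sni over both ports and the three SNI values (fish.com, dog.com, none) and feeding each result to expect_subject gives a one-command check to rerun after every certificate renewal or config change.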

SUMMARY
Dovecot and Exim should now both serve the appropriate SSL certificate based on the client's SNI. If the client does not provide an SNI, the default certificates are served.
