PROBLEM
How do I use multiple SSL certificates for Dovecot and Exim?
ENVIRONMENT
- On-Premises Server: Version 7.7+
CAUSE
Default configurations only allow for one pair of SSL certificates.
PRESUMPTIONS
Two or more domains requiring SSL certificates. This document will use the following domains for our examples:
- dog.com
- fish.com
If you would like to use self-signed certificates, these can be generated using this documentation.
RESOLUTION
⚠ Note: The multi-cert implementation will only work with clients that advertise SNI. Otherwise the server provides the default certificate.
For my certs, I have used the naming form domain.com.key / domain.com.pem.
Please take note of the following permissions and ownerships:
- permissions: chmod 644 dog.com.pem
- ownership: chown atmail:root dog.com.pem
Contents and naming conventions for private/*.key:
[root@7802 ~]# ll /usr/local/atmail/mailserver/ssl/private/
total 20
-rw-r--r-- 1 atmail root 1675 May 18 12:30 dog.com.key
-rw------- 1 atmail root 912 May 16 08:04 dovecot.key
-rw-r--r-- 1 atmail root 1679 May 18 12:17 fish.com.key
-rw-r--r-- 1 atmail root 951 May 16 08:01 smtp.key
-rw-r--r-- 1 atmail root 887 May 16 08:01 smtpserver.key
Contents and naming conventions for certs/*.pem:
[root@7802 ~]# ll /usr/local/atmail/mailserver/ssl/certs/
total 12
-rw-r--r-- 1 atmail root 1350 May 18 12:30 dog.com.pem
-rw-r--r-- 1 atmail root 1046 May 16 08:04 dovecot.pem
-rw-r--r-- 1 atmail root 1350 May 18 12:16 fish.com.pem
Exim
Open your Exim configuration:
[root@7802 ~]# vi /usr/local/atmail/mailserver/configure
Find the following section:
#<TLSSMTP>
# Enable Exim TLS
tls_advertise_hosts = *
log_selector = +all
tls_certificate=/usr/local/atmail/mailserver/ssl/certs/dovecot.pem
tls_privatekey=/usr/local/atmail/mailserver/ssl/private/dovecot.key
#</TLSSMTP>
Change to:
#<TLSSMTP>
# Enable Exim TLS
tls_advertise_hosts = *
log_selector = +all
tls_privatekey = ${if exists{/usr/local/atmail/mailserver/ssl/private/${tls_sni}.key}{/usr/local/atmail/mailserver/ssl/private/${tls_sni}.key}{/usr/local/atmail/mailserver/ssl/private/dovecot.key}}
tls_certificate = ${if exists{/usr/local/atmail/mailserver/ssl/certs/${tls_sni}.pem}{/usr/local/atmail/mailserver/ssl/certs/${tls_sni}.pem}{/usr/local/atmail/mailserver/ssl/certs/dovecot.pem}}
#</TLSSMTP>
Dovecot
Open your Dovecot configuration:
[root@7802 ~]# vi /usr/local/atmail/mailserver/etc/dovecot/dovecot.conf
Find the following section:
#<DOVECOT_SSL_CERT>
ssl_cert = </usr/local/atmail/mailserver/ssl/certs/dovecot.pem
ssl_key = </usr/local/atmail/mailserver/ssl/private/dovecot.key
#</DOVECOT_SSL_CERT>
#<SSL_DISABLE>
ssl = yes
#</SSL_DISABLE>
Change it to the following. Each domain requires its own local_name block specifying its cert and key:
#<DOVECOT_SSL_CERT>
local_name dog.com {
ssl_cert = </usr/local/atmail/mailserver/ssl/certs/dog.com.pem
ssl_key = </usr/local/atmail/mailserver/ssl/private/dog.com.key
}
local_name fish.com {
ssl_cert = </usr/local/atmail/mailserver/ssl/certs/fish.com.pem
ssl_key = </usr/local/atmail/mailserver/ssl/private/fish.com.key
}
ssl_cert = </usr/local/atmail/mailserver/ssl/certs/dovecot.pem
ssl_key = </usr/local/atmail/mailserver/ssl/private/dovecot.key
#</DOVECOT_SSL_CERT>
#<SSL_DISABLE>
ssl = yes
#</SSL_DISABLE>
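Both the Exim expansion and the Dovecot local_name blocks key purely on the file names under ssl/certs and ssl/private, so the selection logic can be mirrored and checked offline before touching the live configuration. The following is an added example, not part of the atmail article: it assumes the article's directory layout (SSL_BASE), reproduces the Exim fallback for a given SNI value, lists domains where only the cert or only the key exists (Exim's two lookups are independent, so such a domain would be served a mismatched pair and the handshake would fail), and prints the Dovecot local_name blocks for every fully paired domain.

```shell
# Added example (not from the atmail article): mirrors the Exim
# ${if exists{...}} expansion in plain shell so the fallback logic can be
# checked offline. Set SSL_BASE to a scratch directory to test.
SSL_BASE="${SSL_BASE:-/usr/local/atmail/mailserver/ssl}"

# The SNI value comes from the client and is spliced into a file path, so
# only a bare hostname is accepted; anything else gets the default pair.
sni_is_safe() {
  case "$1" in
    ''|*/*|*..*|.*) return 1 ;;
    *) return 0 ;;
  esac
}

# Certificate Exim would pick for this SNI (falls back to dovecot.pem).
cert_for_sni() {
  if sni_is_safe "$1" && [ -f "$SSL_BASE/certs/$1.pem" ]; then
    printf '%s\n' "$SSL_BASE/certs/$1.pem"
  else
    printf '%s\n' "$SSL_BASE/certs/dovecot.pem"
  fi
}

# Key Exim would pick. The two lookups are independent: a cert without its
# key yields a mismatched pair and a failed handshake (see unpaired_domains).
key_for_sni() {
  if sni_is_safe "$1" && [ -f "$SSL_BASE/private/$1.key" ]; then
    printf '%s\n' "$SSL_BASE/private/$1.key"
  else
    printf '%s\n' "$SSL_BASE/private/dovecot.key"
  fi
}

# Domains that have a cert but no key, or a key but no cert.
unpaired_domains() {
  for f in "$SSL_BASE"/certs/*.pem "$SSL_BASE"/private/*.key; do
    [ -f "$f" ] || continue
    d=$(basename "$f"); d=${d%.pem}; d=${d%.key}
    [ -f "$SSL_BASE/certs/$d.pem" ] && [ -f "$SSL_BASE/private/$d.key" ] || echo "$d"
  done | sort -u
}

# Dovecot local_name block for every fully paired non-default domain.
dovecot_sni_blocks() {
  for pem in "$SSL_BASE"/certs/*.pem; do
    d=$(basename "$pem" .pem)
    if [ "$d" = dovecot ] || [ ! -f "$SSL_BASE/private/$d.key" ]; then continue; fi
    printf 'local_name %s {\n  ssl_cert = <%s\n  ssl_key = <%s\n}\n' "$d" "$pem" "$SSL_BASE/private/$d.key"
  done
}
```

Running unpaired_domains on the listing above would also report smtp and smtpserver, which have keys but no matching .pem; only domains you intend to serve via SNI need a pair.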
Save the configuration and restart atmail:
[root@7802 ~]# /etc/init.d/atmailserver restart
Testing
Check the services are running:
[root@7802 ~]# ss -tlpn | grep "143\|587"
LISTEN 0 20 *:587 *:* users:(("exim",pid=2649,fd=5))
LISTEN 0 100 *:143 *:* users:(("dovecot",pid=2654,fd=39))
LISTEN 0 100 :::143 :::* users:(("dovecot",pid=2654,fd=40))
While testing, it may be helpful to tail the corresponding logs:
- Exim:
tail -f /usr/local/atmail/mailserver/spool/log/mainlog
- Dovecot:
tail -f /usr/local/atmail/mailserver/spool/log/dovecot_info_log
Testing Exim
fish.com
$ openssl s_client -starttls smtp -crlf -connect 192.168.10.184:587 -servername fish.com -tlsextdebug
CONNECTED(00000003)
TRUNCATED OUTPUT....
Certificate chain
0 s:/C=AU/ST=QLD/L=PB/O=11/OU=11/CN=7802/emailAddress=admin@fish.com
i:/C=AU/ST=QLD/L=PB/O=11/OU=11/CN=7802/emailAddress=admin@fish.com
dog.com
$ openssl s_client -starttls smtp -crlf -connect 192.168.10.184:587 -servername dog.com -tlsextdebug
CONNECTED(00000003)
TRUNCATED OUTPUT....
Certificate chain
0 s:/C=AU/ST=WOOF/L=BORK/O=BARK/OU=RUFF/CN=GROWL/emailAddress=HOWL@WOOF.com
i:/C=AU/ST=WOOF/L=BORK/O=BARK/OU=RUFF/CN=GROWL/emailAddress=HOWL@WOOF.com
no SNI specified
The server provides the default dovecot.pem/key pair
$ openssl s_client -starttls smtp -crlf -connect 192.168.10.184:587 -tlsextdebug
CONNECTED(00000003)
TRUNCATED OUTPUT....
Certificate chain
0 s:/C=MW/ST=Earth/L=City/O=Automatically-generated SSL/OU=IMAP server/CN=localhost/emailAddress=postmaster@localhost
i:/C=MW/ST=Earth/L=City/O=Automatically-generated SSL/OU=IMAP server/CN=localhost/emailAddress=postmaster@localhost
Testing Dovecot
fish.com
$ openssl s_client -starttls imap -crlf -connect 192.168.10.184:143 -servername fish.com -tlsextdebug
CONNECTED(00000003)
TRUNCATED OUTPUT....
Certificate chain
0 s:/C=AU/ST=QLD/L=PB/O=11/OU=11/CN=7802/emailAddress=admin@fish.com
i:/C=AU/ST=QLD/L=PB/O=11/OU=11/CN=7802/emailAddress=admin@fish.com
dog.com
$ openssl s_client -starttls imap -crlf -connect 192.168.10.184:143 -servername dog.com -tlsextdebug
CONNECTED(00000003)
TRUNCATED OUTPUT....
Certificate chain
0 s:/C=AU/ST=WOOF/L=BORK/O=BARK/OU=RUFF/CN=GROWL/emailAddress=HOWL@WOOF.com
i:/C=AU/ST=WOOF/L=BORK/O=BARK/OU=RUFF/CN=GROWL/emailAddress=HOWL@WOOF.com
no SNI specified
The server provides the default dovecot.pem/key pair
$ openssl s_client -starttls imap -crlf -connect 192.168.10.184:143 -tlsextdebug
CONNECTED(00000003)
TRUNCATED OUTPUT....
Certificate chain
0 s:/C=MW/ST=Earth/L=City/O=Automatically-generated SSL/OU=IMAP server/CN=localhost/emailAddress=postmaster@localhost
i:/C=MW/ST=Earth/L=City/O=Automatically-generated SSL/OU=IMAP server/CN=localhost/emailAddress=postmaster@localhost
SUMMARY
Dovecot and Exim should now both serve the appropriate SSL certificate based on the client's SNI. If the client fails to provide an SNI, the default certificates will be served.