[Dovecot] Dovecot replies with default SSL certificate instead of the vhost's
Hello, I'm using dovecot v2.0.21. According to http://wiki2.dovecot.org/SSL/DovecotConfiguration,dovecot 2.x supports different SSL certificate for different virtual hosts by using "local_name" directive, but I can't get it to work. When testing the certificate using "openssl s_client -connect domain.com:pop3s" I get the default certificate instead of domain.com's.----------------------------------------------------------------------------Here is the my dovecot.conf:# 2.0.21: /etc/dovecot/dovecot.conf# OS: Linux 2.6.32-358.6.2.el6.x86_64 x86_64 CentOS release 6.4 (Final) auth_master_user_separator = *auth_mechanisms = PLAIN LOGINdict { acl = mysql:/etc/dovecot/dovecot-share-folder.conf quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf}first_valid_uid = 2000last_valid_uid = 2000listen = *log_path = /var/log/dovecot.logmail_gid = 2000mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/mail_plugins = quotamail_uid = 2000managesieve_notify_capability = mailtomanagesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihavenamespace { inbox = yes location = prefix = separator = / type = private}namespace { list = children location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u prefix = Shared/%%u/ separator = / subscriptions = yes type = shared}passdb { args = /etc/dovecot/dovecot-mysql.conf driver = sql}passdb { args = /etc/dovecot/dovecot-master-users-password driver = passwd-file master = yes}plugin { acl = vfile acl_shared_dict = proxy::acl auth_socket_path = /var/run/dovecot/auth-master autocreate = INBOX autocreate2 = Sent autocreate3 = Trash autocreate4 = Drafts autocreate5 = Junk autosubscribe = INBOX autosubscribe2 = Sent autosubscribe3 = Trash autosubscribe4 = Drafts autosubscribe5 = Junk quota = dict:user::proxy::quotadict quota_rule = *:storage=1G quota_warning = storage=85%% quota-warning 85 %u quota_warning2 = storage=90%% quota-warning 90 %u quota_warning3 = storage=95%% quota-warning 95 %u sieve = /%Lh/sieve/dovecot.sieve sieve_dir = /%Lh/sieve sieve_global_dir = /var/vmail/sieve sieve_global_path = /var/vmail/sieve/dovecot.sieve}protocols = pop3 imap sieveservice auth { unix_listener /var/spool/postfix/dovecot-auth { group = postfix mode = 0666 user = postfix } unix_listener auth-master { group = vmail mode = 0666 user = vmail } unix_listener auth-userdb { group = vmail mode = 0660 user = vmail }}service dict { unix_listener dict { group = vmail mode = 0660 user = vmail }}service imap-login { process_limit = 500 service_count = 1}service pop3-login { service_count = 1}service quota-warning { executable = script /usr/local/bin/dovecot-quota-warning.sh unix_listener quota-warning { group = vmail mode = 0660 user = vmail }}ssl = requiredssl_cert =
Sorry for the mess, forgot to change the formatting to plain text.
I'm using dovecot v2.0.21.
According to http://wiki2.dovecot.org/SSL/DovecotConfiguration, dovecot 2.x supports different SSL certificate for different virtual hosts by using "local_name" directive, but I can't get it to work.
When testing the certificate using "openssl s_client -connect domain.com:pop3s" I get the default certificate instead of domain.com's.
Here is the my dovecot.conf:
# 2.0.21: /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-358.6.2.el6.x86_64 x86_64 CentOS release 6.4 (Final)
auth_master_user_separator = *
auth_mechanisms = PLAIN LOGIN
dict {
acl = mysql:/etc/dovecot/dovecot-share-folder.conf
quotadict = mysql:/etc/dovecot/dovecot-used-quota.conf
}
first_valid_uid = 2000
last_valid_uid = 2000
listen = *
log_path = /var/log/dovecot.log
mail_gid = 2000
mail_location = maildir:/%Lh/Maildir/:INDEX=/%Lh/Maildir/
mail_plugins = quota
mail_uid = 2000
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
inbox = yes
location =
prefix =
separator = /
type = private
}
namespace {
list = children
location = maildir:/%%Lh/Maildir/:INDEX=/%%Lh/Maildir/Shared/%%u
prefix = Shared/%%u/
separator = /
subscriptions = yes
type = shared
}
passdb {
args = /etc/dovecot/dovecot-mysql.conf
driver = sql
}
passdb {
args = /etc/dovecot/dovecot-master-users-password
driver = passwd-file
master = yes
}
plugin {
acl = vfile
acl_shared_dict = proxy::acl
auth_socket_path = /var/run/dovecot/auth-master
autocreate = INBOX
autocreate2 = Sent
autocreate3 = Trash
autocreate4 = Drafts
autocreate5 = Junk
autosubscribe = INBOX
autosubscribe2 = Sent
autosubscribe3 = Trash
autosubscribe4 = Drafts
autosubscribe5 = Junk
quota = dict:user::proxy::quotadict
quota_rule = *:storage=1G
quota_warning = storage=85%% quota-warning 85 %u
quota_warning2 = storage=90%% quota-warning 90 %u
quota_warning3 = storage=95%% quota-warning 95 %u
sieve = /%Lh/sieve/dovecot.sieve
sieve_dir = /%Lh/sieve
sieve_global_dir = /var/vmail/sieve
sieve_global_path = /var/vmail/sieve/dovecot.sieve
}
protocols = pop3 imap sieve
service auth {
unix_listener /var/spool/postfix/dovecot-auth {
group = postfix
mode = 0666
user = postfix
}
unix_listener auth-master {
group = vmail
mode = 0666
user = vmail
}
unix_listener auth-userdb {
group = vmail
mode = 0660
user = vmail
}
}
service dict {
unix_listener dict {
group = vmail
mode = 0660
user = vmail
}
}
service imap-login {
process_limit = 500
service_count = 1
}
service pop3-login {
service_count = 1
}
service quota-warning {
executable = script /usr/local/bin/dovecot-quota-warning.sh
unix_listener quota-warning {
group = vmail
mode = 0660
user = vmail
}
}
ssl = required
ssl_cert =
Here are my certs permissions, just in case:
[root@epm certs]# ll /etc/ssl/comodo.ca.crt
-rw-r--r-- 1 root root 6668 Sep 14 21:51 /etc/ssl/comodo.ca.crt
[root@epm certs]# ll /etc/pki/tls/certs/nourcc.com.pem
-rw-r--r-- 1 root root 1801 Sep 10 00:00 /etc/pki/tls/certs/nourcc.com.pem
[root@epm certs]# ll /etc/pki/tls/private/nourcc.com.key
-rw------- 1 root root 1708 Sep 15 19:37 /etc/pki/tls/private/nourcc.com.key
Here is my openssl test output: $ openssl s_client -connect nourcc.com:pop3s CONNECTED(00000003) depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root@epm.nourcc.com verify error:num=18:self signed certificate verify return:1 depth=0 C = SY, O = epm.nourcc.com, OU = IT, CN = epm.nourcc.com, emailAddress = root@epm.nourcc.com verify return:1 .......................... blah blah blah .........................
so I'm not sure, is there a certain way for doing it that I overlooked?
Thanks.
Am 15.09.2013 23:45, schrieb Shadi Habbal:
I'm using dovecot v2.0.21.
According to http://wiki2.dovecot.org/SSL/DovecotConfiguration, dovecot 2.x supports different SSL certificate for different virtual hosts by using "local_name" directive, but I can't get it to work.
When testing the certificate using "openssl s_client -connect domain.com:pop3s" I get the default certificate instead of domain.com's
you did read "With client TLS SNI (Server Name Indication) support" and "Different certificates per IP and protocol"
http://en.wikipedia.org/wiki/Server_Name_Indication
on POP3s (995) you have *most likely* no SNI and even with STATTLS only less chances to work relieable with different clients which is also part of the documentation you refer to
why do people waste their time with such useless things instead setup "mail.yourcompany.tld" and tell every user exactly tjis hostname?
servernames in case of *email* are worthless becasue you do not have different document roots
Simply put, didn't know it was a limitation of POP3s. Note taken.
Thanks
Date: Mon, 16 Sep 2013 00:09:46 +0200 From: h.reindl@thelounge.net To: dovecot@dovecot.org Subject: Re: [Dovecot] Dovecot replies with default SSL certificate instead of the vhost's
Am 15.09.2013 23:45, schrieb Shadi Habbal:
I'm using dovecot v2.0.21.
According to http://wiki2.dovecot.org/SSL/DovecotConfiguration, dovecot 2.x supports different SSL certificate for different virtual hosts by using "local_name" directive, but I can't get it to work.
When testing the certificate using "openssl s_client -connect domain.com:pop3s" I get the default certificate instead of domain.com's
you did read "With client TLS SNI (Server Name Indication) support" and "Different certificates per IP and protocol"
http://en.wikipedia.org/wiki/Server_Name_Indication
on POP3s (995) you have *most likely* no SNI and even with STATTLS only less chances to work relieable with different clients which is also part of the documentation you refer to
why do people waste their time with such useless things instead setup "mail.yourcompany.tld" and tell every user exactly tjis hostname?
servernames in case of *email* are worthless becasue you do not have different document roots
Hi,
why do people waste their time with such useless things instead setup "mail.yourcompany.tld" and tell every user exactly tjis hostname?
Could also bei simplefied by using AutoDiscovery (MS) or autoconfig (Thunderbird, Evolution).
e.g. by setting up www.automx.org.
servernames in case of *email* are worthless becasue you do not have different document roots
Could be different "mail document roots", e.g. a distinct user base with different backends for each hostname :)
Best regards,
Anton
--
ADIT Systems Anton Dollmaier, M.Sc. Im Moos 22 84323 Massing Telefon: +49-8724-3949990 (Mo-Sa, 10:00-20:00 Uhr, dt. Festnetz) Telefax: +49-8724-3949999
Umsatzsteuer-ID: DE221493781
Twitter: http://twitter.com/ADITSystems Blog: http://blog.aditsystems.de/ Facebook: http://www.facebook.com/ADITSystems
KundenCenter: https://kunden.aditsystems.de/kc/ Wiki: https://kunden.aditsystems.de/wiki/
After some digging, Subject Alternative Names (SANs) is the way to have one certificate which holds many domain names in the SubjectAltNames field.
Here is a script to generate a CSR that holds different SANs: http://svn.cacert.org/CAcert/Software/CSRGenerator/csr
For more information: http://wiki.cacert.org/CSRGenerator
You can then have a certificate signed by CaCert for free, or any other vendor, like Comodo (UC Certificate).
If you want free cert, join the CaCert community> login to your acct> Add Domains that you own to the authorized list> Under server certificates click New and place your CSR> Submit and get your certificate.
Unfortunately there is no "paid" UC certificate free trial to test it in real world.
If you have more comments/thoughts on that, let us know. Shadi
Am 16.09.2013 13:33, schrieb Shadi Habbal:
After some digging, Subject Alternative Names (SANs) is the way to have one certificate which holds many domain names in the SubjectAltNames field Here is a script to generate a CSR that holds different SANs: http://svn.cacert.org/CAcert/Software/CSRGenerator/csr
that's nice but not practically useable you hardly can add a SAN everytime you get a new domain
the main question remains:
- why is anybody doing this?
- "the user wants "mail.hisdomain.tld" is *not* a valid reason and should lead to explain the user the stupidity of doing so for no benefit
On 2013-09-16 13:36, Reindl Harald wrote:
Am 16.09.2013 13:33, schrieb Shadi Habbal:
After some digging, Subject Alternative Names (SANs) is the way to have one certificate which holds many domain names in the SubjectAltNames field Here is a script to generate a CSR that holds different SANs: http://svn.cacert.org/CAcert/Software/CSRGenerator/csr
that's nice but not practically useable you hardly can add a SAN everytime you get a new domain
It works perfectly for small time setups. Indeed, not scalable after a few hundreds domains, but for private/small setups it works quite fine.
the main question remains:
- why is anybody doing this?
Because IPv4 addresses are running out (or harder/pricy to get) and not all clients on IPv4 yet and thus you will have to have multiple certs on a single IP instead of an IP each per cert.
Yep, with IPv6 you can easily go back to the old model... but unless one does per-IP acl/ratelimits/filtering/etc why bother?
- "the user wants "mail.hisdomain.tld" is *not* a valid reason and should lead to explain the user the stupidity of doing so for no benefit
I don't see anything "stupid" about this. It is so much easier to explain to a user "your email is xxx@example.com, your mail client does the rest" than "oh, you need to use this mail server and that here and that there".
Thunderbird (and likely other clients) autoconfigure by guessing {mail|smtp|imap}.<domain> and thus a proper cert is nice to have there instead of "warning untrusted mail.example.net!" everytime.
Thus it might not be suited for your use, it is definitely very useful for other people.
Greets, Jeroen
@Jeroen: very well explanation, thank you very much.
The company I work for rented a VPS through digitalocean.com, and DO don't yet provide more than 1 IP per droplet (vps).
The company have few domains with few services, but, different business types and different associates. They can't really be called a company since I'm working for one of the associates but trying to serve all their requirements).
Ofcourse I can still pick up a semi random domain name and make it primary for services that don't support SNI, much like shared hosting companies, but that means I'll have to walk with every non-techie user on how to configure their mail client, their iPhone, their Android, ...
I've seen old mobile devices (like Nokia 5800) showing warnings about the certificate every time it tries to sync mail, even if you tell it to ignore that warning and never bother with it again; but it keep showing it either way, which is very annoying on every sync.
Jeroen's reply pretty much sums up the reasons behind the need for different SSL certificates on a single IP.
Regards.
Am 16.09.2013 13:52, schrieb Jeroen Massar:
On 2013-09-16 13:36, Reindl Harald wrote:
the main question remains:
- why is anybody doing this?
Because IPv4 addresses are running out (or harder/pricy to get) and not all clients on IPv4 yet and thus you will have to have multiple certs on a single IP instead of an IP each per cert
the main question was why deal with different server names at all and not about IPv4 and how many IP addresses you get
"mail.hosting-company.tld" with a certificate, PTR-record and A-Record and you are done for 100, 1000, 10000, 100000 domains
- "the user wants "mail.hisdomain.tld" is *not* a valid reason and should lead to explain the user the stupidity of doing so for no benefit
I don't see anything "stupid" about this. It is so much easier to explain to a user "your email is xxx@example.com, your mail client does the rest" than "oh, you need to use this mail server and that here and that there".
really?
you need to privide the user his username and password anyway so no there is no magical configuration at all so what makes it hard to write one line more?
- mailserver: mail.hosting-company.tld
- username: you@yourdomain.tld
- password: yourpassword
Thunderbird (and likely other clients) autoconfigure by guessing {mail|smtp|imap}.<domain> and thus a proper cert is nice to have there instead of "warning untrusted mail.example.net!" everytime
"mail.example.net" does not need to exist at all https://wiki.mozilla.org/Thunderbird:Autoconfiguration
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Mon, 16 Sep 2013, Reindl Harald wrote:
the main question was why deal with different server names at all and not about IPv4 and how many IP addresses you get
because many companies want to show up as single entity and some users are believed to get worried, if they shall use other sites, esp. because you've trained them to _not_ trust sites other than your company's ones.
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBUjcAGF3r2wJMiz2NAQLrnwgAh6i66cbGPuY2x6HbwfjwJHp+2wd/f+wn 2ltdeQCL6WANNVeGavr1i7Bmbt+sJIQIw5ZLRobedhYFwrKj38MKemXs4V8HTMm8 i6aIrMlTakkmJAFYZMFavuqUdFceYV+jrOTazBLJ/1/G8Vd3YZyGerASVsDicSge 3+mDiGkJ3O4sl2qilJ3HSpJLy9Ec+G/N7SfkI4XK/KEhNKJcqc0i/J8Dgz3qXWkc F5ja51ToSe4d0TenHIwSXNyPxildGXdtVdQ5QkQ7smEzTsvkx9UAXXDIkUwCzi7h iFASB9T4A0Jutk1HxnNiRq3CtnDg0fRu33w6DDXFqysWsYBkRM1v7Q== =kjA8 -----END PGP SIGNATURE-----
participants (5)
-
Anton Dollmaier
-
Jeroen Massar
-
Reindl Harald
-
Shadi Habbal
-
Steffen Kaiser