mail_sni for dovecot and exim sni certificates

Version 1.52.0


This replaces both dovecot_sni and exim_sni, since the functionality of the two is roughly the same. The dovecot_sni and exim_sni options are deprecated in the directadmin.conf and replaced with a single option:

mail_sni=0

which is the internal default. To enable it, set:

mail_sni=1

Once enabled, any certificate that is saved, either by pasting it through the SSL page or by being created/renewed via LetsEncrypt, will trigger a write. The /etc/virtual/snidomains file should already be set up and used as the "valid cert index", and it is used to set up the dovecot domain sni config.

You can also set mail_sni=OFF in the to override domains that should not have it enabled.

Related: when a signed cert and cacert are found, the file is created (similar to nginx), and then all records in the cert are added to:

/etc/virtual/snidomains - for exim to use as a lookup. If a subdomain exists in some other domain but is also in this cert, the last one added has priority (it would be the newer, valid cert anyway).
/etc/dovecot/conf/sni/ - with each record in there pointing to the correct cert.

================
REQUIREMENTS

1) OpenSSL and exim supporting SNI, usually CentOS 6 and higher.
2) Recent dovecot and ./build dovecot_conf, for support of:
   /etc/dovecot/conf.d/95-sni.conf
   /etc/dovecot/conf/sni/*
3) CustomBuild 2.0 to install the exim and dovecot configs.
4) secure_access_group=access should be enabled in the directadmin.conf, so that the certificates are chmod to 640 with group "access", so that "mail" (within the access group) can read them.

================
INSTALL

cd /usr/local/directadmin
echo mail_sni=1 >> conf/directadmin.conf
service directadmin restart
cd custombuild
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set dovecot_conf yes
./build exim_conf
./build dovecot_conf

================
IMPORTANT

DirectAdmin will only accept valid signed certificates.
If you use a self-signed certificate, or your own domain does not exist in the certificate, DA will refuse to accept it, will not add the values to /etc/virtual/snidomains, and will not create the dovecot sni file at /etc/dovecot/conf/sni/.

If you rename your domain to, for example, the old values are removed from snidomains and conf/sni/, and are only re-added if the above checks are still true.

Currently a certificate is only considered signed using the quick check where the Issuer and Subject values in the certificate must be different. If you have a signed certificate which DA isn't accepting, please let us know, and include the certificate and ca bundle/chain so that we can check it out.

================
TASK QUEUE

To generate the snidomains file:

echo "action=rewrite&value=snidomains" >> /usr/local/directadmin/data/task.queue

If you want to tell all live SSL domains to have their dovecot configs written, type:

echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
echo "action=rewrite&value=mail_sni&" >> /usr/local/directadmin/data/task.queue

This will recreate the sni/ for each SSL domain, plus one for the system hostname. It uses /etc/virtual/domainowners to go through each domain and each cert, removes any existing * entries from snidomains, and re-adds whatever is present.
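The two acceptance checks from the IMPORTANT section (Issuer must differ from Subject, and the domain must be present in the certificate) can be reproduced locally with the openssl CLI, so you can see why a certificate was refused instead of only noticing that snidomains and conf/sni/ were never written. This is an added example, not DirectAdmin's own code; the function name da_cert_check and its return codes are assumptions, and it goes slightly beyond the page by also accepting a *.parent SAN entry for a one-label subdomain.

```shell
#!/bin/sh
# Added example, not DirectAdmin's code: mirrors the acceptance checks that
# decide whether a cert is written to /etc/virtual/snidomains and
# /etc/dovecot/conf/sni/ (Issuer != Subject, and the domain is in the cert).
# Assumes only the openssl CLI. Return codes are assumed, not DA's:
#   0 = would be accepted   1 = self-signed   2 = domain not in cert

da_cert_check() {
    cert="$1"
    domain="$2"
    # RFC2253 name formatting keeps the output stable across OpenSSL versions.
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^[^=]*=//')
    subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^[^=]*=//')
    if [ "$issuer" = "$subject" ]; then
        echo "REJECT: Issuer equals Subject (self-signed): $subject" >&2
        return 1
    fi
    # Names the cert covers: the Subject CN plus every DNS entry in the SAN.
    cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://')
    names=$(printf '%s\n%s\n' "$cn" "$sans" | sed '/^$/d')
    # Exact match, or a wildcard entry covering exactly one label to the left.
    if printf '%s\n' "$names" | grep -qxF -- "$domain"; then
        return 0
    fi
    if printf '%s\n' "$names" | grep -qxF -- "*.${domain#*.}"; then
        return 0
    fi
    echo "REJECT: $domain not found in cert names: $names" >&2
    return 2
}

# Stand-alone use: da_cert_check /path/to/cert.pem domain.tld
if [ "$#" -eq 2 ]; then
    da_cert_check "$1" "$2"
fi
```

Exit status 1 is the same case DA's quick check rejects; exit status 2 means the cert is signed but does not name the domain, so DA would also skip it.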
