mail_sni for dovecot and exim sni certificates

Version 1.52


This will replace both dovecot_sni and exim_sni, even though the functionality is roughly the same. The dovecot_sni and exim_sni options will be deprecated from the directadmin.conf, and replaced with a single option:

mail_sni=0

which is the internal default. To enable it, set:

mail_sni=1

and any certificate that is saved, either by pasting it through the SSL page, or created/renewed via LetsEncrypt, will trigger a write.

The logic is now such that DA will read the contents of the new certificate, and place all values in the /etc/virtual/snidomains file. If a wildcard is found for the current domain, the values from:

letsencrypt_list=www:mail:ftp:pop:smtp

will be used to replace the * value.

Note: a certificate with multiple wildcards, eg * and *, is not yet supported, but if there is a need, this can be changed (currently just the single wildcard will work correctly).

Can also set:

mail_sni=OFF

in the to override domains that should not have it enabled.

Related: When a signed cert and cacert are found, the file is created (similar to with nginx), and then all records in the cert are added to:

/etc/virtual/snidomains - for exim to use as a lookup. If a subdomain exists in some other domain, but is also in this cert, the last one added has priority (it would be a newer, valid cert anyway).

/etc/dovecot/conf/sni/ - with each record in there pointing to the correct cert.

================
REQUIREMENTS

1) OpenSSL and exim supporting SNI, usually CentOS 6 and higher.

2) Recent dovecot and ./build dovecot_conf, for support of:
/etc/dovecot/conf.d/95-sni.conf
/etc/dovecot/conf/sni/*

3) CustomBuild 2.0 to install the exim and dovecot configs.

================
INSTALL

cd /usr/local/directadmin
echo mail_sni=1 >> conf/directadmin.conf
service directadmin restart
cd custombuild
./build update
./build set eximconf yes
./build set eximconf_release 4.5
./build set dovecot_conf yes
./build exim_conf
./build dovecot_conf

================
IMPORTANT

DirectAdmin will only accept valid signed certificates. If you use a self-signed certificate, or your own domain does not exist in the certificate, then DA will refuse to accept it, won't add the values to /etc/virtual/snidomains, and will not create the dovecot sni file at /etc/dovecot/conf/sni/.

If you rename your domain to, for example, the old values are removed from snidomains and conf/sni/, and are only re-added if the above checks are still true.

Currently a certificate is only considered signed using the quick check where the Issuer and Subject values in the certificate must be different. If you have a signed certificate which DA isn't accepting, please let us know, and include the certificate and ca bundle/chain so that we can check it out.

================
TASK QUEUE

If you want to tell all live SSL domains to have their dovecot configs written, type:

echo "action=rewrite&value=mail_sni" >> /usr/local/directadmin/data/task.queue
echo "action=rewrite&value=mail_sni&" >> /usr/local/directadmin/data/task.queue

This will recreate the sni/ for each SSL domain, plus one for the system hostname. It will use the /etc/virtual/domainowners to go through each domain and each cert, remove any existing * entries from snidomains, and re-add whatever is present.
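To make the checks above concrete, here is a small Python model (added here, not DirectAdmin's own code) of the signed-cert quick check, the single-wildcard expansion with letsencrypt_list, and the last-one-wins rewrite of the snidomains entries. The Cert fields, the in-memory dict standing in for /etc/virtual/snidomains, and the handling of a wildcard belonging to some other domain are assumptions.

```python
from dataclasses import dataclass

# directadmin.conf option named on the page; its prefixes replace a wildcard.
LETSENCRYPT_LIST = "www:mail:ftp:pop:smtp"

@dataclass
class Cert:
    """Fields DA reads from a cert (PEM parsing is out of scope here)."""
    subject: str   # Subject DN, e.g. "CN=example.com"
    issuer: str    # Issuer DN, e.g. "CN=R3,O=Let's Encrypt,C=US"
    names: list    # CN plus subjectAltName DNS entries

def is_signed(cert):
    """The page's quick check: signed only when Issuer and Subject differ."""
    return cert.issuer != cert.subject

def expand_names(cert, domain, le_list=LETSENCRYPT_LIST):
    """Hostnames DA would record for `domain`: plain names pass through; a
    single wildcard for the current domain becomes one entry per prefix."""
    names, wildcards = [], 0
    for name in cert.names:
        if name.startswith("*."):
            wildcards += 1
            if wildcards > 1:  # the page: multiple wildcards not yet supported
                raise ValueError("multiple wildcards are not supported")
            if name == "*." + domain:
                names.extend(f"{p}.{domain}" for p in le_list.split(":"))
            # a wildcard for some other domain is skipped (assumption)
        else:
            names.append(name)
    return names

def accept_cert(cert, domain):
    """Hostnames to record, or None where DA would refuse the cert: it is
    self-signed, or the domain itself is not in the certificate."""
    if not is_signed(cert) or domain not in cert.names:
        return None
    return expand_names(cert, domain)

def rewrite_domain(snidomains, domain, cert):
    """Model of the task-queue rewrite for one domain: drop the domain's old
    entries, then re-add what its cert contains. `snidomains` maps hostname to
    owning domain; a later add overwrites, so the last one added has priority."""
    for host in [h for h, d in snidomains.items() if d == domain]:
        del snidomains[host]
    for host in accept_cert(cert, domain) or []:
        snidomains[host] = domain
    return snidomains
```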
