Well, SMTP on port 25 is not Dovecot; that's what I was looking for.

> On 24 Oct 2021, at 20:40, xaf <[email protected]> wrote:
> 
> Remo wrote on 23/10/2021 at 22:33:
>> I would be interested too, but I see Postfix and not qmail. Eric, do you happen
>> to have the steps for qmail?
> 
> As Eric says, it's Dovecot specific.
> My notes in attachment.
> 
> xaf
> 
################################################################################
#                                                                              #
#    Dovecot SSL certificates per domain + MSA                                 #
#                                                                              #
################################################################################

Let's Encrypt SAN certificate per domain, imap.* pop3.* smtp.* with acme.sh
(to be adapted for other scripts).

One file per domain, easier for bash scripting.
--------------------------------------------------------------------------------
mkdir /etc/dovecot/domaincerts/

/etc/dovecot/domaincerts/example.org.conf
local_name imap.example.org {
    ssl_cert = </root/.acme.sh/imap.example.org/fullchain.cer
    ssl_key = </root/.acme.sh/imap.example.org/imap.example.org.key
}
local_name pop3.example.org {
    ssl_cert = </root/.acme.sh/imap.example.org/fullchain.cer
    ssl_key = </root/.acme.sh/imap.example.org/imap.example.org.key
}
local_name smtp.example.org {
    ssl_cert = </root/.acme.sh/imap.example.org/fullchain.cer
    ssl_key = </root/.acme.sh/imap.example.org/imap.example.org.key
}
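Since the notes keep one file per domain precisely so that it can be scripted, here is an added example (not part of xaf's notes or of the Qmail Toaster project) of a POSIX sh script that renders these files from a list of domains. It assumes the same layout as above: acme.sh keys the certificate on imap.DOMAIN, and one SAN certificate covers imap, pop3 and smtp. The function names, the FORCE and OUT_DIR variables, and the key/cert comparison helper are this example's own conventions.

```shell
#!/bin/sh
# Render one Dovecot domaincerts file per mail domain (example script; the
# paths mirror the notes above: /root/.acme.sh/imap.DOMAIN/ and
# /etc/dovecot/domaincerts/DOMAIN.conf).  Usage: gen_domaincerts.sh example.org example.net
ACME_DIR="${ACME_DIR:-/root/.acme.sh}"
OUT_DIR="${OUT_DIR:-/etc/dovecot/domaincerts}"

# valid_domain NAME: accept only hostname characters, so a stray argument
# cannot inject extra Dovecot settings or odd paths into the generated file.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# render_domain_conf DOMAIN: print the three local_name blocks for DOMAIN.
# All three service names share the one SAN certificate issued for imap.DOMAIN.
render_domain_conf() {
    domain="$1"
    certdir="$ACME_DIR/imap.$domain"
    for svc in imap pop3 smtp; do
        printf 'local_name %s.%s {\n' "$svc" "$domain"
        printf '    ssl_cert = <%s/fullchain.cer\n' "$certdir"
        printf '    ssl_key = <%s/imap.%s.key\n' "$certdir" "$domain"
        printf '}\n'
    done
}

# write_domain_conf DOMAIN: write OUT_DIR/DOMAIN.conf.  Refuses to clobber an
# existing file unless FORCE=1 and warns when the cert or key is not there yet
# (Dovecot would otherwise fail to start on the dangling reference).
write_domain_conf() {
    domain="$1"
    valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
    out="$OUT_DIR/$domain.conf"
    if [ -e "$out" ] && [ "${FORCE:-0}" != 1 ]; then
        echo "exists, skipping (FORCE=1 to overwrite): $out" >&2
        return 2
    fi
    for f in "$ACME_DIR/imap.$domain/fullchain.cer" \
             "$ACME_DIR/imap.$domain/imap.$domain.key"; do
        [ -r "$f" ] || echo "warning: $f not readable yet" >&2
    done
    mkdir -p "$OUT_DIR"
    render_domain_conf "$domain" > "$out"
    echo "wrote $out"
}

# key_matches_cert CERT KEY: compare the public key inside the certificate with
# the one derived from the private key (needs openssl).  Run it before
# reloading Dovecot so a mismatched pair is caught before it reaches the log.
key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# One file per domain given on the command line.
for d in "$@"; do
    write_domain_conf "$d"
done
```

After generating the files, `doveconf -n` (run as root) will show the merged local_name blocks and fail early if an ssl_cert path does not exist.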

Dovecot settings
--------------------------------------------------------------------------------
/etc/dovecot/toaster.conf
auth_mechanisms = plain login cram-md5
protocols = imap pop3 submission
submission_relay_host = localhost
submission_relay_port = 25
submission_client_workarounds = whitespace-before-path
ssl = required
disable_plaintext_auth = yes
# SSL cert server
ssl_cert = </var/qmail/control/servercert.pem
ssl_key = </var/qmail/control/servercert.pem
# SSL certs per domain
!include_try domaincerts/*.conf
service submission-login {
  inet_listener submission {
    port = 587
  }
  inet_listener submissions {
    port = 465
    ssl = yes
  }
}

Qmail settings
--------------------------------------------------------------------------------
change port from 587 to 588
/var/qmail/supervise/submission/run
change port from 465 to 466
/var/qmail/supervise/smtps/run

restart Qmail then Dovecot.
netstat -tlnp | grep dovecot
110 143 465 587 993 995
netstat -tlnp | grep tcpserver
25 466 588
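The netstat lines only prove that the ports moved; they do not show whether Dovecot actually hands out the per-domain certificate for each local_name, or which certificate a client without SNI support gets (issue 3 below). The following is an added example (not from xaf's notes) of a POSIX sh checker for exactly that: it reads the hostnames out of each file in /etc/dovecot/domaincerts, connects to an implicit-TLS port with that name as SNI, and verifies that the certificate's SAN list covers it; it also prints the SAN list of the fallback certificate served without SNI. It assumes openssl is installed and parses `openssl x509 -text` output, which works on OpenSSL 1.0.2 as shipped on EL7; the function names and the CONF_DIR variable are this example's own.

```shell
#!/bin/sh
# Check Dovecot's SNI certificate selection against the domaincerts files.
# Usage: check_sni.sh HOST PORT      (e.g. check_sni.sh 127.0.0.1 993)
# Only implicit-TLS ports (993, 995, 465) are handled; STARTTLS ports would
# need `openssl s_client -starttls imap|pop3|smtp` instead.
CONF_DIR="${CONF_DIR:-/etc/dovecot/domaincerts}"

# local_names FILE: print the hostname of every `local_name X {` block in FILE.
local_names() {
    sed -n 's/^[[:space:]]*local_name[[:space:]]\{1,\}\([^[:space:]{]*\).*/\1/p' "$1"
}

# san_from_text: read `openssl x509 -text` output on stdin and print one
# subjectAltName DNS entry per line.
san_from_text() {
    awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# served_san HOST PORT [SNI]: print the SAN names of the certificate the server
# presents.  With no SNI argument the ClientHello carries no servername
# extension, which is what a client without SNI support sends.
served_san() {
    if [ -n "$3" ]; then sni="-servername $3"; else sni=""; fi
    # $sni is intentionally unquoted so it expands to two words (or none).
    openssl s_client -connect "$1:$2" $sni </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | san_from_text
}

# covers NAME LIST: succeed if NAME appears verbatim in the newline-separated LIST.
covers() {
    printf '%s\n' "$2" | grep -qxF "$1"
}

# check_all HOST PORT: one line per local_name, non-zero exit on any mismatch.
check_all() {
    host="$1"; port="$2"; rc=0
    for f in "$CONF_DIR"/*.conf; do
        [ -f "$f" ] || continue
        for name in $(local_names "$f"); do
            san=$(served_san "$host" "$port" "$name")
            if covers "$name" "$san"; then
                echo "ok   $name"
            else
                echo "FAIL $name: served SAN = [$(printf '%s' "$san" | tr '\n' ' ')]"
                rc=1
            fi
        done
    done
    # This is the certificate non-SNI clients see: expect the server-wide
    # ssl_cert (servercert.pem in the toaster.conf above), so their settings
    # must use that hostname.
    echo "no-SNI fallback SAN = [$(served_san "$host" "$port" | tr '\n' ' ')]"
    return $rc
}

if [ $# -eq 2 ]; then
    check_all "$1" "$2"
fi
```

Run it once per implicit-TLS port (993, 995, 465) after every certificate renewal; a FAIL line means Dovecot was not reloaded, or the file under /root/.acme.sh is not the one the local_name block points at.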

Host support
--------------------------------------------------------------------------------
Qmail Toaster Ver. 1.03-2.1.qt.el7 SMTP Server

Clients support
--------------------------------------------------------------------------------
Outlook 2019, OK.
Mail IOS 15, OK.
Thunderbird 78, OK.
K-9 Mail 5.8, OK.
Gmail Android 7, OK.
Gmail Android 11, OK.

################################################################################
#                                                                              #
#                        Issues                                                #
#                                                                              #
################################################################################

issue 1 - per domain / per IP conflict
--------------------------------------------------------------------------------
local 192.0.2.10 // per IP
local_name imap.example.org // per domain
If imap.example.org resolves to 192.0.2.10, Dovecot sends a fatal error.
It is better to use only local_name per domain.

issue 2 - Outlook workarounds
--------------------------------------------------------------------------------
remove digest-md5 auth mechanism
add submission_client_workarounds = whitespace-before-path

issue 3 - TLS SNI Client Support missing
--------------------------------------------------------------------------------
For mail clients that do not support TLS SNI,
the mail settings should use the server hostname.

################################################################################
#                                                                              #
#                        Info                                                  #
#                                                                              #
################################################################################

Dovecot SSL configuration
--------------------------------------------------------------------------------
https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/

issue 1 - per domain / per IP conflict
--------------------------------------------------------------------------------
Dovecot log
imap-login: Fatal: Error reading configuration
config: Error: Conflict in setting ssl_cert found

issue 2 - Outlook workarounds
--------------------------------------------------------------------------------
remove digest-md5 mechanism
https://www.google.com/search?gl=us&hl=en&gws_rd=cr&q=digest-md5+outlook

submission_client_workarounds = whitespace-before-path
Dovecot log
command MAIL: 501 reply: Sent: 501 5.5.4 Invalid FROM: Unexpected whitespace before path

Dovecot TLS SNI Client Support
--------------------------------------------------------------------------------
https://wiki.dovecot.org/SSL/SNIClientSupport (quite old)

################################################################################
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]