Dovecot SNI SSL Certificates

My understanding is that Virtualmin will set up Dovecot to allow for SSL Certificates for different domains.

The Dovecot Configuration shows many "local_name" directives that appear to connect to the correct SSL Certs and Keys.

However, when I try and connect to any of them only the first certificate in the configuration file shows up.

How would I go about making this work as expected?

On a side note I did some digging and found that instead of:
local_name mail.example.com {
}
local_name imap.example.com {
}

It appears that as long as both use the same SSL Certificate and SSL Key you can actually do:
local_name "mail.example.com imap.example.com" {
}

Status: 
Fixed (pending)

Comments

What command are you testing the connection with? If it's the openssl command, you need to set the -servername flag to specify the hostname for SNI.

Using:
openssl s_client -showcerts -connect mail.example.com:993 -servername mail.example.com

It appears to give the cert for the host itself instead of the one associated with mail.example.com in the config.

I tried the following:

I manually commented out all the local_name directives and found that it still gave out the SSL from the hostname of the server.

I tried enabling only the "local_name mail.example.com" section and OpenSSL shows the right certificate coming out (which has example.com -- and should have mail.example.com within it somewhere). However, Apple Mail does not see it (and I was pretty sure that Apple Mail does SNI).

I haven't had time to check any other clients.

I probably should mention:

Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

Dovecot v2.3.9.2 (cf2918cac).

Removed duplicate message.

# dovecot -n
# 2.3.9.2 (cf2918cac): /etc/dovecot/dovecot.conf
# OS: Linux 4.15.0-20-generic x86_64 Ubuntu 18.04.4 LTS
# Hostname: server.example.com
auth_mechanisms = plain login
mail_location = maildir:~/Maildir
mail_privileged_group = mail
namespace inbox {
  inbox = yes
  location =
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix =
}
passdb {
  driver = pam
}
protocols = " imap pop3"
ssl_ca = </etc/dovecot/dovecot.key.ca
ssl_cert = </etc/dovecot/private/dovecot.pem
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
ssl_client_ca_dir = /etc/ssl/certs
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
userdb {
  driver = passwd
}
local_name server.example.com {
  ssl_cert = </home/server.example.com/ssl.cert
  ssl_key = # hidden, use -P to show it
}
local_name mail.server.example.com {
  ssl_cert = </home/server.example.com/ssl.cert
  ssl_key = # hidden, use -P to show it
}
local_name mail.example.com {
  ssl_cert = </home/example.com/ssl.cert
  ssl_key = # hidden, use -P to show it
}

If you restart Dovecot, does it start successfully?

Yes.
But now I have done so many changes it is not even giving out any SSL Information.

Any suggestions on completely resetting the configs for Dovecot?

I am installing another system just to grab the configs.

I grabbed the base installed configs for Dovecot from a new install.

What would be the correct way to get the SSL certs to show back up in the config for the SNI on the domains?
Answer: Re-ask for the SSL Certificate from Let's Encrypt. That will re-create what is needed in the config.

If you want SNI to work in Dovecot then...
DO NOT click on "Copy to Dovecot" as it adds some items to the Dovecot config.
These two items are "ssl_ca" and "ssl_cipher_list" appear to cause issues for SNI when not encapsulated in a "local_name" directive.

After commenting those two extra back out it seems to give the correct Certificates out based on names given.
However, both Apple Mail Version 13.0 (3608.60.0.2.5) and Microsoft Outlook 2001 (Build 12430.20184) from Microsoft Office Professional Plus 2016 still are not receiving the correct SSL Cert.

Side note: Dovecot restarts fine.

Ilia's picture
Submitted by Ilia on Fri, 02/14/2020 - 04:51

Status:
Active
»
Fixed (pending)

Thanks for the feedback.

There were few patches done in this regard. We expect it to be fixed upon next Virtualmin release.

Ilia's picture
Submitted by Ilia on Fri, 02/14/2020 - 05:23

What would be the correct way to get the SSL certs to show back up in the config for the SNI on the domains? Answer: Re-ask for the SSL Certificate from Let's Encrypt. That will re-create what is needed in the config.

The other work-around would be is to disable and then enable SSL webiste feature under Edit Virtual Server/Enable Features.

I will talk to Jamie, if this can be improved somehow and the check would be run simply on Save Virtual Server or better on Validate Virtual Servers.

I am still not sure why but even though OpenSSL shows the correct certificate when I test it, neither Apple Mail nor Outlook seem to be getting the right one. And I am pretty sure they both support SNI.

Ilia's picture
Submitted by Ilia on Fri, 02/14/2020 - 11:50

Does the certificate include the name you are using to connect to your IMAP (Dovecot) server? Like, imap.mydomain.com, the one you put on Apple Mail or Outlook?

Have you tried other mail programs, like Thunderbird?

Yes, it includes the FQHN... I will check on Thunderbird when I have a moment.