The changes in how SSL certificates are handled with Dovecot through Virtualmin have caused us a nightmare.
As of this morning (August 12, 2017) none of our clients are able to connect to their E-Mail due to the changes in how SSL certificates are handled.
We had an SSL certificate with each of the domains set up within one certificate: mail.example.com, mail.example.net, etc.
This had worked fine; we realize the changes are for the better, but there seems to be no migration path, and our Dovecot server has become almost unusable at this time.
We tried wiping out everything in dovecot.conf after the line "!include_try local.conf",
then going through each domain to request its SSL certificate from Let's Encrypt, thinking that the system would re-add them to dovecot.conf as necessary.
However this has so far not been the case.
Please explain the proper procedure to change accordingly, as the change to Virtualmin and how it configures Dovecot apparently did not migrate accordingly upon being updated.
HELP!
Comments
Submitted by rsecor on Sat, 08/12/2017 - 11:10 Comment #1
Additionally, this new setup will not work with all clients.
See: https://wiki.dovecot.org/SSL/SNIClientSupport
Submitted by rsecor on Sat, 08/12/2017 - 11:25 Comment #2
We were able to restore from a known working backup configuration.
Though we are concerned about the next time we add or change virtual server information, etc.
Submitted by rsecor on Sat, 08/12/2017 - 11:40 Comment #3
It looks like our Dovecot configuration was changed automatically when one or more certificates were renewed automatically.
This caused the configuration to be incorrect and no one could connect without receiving warning messages pertaining to certificates not matching.
Submitted by JamieCameron on Sat, 08/12/2017 - 19:48 Comment #4
Can you explain your original working setup a bit more, and what exactly went wrong?
Did you have a single cert with multiple domain names in it that got replaced?
Submitted by rsecor on Thu, 08/17/2017 - 08:47 Comment #5
A working configuration for us has no "local_name" configuration lines within it.
We have a mail.example.com website set up with aliases for each domain in the Apache configuration of mail.example.net (for each domain we host E-Mail for).
This allowed us to just get an SSL certificate with mail.example.net (each domain we host E-Mail for) so that they would validate for SSL without any issues.
The change added "local_name" configuration lines for each domain when they went to gather updated SSL certificates. These updated SSL certificates were for the websites and did not include mail.example.net (again, for each domain we host E-Mail for), so when they were added to the Dovecot configuration it caused E-Mail clients to find a certificate for example.net that did not include mail.example.net.
We have not had the time to sit down and find a successful migration path but are open to suggestions.
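The failure described in comment #5 is a mismatch between the name a mail client puts in SNI (mail.example.net) and the SAN list of the certificate that the matching `local_name` block hands back. The following script is an added example, not code from the thread, from Virtualmin or from Dovecot: it parses a constructed dovecot.conf fragment, works out which certificate file each `local_name` block would select for a given SNI name (exact match, then wildcard, then the default `ssl_cert`, which is an assumption about Dovecot's matching order), and flags hostnames whose certificate does not cover them. The certificate SAN lists and file paths are constructed inline rather than read from real PEM files, so it runs offline; against a live server you would get the served certificate with `openssl s_client -servername <host> -connect <host>:993` instead.

```python
"""
Added example (not from the original thread, Virtualmin or Dovecot):
simulate Dovecot's per-SNI certificate selection and check that each
mail hostname is covered by the certificate it would receive.
"""
import re
from fnmatch import fnmatchcase

# Constructed Dovecot fragment reproducing the situation in comment #5:
# a default multi-SAN mail certificate, plus auto-added per-domain blocks.
# The mail.example.net block points at a certificate issued for the website.
BROKEN_CONF = """
ssl = required
ssl_cert = </etc/ssl/mail-all.pem
ssl_key = </etc/ssl/mail-all.key
!include_try local.conf
local_name mail.example.net {
  ssl_cert = </etc/ssl/example.net.pem
  ssl_key = </etc/ssl/example.net.key
}
local_name mail.example.com {
  ssl_cert = </etc/ssl/example.com.pem
  ssl_key = </etc/ssl/example.com.key
}
"""

# Constructed SAN lists standing in for the contents of each (hypothetical)
# certificate file. A real check would read them with `openssl x509 -noout -text`.
CERT_SANS = {
    "/etc/ssl/mail-all.pem": ["mail.example.com", "mail.example.net"],
    "/etc/ssl/example.net.pem": ["example.net", "www.example.net"],
    "/etc/ssl/example.com.pem": ["example.com", "www.example.com", "mail.example.com"],
}

BLOCK_RE = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.S)
# Dovecot's "<path" syntax means "read the value from this file".
CERT_RE = re.compile(r"^\s*ssl_cert\s*=\s*<?(\S+)", re.M)


def parse_dovecot_ssl(conf: str):
    """Return (default_cert_path, {local_name: cert_path})."""
    blocks = {}
    for name, body in BLOCK_RE.findall(conf):
        m = CERT_RE.search(body)
        if m:
            blocks[name] = m.group(1)
    # The default ssl_cert is the first one outside any local_name block.
    m = CERT_RE.search(BLOCK_RE.sub("", conf))
    return (m.group(1) if m else None), blocks


def cert_for_sni(sni: str, default_cert: str, blocks: dict) -> str:
    """Exact local_name first, then wildcard local_name, then the default.
    Assumption: this mirrors Dovecot's documented local_name matching."""
    if sni in blocks:
        return blocks[sni]
    for name, cert in blocks.items():
        if "*" in name and fnmatchcase(sni, name):
            return cert
    return default_cert


def san_covers(hostname: str, sans) -> bool:
    """True if an exact SAN or a single-label wildcard SAN matches hostname."""
    for san in sans:
        if san.startswith("*."):
            # A wildcard covers exactly one label (RFC 6125 style), so the
            # dot counts must agree before the pattern is compared.
            if hostname.count(".") == san.count(".") and fnmatchcase(hostname, san):
                return True
        elif san.lower() == hostname.lower():
            return True
    return False


def check_mail_hosts(conf: str, hostnames, cert_sans=CERT_SANS):
    """For each hostname clients connect to, return (host, cert_path, covered)."""
    default_cert, blocks = parse_dovecot_ssl(conf)
    results = []
    for host in hostnames:
        cert = cert_for_sni(host, default_cert, blocks)
        results.append((host, cert, san_covers(host, cert_sans.get(cert, []))))
    return results


def remove_local_name_blocks(conf: str) -> str:
    """Drop the per-domain blocks so every SNI name falls through to the
    default multi-SAN certificate (what the original poster attempted)."""
    return BLOCK_RE.sub("", conf)


if __name__ == "__main__":
    hosts = ["mail.example.com", "mail.example.net"]
    for host, cert, ok in check_mail_hosts(BROKEN_CONF, hosts):
        print(f"{host:20s} -> {cert:28s} {'OK' if ok else 'MISMATCH'}")
    print("--- after removing local_name blocks ---")
    for host, cert, ok in check_mail_hosts(remove_local_name_blocks(BROKEN_CONF), hosts):
        print(f"{host:20s} -> {cert:28s} {'OK' if ok else 'MISMATCH'}")
```

Run as-is, mail.example.com is reported OK (its website certificate happens to include the mail name) while mail.example.net is a MISMATCH, which is exactly the warning the clients saw; with the `local_name` blocks removed both names fall back to the multi-SAN certificate and pass. The point of the check is that a `local_name` block is only safe when the certificate it references actually lists that local name in its SANs.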
Submitted by JamieCameron on Sat, 08/19/2017 - 00:43 Comment #6
OK, it sounds like you just want to turn off Virtualmin's automatic SSL cert configuration for Dovecot, as you have your own solution. This can be done at System Settings -> Virtualmin Configuration -> SSL settings -> Copy per-IP SSL certificates to Dovecot?
Submitted by rsecor on Sat, 08/19/2017 - 20:55 Comment #7
OK, we did that ... for now.
We would like to figure out a migration path for the future though.
Any suggestions?
Submitted by JamieCameron on Mon, 08/21/2017 - 01:23 Comment #8
If you want to continue to use your current Dovecot certificate, you can just leave this setting off.