I have a server with around 190 sites, all supposed to be set up fairly consistently after a server migration. Until around a week ago I could use Thunderbird's auto configuration and instantly set up a new email account. Now it's not working for outgoing mail, and some clients are complaining about security warnings.
In Thunderbird outgoing is failing every time because it seems to default to the Default website’s certificate.
For example, when I run the wizard for the domain @everbuildconstruction.co.za, it finds the settings perfectly, but on every outgoing message I get this:
On the next screen as per screenshot below, when you press “View Certificate”, the certificate of the default website is displayed:
The wrong certificate is showing as below!
So in the example above, mail.everbuildconstruction.co.za is not picking up its own outgoing certificate in Thunderbird, instead defaulting to batman.vander.host, which is the server's default website.
I'm not sure if this is just an auto configuration problem or if something more serious took place. Before, the server's default website was the very first website on the list of sites, but I changed it intentionally to batman.vander.host.
The thing is, it appears SSL for the outgoing domains is okay, e.g. mail.everbuildconstruction.co.za looks okay, I think, using this service:
I’m going into a mild panic because I don’t know how prevalent the problem is but the fact that autoconfig is not working is going to be a huge problem for our help desk.
I found a way on the command line to simulate this problem. To me it’s clear that the default website is now replying for all certificates, instead of the domain itself:
openssl s_client -starttls smtp -showcerts -connect mail.donkerhoek.co.za:25 -servername mail.donkerhoek.co.za | grep "CN ="
depth=0 CN = batman.vander.host
verify error:num=18:self signed certificate
depth=0 CN = batman.vander.host
0 s:CN = batman.vander.host
i:CN = batman.vander.host
subject=CN = batman.vander.host
issuer=CN = batman.vander.host
In this example I'm asking for the certificate for mail.donkerhoek.co.za, but instead I'm getting a reply from the main server's domain.
After much googling I have learnt:
Per-domain SSL was never supported on Postfix until a few years ago, and Virtualmin received this functionality in the last year or so.
This line controls it:
tls_server_sni_maps = hash:/etc/postfix/sni_map
Now all that's left is to figure out why it's bringing up the first server and not the actual domain.
The server is logging these events:
tail -f /var/log/mail.log | grep "TLS SNI"
Mar 28 12:22:57 batman postfix/smtpd: TLS SNI mail.donkerhoek.co.za from localhost[127.0.0.1] not matched, using default chain
/etc/postfix/sni_map has these entries:
I got it working by adding this entry:
The conclusion is: sni_map doesn't work with wildcards. If you're wanting to use mail.@ then put it in explicitly.
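The openssl s_client check above, turned into a repeatable script (an added example, not from the original post): it probes each mail host over STARTTLS with SNI and reports whether the subject CN of the presented certificate actually belongs to that host, so the "default chain" fallback seen in the mail.log can be found across all domains before the help desk hears about it. It assumes openssl is installed and port 25 is reachable; the function and host names are my own.

```shell
#!/bin/sh
# Added example: detect Postfix SNI fallback to the default certificate.
# Assumes "openssl s_client" is available and STARTTLS on port 25 is reachable.

# Read "openssl s_client" output on stdin and print the subject CN.
# Handles both "subject=CN = host" and the older "subject=/C=ZA/CN=host" layouts.
subject_cn() {
  sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# Return 0 when the presented CN is valid for the expected host name:
# either an exact match, or a wildcard for the host's parent domain.
cn_matches() {
  expected=$1
  cn=$2
  case "$cn" in
    "$expected") return 0 ;;
    \*.*)
      parent=${expected#*.}          # mail.example.com -> example.com
      [ "${cn#\*.}" = "$parent" ] && return 0
      ;;
  esac
  return 1
}

# Probe one host with SNI set to its own name; print OK or MISMATCH.
# A MISMATCH showing the server's default name means the sni_map entry
# for this host is missing or not matched (e.g. a "*." wildcard entry).
probe_host() {
  host=$1
  port=${2:-25}
  cn=$(openssl s_client -starttls smtp -connect "$host:$port" \
         -servername "$host" </dev/null 2>/dev/null | subject_cn)
  if cn_matches "$host" "$cn"; then
    echo "OK $host $cn"
  else
    echo "MISMATCH $host ${cn:-<no-cert>}"
    return 1
  fi
}

# Usage: ./sni-check.sh mail.donkerhoek.co.za mail.everbuildconstruction.co.za
[ "$#" -gt 0 ] && for h in "$@"; do probe_host "$h"; done
```

Any MISMATCH line naming the default site (batman.vander.host in the thread) is the same symptom the Thunderbird wizard shows, now visible per domain.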
Thanks for the info, that solved my similar issues, but have you found a way to fix that for new virtual servers created on the server? Virtualmin in the current version still uses a wildcard in the sni_map file.
That was a bug and this is not what latest Virtualmin 6.16 is using. The correct syntax for wildcard is:
Ah cool. Is there an easy way to force correction of all entries in the Postfix file, other than manually editing the sni_map file?
@vincen I had a similar question, but then I noticed a simple text search and replace of *. to just . should do the trick. Please double check though, and make a backup before you run it.
Thanks, but unhappily mine has double entries for most domains. I don't have so many, so yep, I guess it'll finish this way after I check, by creating a fake account, that it works properly now.
Yes, try this Bash script:
# List every real (non-alias) virtual server, then re-register each one's
# certificate with Postfix so its sni_map entry is rewritten.
doms=$(virtualmin list-domains --name-only --no-alias)
for dom in $doms; do
virtualmin install-service-cert --domain "$dom" --remove-domain --service postfix
virtualmin install-service-cert --domain "$dom" --add-domain --service postfix
done
@Ilia Thanks for the script, it fixed the problem in one go.