Default website for IP address interfering with Autodiscover / Autoconfig for Thunderbird and Outlook Configuration for SMTP Certificate?

Ubuntu 20.04

I have a server with around 190 sites, all supposed to be set up fairly consistently after a server migration. Until around a week ago I could use Thunderbird’s auto configuration and instantly set up a new email account. Now it’s not working for outgoing mail, and some clients are complaining about security warnings.

In Thunderbird outgoing is failing every time because it seems to default to the Default website’s certificate.

For example, when I run the wizard for the domain @everbuildconstruction.co.za, it finds the settings perfectly, but on every outgoing message I get this:

[screenshot]

On the next screen as per screenshot below, when you press “View Certificate”, the certificate of the default website is displayed:

[screenshot]

The wrong certificate is showing as below!

[screenshot]

So in the example above mail.everbuildconstruction.co.za is not picking up its own outgoing certificate in Thunderbird, instead defaulting to batman.vander.host, which is the server’s default website.

I’m not sure if this is just an auto configuration problem or if something more serious took place. Before, the server’s default website was the very first website on the list of sites, but I changed it intentionally to batman.vander.host.

The thing is, it appears SSL for the outgoing domains is okay, e.g. mail.everbuildconstruction.co.za looks okay, I think, using this service:

https://www.sslshopper.com/ssl-checker.html#hostname=mail.everbuildconstruction.co.za

I’m going into a mild panic because I don’t know how prevalent the problem is but the fact that autoconfig is not working is going to be a huge problem for our help desk.

I found a way on the command line to simulate this problem. To me it’s clear that the default website is now replying for all certificates, instead of the domain itself:

openssl s_client -starttls smtp -showcerts -connect mail.donkerhoek.co.za:25 -servername mail.donkerhoek.co.za | grep "CN ="
depth=0 CN = batman.vander.host
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = batman.vander.host
verify return:1
250 CHUNKING
 0 s:CN = batman.vander.host
   i:CN = batman.vander.host
subject=CN = batman.vander.host
issuer=CN = batman.vander.host

In this example I’m asking for the certificate for mail.donkerhoek.co.za, but instead I’m getting a reply from the main server’s domain batman.vander.host.

Any clues?

EDIT

After much googling I have learnt:

  1. Per-domain SSL was never supported on Postfix until a few years ago, and Virtualmin received this functionality in the last year or so.

  2. This line controls it:

cat /etc/postfix/main.cf
tls_server_sni_maps = hash:/etc/postfix/sni_map

Now all that’s left is to figure out why it’s bringing up the first server and not the actual domain.

Related links:

EDIT

The server is logging these events:

tail -f /var/log/mail.log | grep "TLS SNI"
Mar 28 12:22:57 batman postfix/smtpd[4062199]: TLS SNI mail.donkerhoek.co.za from localhost[127.0.0.1] not matched, using default chain

SOLUTION

/etc/postfix/sni_map has these entries:

donkerhoek.co.za        /home/donkerhoek/ssl.key,/home/donkerhoek/ssl.cert,/home/donkerhoek/ssl.ca
*.donkerhoek.co.za      /home/donkerhoek/ssl.key,/home/donkerhoek/ssl.cert,/home/donkerhoek/ssl.ca

I got it working by adding this entry:

mail.donkerhoek.co.za   /home/donkerhoek/ssl.key,/home/donkerhoek/ssl.cert,/home/donkerhoek/ssl.ca

The conclusion is sni_map doesn’t work with wildcards.

If you want to use mail.@, put it in explicitly.
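A way to run the openssl check from the post across every mail host at once, added here as an example (my own shell, not something from the thread or from Virtualmin): served_cn pulls the leaf certificate's CN out of s_client output, sni_matches decides whether that CN covers the name the client asked for, and audit_sni does one live STARTTLS handshake per host and reports each one as OK or MISMATCH. The function names are my own, and the sample output is constructed to mirror the output quoted above rather than captured from a server.

```bash
#!/bin/bash
# Added example (not from the thread): check which certificate a Postfix
# server presents for a given SNI name, so the "default chain" fallback the
# post describes can be spotted across many hosts without a mail client.

# served_cn: read `openssl s_client -starttls smtp ...` output on stdin and
# print the leaf certificate's subject CN (handles "CN = x" and "CN=x").
served_cn() {
  sed -n 's|^subject=.*CN *= *\([^,/]*\).*|\1|p' | head -n 1
}

# sni_matches HOST < s_client-output: succeed only if the served CN is HOST
# itself or a one-label wildcard ("*.parent") covering it; case-insensitive.
sni_matches() {
  local host cn
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  cn=$(served_cn | tr '[:upper:]' '[:lower:]')
  [ -n "$cn" ] || return 1                      # no certificate in the output
  [ "$cn" = "$host" ] && return 0
  case $cn in
    \*.*)                                        # wildcard: parent labels must agree
      [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${cn#\*.}" ] && return 0 ;;
  esac
  return 1
}

# audit_sni HOST...: live check, one STARTTLS handshake per host (needs network).
audit_sni() {
  local h out
  for h in "$@"; do
    out=$(openssl s_client -starttls smtp -connect "$h:25" -servername "$h" </dev/null 2>/dev/null)
    if printf '%s\n' "$out" | sni_matches "$h"; then
      echo "OK        $h"
    else
      echo "MISMATCH  $h -> served CN '$(printf '%s\n' "$out" | served_cn)'"
    fi
  done
}

# Constructed sample modelled on the s_client output quoted in the post above
# (not a live capture): the default self-signed chain answering for a client
# that asked for mail.donkerhoek.co.za.
SAMPLE_DEFAULT_CHAIN='depth=0 CN = batman.vander.host
verify error:num=18:self signed certificate
verify return:1
250 CHUNKING
subject=CN = batman.vander.host
issuer=CN = batman.vander.host'

# Usage: bash check_sni.sh --audit mail.example.org mail.example.net
if [ "${1:-}" = "--audit" ]; then
  shift
  audit_sni "$@"
fi
```

Feed it the hosts you care about, for instance mail.$dom for each name that virtualmin list-domains --name-only --no-alias prints. It looks only at the CN, as the grep in the post does; current mail clients match the subjectAltName list, so a certificate whose SAN covers the host but whose CN does not would be reported as a mismatch here, while the batman.vander.host default chain is caught either way.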

Thanks for the info, that solved my similar issues, but have you found a way to fix that for new virtual servers created on the server? Virtualmin in its current version still uses wildcards in the sni_map file :frowning:

That was a bug, and this is not what the latest Virtualmin 6.16 uses. The correct syntax for a wildcard is:

.donkerhoek.co.za      /home/donkerhoek/ssl.key,/home/donkerhoek/ssl.cert,/home/donkerhoek/ssl.ca

Ah cool :wink: Is there an easy way to force correction of all entries in the Postfix file, other than manually editing the sni_map file?

@vincen I had a similar question, but then I noticed that a simple text search and replace of *. to just . should do the trick. Please double-check though, and make a backup before you run it.

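Two things from the replies above, worked through as an added shell example (mine, not Virtualmin's code or any poster's): sni_lookup emulates the lookup order that the thread's evidence and the .domain syntax imply, the exact SNI name first and then each parent domain with a leading dot, so it shows why a *.donkerhoek.co.za line never matches mail.donkerhoek.co.za while .donkerhoek.co.za does; fix_sni_map is the search-and-replace with the backup the reply asks for, plus duplicate-key removal and a postmap rebuild. The map text is constructed from the entries quoted earlier in the thread, and the function names are my own.

```bash
#!/bin/bash
# Added example (not Virtualmin's code): emulate how Postfix consults
# tls_server_sni_maps, and convert "*.domain" keys to the ".domain" form.

# sni_lookup NAME FILE: look NAME up the way the thread's evidence shows
# Postfix does: the exact name first, then each parent domain with a leading
# dot (".donkerhoek.co.za", ".co.za", ...). A "*." key is never tried, so
# such lines are dead and the default chain gets used. Prints the key/cert
# files on success; returns 1 when nothing matches.
sni_lookup() {
  local key=$1 file=$2 hit
  while :; do
    hit=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")
    if [ -n "$hit" ]; then printf '%s\n' "$hit"; return 0; fi
    key=${key#.}                            # ".a.b.c" -> "a.b.c"
    [ "${key#*.}" != "$key" ] || return 1   # no parent left: default chain
    key=.${key#*.}                          # "a.b.c" -> ".b.c"
  done
}

# fix_sni_map FILE: keep a timestamped backup, rewrite "*.x" keys to ".x",
# drop repeated keys (first line wins; postmap warns about duplicates), and
# rebuild the hash table if postmap is installed.
fix_sni_map() {
  local f=$1 bak
  bak="$f.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$f" "$bak" || return 1
  sed 's/^\*\././' "$bak" \
    | awk '/^[ \t]*(#|$)/ { print; next } !seen[$1]++' > "$f.tmp" || return 1
  cat "$f.tmp" > "$f" && rm -f "$f.tmp"     # keeps the original mode/owner
  if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$f"
  fi
}

# Constructed map text copied from the entries quoted in the thread (not a
# real /etc/postfix/sni_map); demo writes it to a temp file.
SNI_MAP_BEFORE='donkerhoek.co.za        /home/donkerhoek/ssl.key,/home/donkerhoek/ssl.cert,/home/donkerhoek/ssl.ca
*.donkerhoek.co.za      /home/donkerhoek/ssl.key,/home/donkerhoek/ssl.cert,/home/donkerhoek/ssl.ca'

# demo: show the lookup before and after the rewrite; returns 0 only when the
# mail. name fails to match the "*." line and matches after the fix.
demo() {
  local t ok=1
  t=$(mktemp) || return 1
  printf '%s\n' "$SNI_MAP_BEFORE" > "$t"
  echo "before: $(sni_lookup mail.donkerhoek.co.za "$t" || echo 'no match -> default chain')"
  fix_sni_map "$t"
  echo "after:  $(sni_lookup mail.donkerhoek.co.za "$t" || echo 'no match -> default chain')"
  sni_lookup mail.donkerhoek.co.za "$t" >/dev/null && ok=0
  rm -f "$t" "$t".bak.* "$t".db
  return $ok
}

# Usage: bash fix_sni.sh --demo    or    fix_sni_map /etc/postfix/sni_map
if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

After fix_sni_map /etc/postfix/sni_map, confirm with openssl s_client -servername as in the first post, or watch mail.log for the "TLS SNI ... not matched, using default chain" line; postmap -q mail.donkerhoek.co.za hash:/etc/postfix/sni_map only tests that exact key, so it will not show the .domain match.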

Thanks, but unfortunately I have double entries for most domains :frowning: but I don’t have so many, so yep, I guess it’ll be finished this way after I check, by creating a fake account, that it works properly now :wink:

Yes, try this Bash script:

#!/bin/sh
# Remove and re-add each (non-alias) Virtualmin domain's certificate for the
# Postfix service, so Virtualmin regenerates that domain's sni_map entries.
doms=$(virtualmin list-domains --name-only --no-alias)
for dom in $doms; do
        virtualmin install-service-cert --domain "$dom" --remove-domain --service postfix
        virtualmin install-service-cert --domain "$dom" --add-domain --service postfix
done

@Ilia Thanks for the script, it fixed the problem in one go :+1: