Copying SSL to Dovecot for one virtual server changes certificate for all?

I've got numerous virtual servers, some with SSL certs, some without. When I copy the certificate to Dovecot in one virtual server, all the other virtual servers with SSL certificates change their Dovecot certificate settings to the one I've just copied. This creates a problem when trying to receive emails as the email browser errors, saying the certificate is from another site. I'm copying the certificate details by selecting the virtual server then Server Configuration --> Manage SSL Certificate --> Current Certificate | Copy to Dovecot

Any ideas why it changes globally instead of locally?

Comments

Howdy -- unfortunately, Apache is the only service on your system that can have more than one SSL certificate per IP address.

Services such as Dovecot only support one SSL certificate per IP address on your server.

That means that if your domains are sharing an IP address, they'd also need to share an SSL certificate in Webmin, Dovecot, and Usermin.

I have multiple IP addresses. If I set up the cert on a shared IP address then copy to Dovecot, it changes it globally (i.e. to all IP addresses, even those with SSL certs). If I try to copy to Dovecot on a virtual server with its own IP and certificate, it also changes it globally. Is there another setting somewhere that I've missed?

I'm still having this issue and can't see where the problem lies. For example, I have 3 domains with their own dedicated IP addresses and their own SSL certs (2 x LetsEncrypt, 1 x AlphaSSL). When browsing to each site the correct certificate is picked up. However, whichever SSL cert I copy to Dovecot becomes the master and eliminates the others, creating issues when collecting mail (i.e. the last SSL cert copied to Dovecot is read as the certificate for all SSL accounts, even those that each have their own dedicated IP). Does that help isolate the issue?

Yeah, we unfortunately may need Jamie's help on this one. I'm not quite sure what's going on; that does sound like it could be a bug.

Jamie, do you have any thoughts as to what's going on with SSL in this user's setup here?

The "Copy to Dovecot" button will copy the domain's cert to be the default for IMAP connections. However, if you go to System Settings -> Virtualmin Configuration -> SSL settings and change "Copy per-IP SSL certificates to Dovecot?" to "Yes", any domain with SSL and its own IP will get a separate Dovecot cert for just connections to that IP. Which sounds like what you want...

Thanks Jamie but "Copy per-IP SSL certificates to Dovecot?" is already checked as "Yes". This appears to be a continuation of a bug issue I had in March last year which we were discussing (https://www.virtualmin.com/node/40090). I had to check the "No" button for "Copy per-IP SSL certificates to Postfix?" back then as a quick fix but now that I'm adding SSL certs to the IP dedicated virtual servers, it's becoming problematic.

Would it be possible for you to attach your Dovecot config files to this bug report? It sounds like Virtualmin is setting up the per-IP cert wrongly, and I want to know why...

The comments pane doesn't appear to let me attach a file. Which Dovecot config files do you want? Just the /etc/dovecot/dovecot.conf one? I could just copy & paste it in if you like.

Can you also attach the relevant config files in /etc/dovecot/conf.d ?

Sorry, didn't see this update. Is this one you want to see? 10-ssl.conf

##
## SSL settings
##

# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
#ssl = yes
ssl = yes

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem

# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =

# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
#ssl_ca =
ssl_ca = </etc/dovecot/dovecot.ca.pem

# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no

# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName

# How often to regenerate the SSL parameters file. Generation is quite CPU
# intensive operation. The value is in hours, 0 disables regeneration
# entirely.
#ssl_parameters_regenerate = 168

# SSL protocols to use
#ssl_protocols = !SSLv2 !SSLv3

# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
ssl_cipher_list = ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

I'm actually looking for whichever file contains the private IP address for the domain.

There is nothing in the /etc/dovecot/conf.d dir containing the private IP? Where would I find the file you're after?

It doesn't sound like per-IP SSL certs are being setup at all if there is no reference to the IP address.

If you enabled SSL for the domain before changing "Copy per-IP SSL certificates to Dovecot?" to "Yes", can you try disabling and then re-enabling SSL for the domain?

No... it's weird. I've had both "Copy per-IP SSL certificates to Dovecot" & "Copy per-IP SSL certificates to Postfix" off and on and turned certs off and on, but no change. With both of the above "On", under "Server Configuration/Manage SSL Certificate", if I "Copy to Dovecot" and/or "Copy to Postfix" it appears to work and states "This SSL certificate is already being used by : Dovecot, Postfix". Then I check another domain (with its own IP and SSL) and it no longer has the message that the certificate is already being used. So the Copy per IP for both Dovecot and Postfix doesn't appear to be working.

Which version of Dovecot are you running there? This feature isn't supported on versions below 2.0.

Version 2.0.9. Would using Let's Encrypt certs on some domains create any issue with this?

No, Let's Encrypt shouldn't cause any problems. However, you do need each domain to have its own IP address - unlike Apache, where multiple SSL sites can share an IP, Dovecot requires that each domain that wants its own SSL cert have its own IP.

Thanks, and yes, each of the domains I'm trying to set their own SSL for Dovecot and Postfix have their own IP address and own SSL cert. I've got more domains I need to set up with this too. Still researching this issue, but any help would still be great.

I'm mystified as to what is going on here, as it sounds like you have met all the pre-conditions for copying the SSL cert to Dovecot.

Any chance we could login to your system to see what's going wrong?

I have the same problem and didn't find how to solve it. Webmin 1.831 / Virtualmin 5.05 / Dovecot 2.2.22 / Postfix 3.1.0 / 4 IP addresses … Does it have something to do with the SSL settings in the Webmin configuration (Per-IP certificates)? I also need help! Thanks

Thanks Jamie... I think that may be the best at this point... how can I PM you the details?

Ok, I see the bug that causes this now. I have patched it on your system - please try disabling and enabling SSL for one domain, and let me know if that helps.

I'm having that same issue. Can you explain your solution?

Thanks in advance.

It required a code change in Virtualmin to fix - there isn't any simple work-around.

Thanks Jamie, but it doesn't appear to have worked. I turned off one of the SSL certificates via Virtualmin/Services/Configure Website for SSL/SSL Options and selected "No" for "Enable SSL?". Restarted Apache and ensured SSL on that domain was not on. Then turned it back on, restarted Apache, went to Virtualmin/Server Configuration/Manage SSL Certificate, then hit "Copy to Postfix". Went to the other domain and checked; Postfix was no longer being used for that server certificate. Copied to Postfix, then checked the previous domain and Postfix had been removed. I'll try with another domain with a fresh SSL this evening and let you know if I get any different outcome.

Just tried with a new domain, IP address and SSL cert and the same problem is happening: whichever SSL certificate Dovecot or Postfix is being copied to overrides the others.

Try not clicking "Copy to Postfix" or "Copy to Dovecot". Those buttons copy it for all IPs, but it should get automatically setup for the domain's private IP as soon as you enable SSL.

OK, I see... thanks, that seems to be creating the right certificate now but unfortunately opened a new can of worms. I set up a new domain with a new IP address with SSL activated and it prevented all other sites with their own IPs and SSL activated from receiving any mail. When checking connectivity of other SSL cert virtual servers it came up with an SMTP connectivity error. When I turned off SSL for the new domain the error continued. I had to disable SSL on that site in order to get the mail on the other servers running again. Sites without SSL enabled were not affected?

Sorry Jamie but that didn't work either... all domains using SSL for SMTP come up with the domain I copied the postfix and dovecot from... how can I remove the default dovecot & postfix from the domain that I've copied those to?

If you check your Postfix config file /etc/postfix/master.cf , is there an entry for the IP address of the domain that you want to have its own SSL cert for SMTP?

There are no IP addresses referenced in that file at all.
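The two questions above (which Dovecot file references the domain's private IP, and whether master.cf has an entry for that IP) can be answered mechanically: in Dovecot 2.x a per-IP certificate lives in a `local <ip> { ssl_cert = ... }` block, and in Postfix it is a master.cf listener bound to that IP carrying its own `-o smtpd_tls_cert_file=` override. The checker below is an added example, not code from this thread or from Virtualmin; the IPs, certificate paths and both config snippets are constructed samples, and it reports every IP that would still fall back to the shared default certificate.

```python
import re

# Constructed sample configs showing what a working per-IP setup looks like (not the poster's files).
DOVECOT_CONF = """\
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
local 192.0.2.10 {
  ssl_cert = </home/example-a/ssl.cert
}
local 192.0.2.11 {
  ssl_cert = </home/example-b/ssl.cert
}
"""
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
192.0.2.10:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/home/example-a/ssl.cert
  -o smtpd_tls_key_file=/home/example-a/ssl.key
"""

def dovecot_certs(conf):
    """Map each IP in a 'local <ip> { ... }' block to its ssl_cert ('*' = global default)."""
    certs = {"*": re.search(r"^ssl_cert\s*=\s*<(\S+)", conf, re.M).group(1)}
    for ip, body in re.findall(r"^local\s+(\S+)\s*\{(.*?)^\}", conf, re.M | re.S):
        m = re.search(r"^\s*ssl_cert\s*=\s*<(\S+)", body, re.M)
        if m:
            certs[ip] = m.group(1)
    return certs

def postfix_certs(master_cf):
    """Map each IP-bound smtpd listener in master.cf to its smtpd_tls_cert_file override."""
    certs, current = {}, None
    for line in master_cf.splitlines():
        if line[:1].isspace():           # continuation line: '-o key=value' overrides
            m = re.search(r"-o\s+smtpd_tls_cert_file=(\S+)", line)
            if m and current:
                certs[current] = m.group(1)
        else:                            # service line: 'ip:port inet ...' binds to one IP
            m = re.match(r"(\d+\.\d+\.\d+\.\d+):\S+\s+inet\b", line)
            current = m.group(1) if m else None
    return certs

def check(expected, dovecot, postfix):
    """Return (service, ip) pairs whose IP does not present the expected certificate."""
    missing = []
    for ip, cert in expected.items():
        if dovecot.get(ip) != cert:
            missing.append(("dovecot", ip))
        if postfix.get(ip) != cert:
            missing.append(("postfix", ip))
    return missing
```

On a live system, feed it the output of `doveconf -n` and the real /etc/postfix/master.cf; an IP listed by `check` is one whose mail clients will see the shared default certificate.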

Any more ideas on this? At the moment one SSL cert is coming up for all domains trying to use SSL mail which is getting frustrating.

FYI, support for Dovecot SSL certs even for domains that don't have their own private IP will be in the next Virtualmin release.

Excellent... and I see the postfix IP issues will be fixed too... so, when's the next version due? :)

Couple of days, hopefully.

Hello,

Because this is a very serious issue, do we have any news?

Servers are almost useless without a solution here.

I believe that should be part of Virtualmin 5.99/6.0.

We've released 5.99 to the repos a few weeks ago, does that Virtualmin version fix that issue for you?

I updated to 5.99 but nothing changed.

And we are talking about 2 different IPs, so it is not a Postfix or Dovecot issue.

Note that if you just upgraded, you will need to disable and re-enable SSL for the domain for Dovecot to be configured.

You mean that from "Edit Virtual Server" and then "Apache SSL website enabled?"

I'm sorry to ask in such detail, but I'm afraid of destroying things...

Yes - it is quite safe to disable and re-enable the SSL feature.