
cPanel incorrect exim configuration

Discussion in 'E-mail Discussions' started by Tekcor, Oct 16, 2015.

  1. Tekcor

    Tekcor Registered

    Joined:
    Oct 16, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    CT
    cPanel Access Level:
    Root Administrator
    I've been banging my head trying to figure out why Exim and Apache are serving different certification chains when they both point to the exact same files. Apache is correct, Exim is wrong.

    After a while of digging, it turns out that cPanel creates an incorrect Exim config. Specifically:

    Code:
    tls_verify_certificates = ${if exists {/etc/mail_sni_map} {${extract{cabundle}{${lookup {$tls_sni} lsearch {/etc/mail_sni_map} {$value}}}{$value}{}}} {}}

    This basically sets the tls_verify_certificates to the path of the cabundle for my domain. Sounds good on the surface. But once you read about what tls_verify_certificates actually does, it's obviously wrong:

    42. Encrypted SMTP connections using TLS/SSL
    Basically, tls_verify_certificates is supposed to point to a directory containing certificates that should be accepted by connecting clients. For example, via Apple Mail's "TLS Certificate" setting. It is NOT for the CA Bundle.

    Exim wants the full certificate chain in the tls_certificate config value.

    Is there any way I can fix this without breaking the way cPanel does its job? I'm on WHM 11.50.2 build 0.
     
  2. imageinabox

    imageinabox Member

    Joined:
    Nov 20, 2013
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Huntsville, AL
    cPanel Access Level:
    Root Administrator
    Hey Tekcor,

    I create an exim.conf.local file and put the following code in this file:

    Code:
    @CONFIG@
    # Serve the per-IP full chain (leaf + intermediates) and key for the IP the client connected to
    tls_certificate = /etc/exim/cert/$received_ip_address.crt
    tls_privatekey = /etc/exim/cert/$received_ip_address.key
    
    This overwrites the certificate information. I then put each dedicated IP address into the /etc/exim/certs/<ip-address>.crt & <ip-address>.key files.

    Restart exim
    Code:
    /scripts/buildeximconf && /scripts/restartsrv_exim
    This is a manual fix but allows exim to work on SSL/TLS for my dedicated IP customers.

    Thanks,
    Justin
     
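As an added example (not code from the thread, from cPanel, or from either poster), here is a small Python helper that does the per-IP part of the manual fix described above: it assembles a leaf certificate plus its CA bundle into the single full-chain file that Exim's tls_certificate expects, writes it beside the key using the /etc/exim/cert/<ip>.crt and <ip>.key layout the post uses (with the key owner-only), and also flags the tls_verify_certificates misuse quoted in the first post. The certificates and key are constructed placeholders (valid PEM framing, not real X.509), the directory is a temporary one, and the function names are my own.

```python
"""Assemble per-IP full-chain files for Exim's tls_certificate and audit the
cPanel-generated tls_verify_certificates line from the first post.
Added example; assumes the poster's <ip>.crt / <ip>.key layout and uses
constructed placeholder PEM blocks, not real certificates."""
import base64
import os
import re
import tempfile

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def _fake_pem(label: bytes) -> str:
    """Constructed PEM block: valid framing and base64, NOT a real X.509 certificate."""
    body = base64.encodebytes(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


# Constructed sample material standing in for a leaf cert, its CA bundle and key.
SAMPLE_LEAF = _fake_pem(b"constructed leaf certificate placeholder")
SAMPLE_CABUNDLE = (_fake_pem(b"constructed intermediate CA placeholder")
                   + _fake_pem(b"constructed root CA placeholder"))
SAMPLE_KEY = ("-----BEGIN PRIVATE KEY-----\n"
              "Y29uc3RydWN0ZWQga2V5IHBsYWNlaG9sZGVy\n"
              "-----END PRIVATE KEY-----\n")
# The tls_verify_certificates line quoted in the first post, plus one harmless setting.
SAMPLE_EXIM_CONFIG = (
    "tls_verify_certificates = ${if exists {/etc/mail_sni_map} {${extract{cabundle}"
    "{${lookup {$tls_sni} lsearch {/etc/mail_sni_map} {$value}}}{$value}{}}} {}}\n"
    "tls_privatekey = /etc/exim/cert/$received_ip_address.key\n"
)


def split_pem_certs(text: str) -> list[str]:
    """Return every CERTIFICATE block in `text`, normalised, after checking its base64."""
    certs = []
    for body in PEM_CERT_RE.findall(text):
        raw = "".join(body.split())            # drop the 64/76-column line breaks
        if not base64.b64decode(raw, validate=True):   # raises on non-base64 bytes
            raise ValueError("empty certificate body")
        certs.append(f"-----BEGIN CERTIFICATE-----\n{body.strip()}\n-----END CERTIFICATE-----\n")
    return certs


def is_valid_pem_chain(text: str) -> bool:
    """True when `text` holds at least one well-formed certificate block."""
    try:
        return bool(split_pem_certs(text))
    except ValueError:
        return False


def build_fullchain(leaf_pem: str, cabundle_pem: str) -> str:
    """Leaf first, then the bundle: the order Exim wants in a single tls_certificate file."""
    leaf = split_pem_certs(leaf_pem)
    if len(leaf) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaf)}")
    chain = list(leaf)
    for cert in split_pem_certs(cabundle_pem):
        if cert not in chain:                  # some bundles repeat the leaf or a CA
            chain.append(cert)
    return "".join(chain)


def audit_exim_config(config_text: str) -> list[str]:
    """Flag the mistake from the first post: a CA bundle fed to tls_verify_certificates."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        key = line.split("=", 1)[0].strip()
        if key == "tls_verify_certificates" and "cabundle" in line:
            findings.append(f"line {lineno}: tls_verify_certificates names the CA bundle; it "
                            "selects which client certificates Exim trusts, not the chain Exim serves")
    return findings


def write_ip_bundle(ip: str, leaf_pem: str, key_pem: str, cabundle_pem: str, cert_dir: str) -> dict:
    """Write <ip>.crt (full chain, world-readable) and <ip>.key (owner-only) into cert_dir."""
    os.makedirs(cert_dir, mode=0o750, exist_ok=True)
    crt_path = os.path.join(cert_dir, f"{ip}.crt")
    key_path = os.path.join(cert_dir, f"{ip}.key")
    with open(crt_path, "w") as fh:
        fh.write(build_fullchain(leaf_pem, cabundle_pem))
    os.chmod(crt_path, 0o644)
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(key_pem)
    os.chmod(key_path, 0o600)                  # os.open's mode is subject to umask
    with open(crt_path) as fh:
        certs_in_chain = len(split_pem_certs(fh.read()))
    return {"crt": crt_path, "key": key_path, "certs_in_chain": certs_in_chain,
            "crt_mode": os.stat(crt_path).st_mode & 0o777,
            "key_mode": os.stat(key_path).st_mode & 0o777}


def write_sample_bundle() -> dict:
    """Run the whole flow on the constructed sample in a throwaway directory (192.0.2.10 is a documentation IP)."""
    return write_ip_bundle("192.0.2.10", SAMPLE_LEAF, SAMPLE_KEY, SAMPLE_CABUNDLE,
                           tempfile.mkdtemp(prefix="exim-cert-"))


if __name__ == "__main__":
    for finding in audit_exim_config(SAMPLE_EXIM_CONFIG):
        print("FINDING:", finding)
    print(write_sample_bundle())
```

Point it at the real leaf and cabundle files cPanel already installs for the domain, run it for each dedicated IP, then `/scripts/buildeximconf && /scripts/restartsrv_exim` as in the post; it is the chain-order and key-permission step that is easy to get wrong by hand.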
  3. Tekcor

    Tekcor Registered

    Joined:
    Oct 16, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    CT
    cPanel Access Level:
    Root Administrator
    That's not a bad idea. Unfortunately it requires manual certificate management, so I'll have to remember to swap in those certificates upon renewal. But it's a smaller amount of work than what I was thinking.
     
  4. imageinabox

    imageinabox Member

    Joined:
    Nov 20, 2013
    Messages:
    19
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Huntsville, AL
    cPanel Access Level:
    Root Administrator
    Yeah, it takes a little bit of time but a lot quicker update than cPanel response time. :D

    If I'm able to hook into the /scripts/build_mail_sni script, then I would be able to make this an auto updater. So whenever you update the SSL within WHM/cPanel, it would update the <ip>.crt and <ip>.key.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Just to clarify, does disabling the "Mail SNI" feature for the domain name make a difference? SNI for mail services is managed at:

    "WHM Home » SSL/TLS » Manage SSL Hosts"

    Thank you.
     