cPanel incorrect exim configuration
I've been banging my head trying to figure out why Exim and Apache are serving different certification chains when they both point to the exact same files. Apache is correct, Exim is wrong.
After a while of digging, it turns out that cPanel creates an incorrect Exim config. Specifically:
tls_verify_certificates = ${if exists {/etc/mail_sni_map} {${extract{cabundle}{${lookup {$tls_sni} lsearch {/etc/mail_sni_map} {$value}}}{$value}{}}} {}}
This basically sets the tls_verify_certificates to the path of the cabundle for my domain. Sounds good on the surface. But once you read about what tls_verify_certificates actually does, it's obviously wrong:
42. Encrypted SMTP connections using TLS/SSL
The difference between tls_verify_hosts and tls_try_verify_hosts is what happens if the client does not supply a certificate, or if the certificate does not match any of the certificates in the collection named by tls_verify_certificates.
Basically, tls_verify_certificates is suppose to point to a directory containing certificates that should be accepted by connecting clients. For example, via Apple Mail's "TLS Certificate" setting. It is NOT for the CA Bundle. Exim wants the full certificate chain in the tls_certificate config value. Is there any way I can fix this without breaking the way cPanel does its job? I'm on WHM 11.50.2 build 0.
Basically, tls_verify_certificates is suppose to point to a directory containing certificates that should be accepted by connecting clients. For example, via Apple Mail's "TLS Certificate" setting. It is NOT for the CA Bundle. Exim wants the full certificate chain in the tls_certificate config value. Is there any way I can fix this without breaking the way cPanel does its job? I'm on WHM 11.50.2 build 0.
-
Hey Tekcor, I create a exim.conf.local file and put the following code in this file: @CONFIG@ tls_certificate = /etc/exim/cert/$received_ip_address.crt tls_privatekey = /etc/exim/cert/$received_ip_address.key
This overwrites the certificate information. I then put each dedicated IP address into the /etc/exim/certs/.crt & .key files. Restart exim/scripts/buildeximconf && /scripts/restartsrv_exim
This is a manual fix but allows exim to work on SSL/TLS for my dedicated IP customers. Thanks, Justin0 -
That's not a bad idea. Unfortunately it requires manual certificate management, so I'll have to remember to swap in those certificates upon renewal. But it's a smaller amount of work than what I was thinking. 0 -
That's not a bad idea. Unfortunately it requires manual certificate management, so I'll have to remember to swap in those certificates upon renewal. But it's a smaller amount of work than what I was thinking.
Yeah, it takes a little bit of time but a lot quick update than cPanel response time. :D If I'm able to hook into the /scripts/build_mail_sni script, then I would be able to make this an auto updater. So whenever you update the SSL within WHM/cPanel, it would update the .crt and .key.0 -
Hello :) Just to clarify, does disabling the "Mail SNI" feature for the domain name make a difference? SNI for mail services is managed at: "WHM Home " SSL/TLS " Manage SSL Hosts" Thank you. 0
Please sign in to leave a comment.
Comments
4 comments