Enabling SNI for Dovecot on Symbiosis

If you use Symbiosis to host email for multiple domains, you’ll want to help your users configure their mail clients to connect. It’s simple to do this for a domain in Dovecot, but you’ll need to do it for each domain you create. Also, you’ll need (just once) to ensure that Dovecot reloads its configuration regularly, so that it will reload its certificates: otherwise you’ll be stuck with the old certificates after they’re renewed.

So, if /etc/cron.daily/reload-dovecot-pureftpd-ssl doesn’t exist, then create it with this command. It also ensures that the pure-ftpd server restarts daily. The file must be executable, or run-parts will skip it, so the command sets the executable bit as well.

echo -e '#!/bin/bash\nservice dovecot reload > /dev/null\nservice pure-ftpd restart > /dev/null' | sudo tee /etc/cron.daily/reload-dovecot-pureftpd-ssl && sudo chmod +x /etc/cron.daily/reload-dovecot-pureftpd-ssl

Before following this guide, please ensure you have an SSL certificate in place for each domain. If you are hosting a web site for the domain, Symbiosis will probably have fetched a certificate for you from Let’s Encrypt.

To follow this guide, you will need to be comfortable with the Linux/Unix command line and with editing simple text files. If you’re not, then please contact our support team for help.

What is SNI?

Server Name Indication (SNI) is a TLS mechanism that lets your client tell the server which domain it wants to connect to, so that the server can provide the correct security certificate to the client. It’s widely used for web sites, but less widely implemented in mail servers. It also helps prevent “server name mismatch” errors.

A note on paths

If you’re using Dovecot on another operating system, then the paths to the certificates will be different, and you may want to follow this guide instead.

Configuring Dovecot

Dovecot’s configuration is spread across multiple files stored in the /etc/dovecot/symbiosis.d/ directory. Unlike Exim, Dovecot doesn’t let you parameterise certificate paths, so we need to add a separate file for each domain in the /etc/dovecot/symbiosis.d/10-main/ directory, naming each file for the domain, eg. for example.com we would create the file:

/etc/dovecot/symbiosis.d/10-main/51-example-com-sni

Important: Don’t use dots in these file names or they will be ignored when the configuration file is built!

The following sections describe how to create, deploy and test your configuration. The instructions will work for both the domain you specify (like example.com) and the ‘mail’ subdomain (mail.example.com). If you use a different subdomain, please amend the script (where it says mail.$domain) accordingly. For instructions on how to get an SSL certificate for your ‘mail’ subdomain, please click here.

Please note: if you remove a certificate for a domain, you MUST remove the configuration from Dovecot, or Dovecot won’t start.

Alternative approach

Note that there’s an alternative approach suggested by Martin Clayton, which allows you to put your individual domain configurations into snippets inside your /srv/domain/config folder. It has the advantage that you don’t need to keep rebuilding your Dovecot configuration.

We’ve not tested the approach, but you can read about it on our forum at https://forums.bytemark.co.uk/t/dovecot-sni-config-management/3003

If you choose to follow the alternative approach, then you should NOT follow the rest of this guide, though you may find some useful information in it.

Creating your configuration

The following commands create a Dovecot configuration for your main host name. Please replace domain=`hostname` with your own domain name, eg. domain=example.com (note there are no backticks or quotes here). The rest of the commands can then be run as they appear here, so you could just copy all the rest and paste it to your command line.

# configure your domain name
domain=`hostname` || echo "  WARNING: failed. Did you try to use backticks?"
# file-name form of the domain: dots become dashes (dots in snippet names are ignored)
dd=$(echo "$domain" | sed 's/\./-/g')
printf "checking domain %s \n and file name %s \n\n" "$domain" "$dd"
## we'll perform some basic checks
# is there a domain set?
if [ -z "${domain}" ] ; then printf "  WARNING: \$domain has no value, please specify one\n"; fi
# is the 'domain' actually configured in /srv? (double quotes so ${domain} expands in the message)
if [ ! -d "/srv/${domain}" ] ; then printf "\n\n   **WARNING** /srv/${domain} does not exist, or is not a directory. Set your domain before continuing.\n\n"; fi
# is there a certificate file, and a key file?
if [ ! -r "/srv/${domain}/config/ssl/current/ssl.crt" ] ; then printf "\n\n **WARNING** /srv/${domain} does not seem to have a certificate file, try running \"symbiosis-ssl\" to get one\n\n"; fi
if [ ! -r "/srv/${domain}/config/ssl/current/ssl.key" ] ; then printf "\n\n **WARNING** /srv/${domain} does not seem to have a key file, try running \"symbiosis-ssl\" to get one\n\n"; fi

## STOP here: check that you're happy with that domain name
## before proceeding!
# go to the right directory
cd /etc/dovecot/symbiosis.d/10-main
# create the configuration file (one local_name block per name clients may use)
cat << EOF > 55-${dd}-sni
local_name $domain {
    ssl_cert = < /srv/${domain}/config/ssl/current/ssl.crt
    ssl_key = < /srv/${domain}/config/ssl/current/ssl.key
}
local_name mail.$domain {
    ssl_cert = < /srv/${domain}/config/ssl/current/ssl.crt
    ssl_key = < /srv/${domain}/config/ssl/current/ssl.key
}
EOF

# build a test configuration. This will create dovecot.conf.tmp
cd /etc/dovecot
make test

# test the configuration, to show the desired cert and key for the domain
doveconf -c dovecot.conf.tmp -f lname=${domain} ssl_cert ssl_key

# test that the files actually exist
doveconf -c dovecot.conf.tmp -f lname=${domain} ssl_cert ssl_key | cut -d '<' -f2 | xargs ls -l

Deploying your configuration

To build and deploy the configuration, please run the following commands:

cd /etc/dovecot
make
service dovecot reload

Testing it works

Finally, test that the server is providing the right certificate for your domain by running the following commands:

# check that dovecot really is serving the right certificates
(sleep 1; echo . logout) | openssl s_client -connect $domain:imap -starttls imap -servername $domain 2> /dev/null | openssl x509 -noout -subject -dates

Removing a domain

If you remove a domain from Symbiosis (or just the SSL certificate for that domain), then Dovecot may fail to start. So, when removing a certificate, you should also remove the configuration snippet that you added for the domain, and then rebuild the configuration as outlined above.

  1. delete the file that you created at /etc/dovecot/symbiosis.d/10-main/51-example-com-sni
  2. make and deploy the configuration, as above
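The check below is an added example, not part of the Symbiosis guide or its scripts: it scans the SNI snippets in a directory and lists every snippet whose ssl_cert or ssl_key path no longer exists, which is exactly what leaves Dovecot unable to start after a domain or certificate is removed. The snippet directory, the *-sni file naming and the sample domains in the demo are assumptions based on the layout this guide creates.

```shell
#!/bin/sh
# Added example: find SNI snippets that point at certificate/key files that are gone.
# $1 = snippet directory (on Symbiosis: /etc/dovecot/symbiosis.d/10-main, assumed layout)
# Prints one stale snippet path per line; always returns 0.
stale_sni_snippets() {
    snipdir=$1
    for f in "$snipdir"/*-sni; do
        [ -f "$f" ] || continue
        missing=0
        # pull the path after '<' on every "ssl_cert = < /path" / "ssl_key = < /path" line
        for p in $(sed -n 's/^[[:space:]]*ssl_[a-z]*[[:space:]]*=[[:space:]]*<[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f"); do
            [ -r "$p" ] || missing=1
        done
        [ "$missing" -eq 1 ] && echo "$f"
    done
    return 0
}

# Constructed sample layout (not a real server): good.example still has its
# certificate and key, gone.example has had its /srv directory removed but its
# snippet left behind. Prints the stale snippet's file name.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/srv/good.example/config/ssl/current" "$base/snippets"
    echo cert > "$base/srv/good.example/config/ssl/current/ssl.crt"
    echo key  > "$base/srv/good.example/config/ssl/current/ssl.key"
    for d in good.example gone.example; do
        dd=$(echo "$d" | sed 's/\./-/g')
        cat > "$base/snippets/55-$dd-sni" <<EOF
local_name $d {
    ssl_cert = < $base/srv/$d/config/ssl/current/ssl.crt
    ssl_key = < $base/srv/$d/config/ssl/current/ssl.key
}
EOF
    done
    stale_sni_snippets "$base/snippets" | sed "s#^$base/snippets/##"
    rm -rf "$base"
}
```

On a Symbiosis host, run stale_sni_snippets /etc/dovecot/symbiosis.d/10-main before `make` to see which snippets must be deleted first.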
Updated on November 5, 2019