
Enabling SNI for Dovecot on Symbiosis

If you use Symbiosis to host email for multiple domains, you’ll want to help your users configure their mail clients to connect using their own domain name. Enabling SNI for a domain in Dovecot is simple, but you’ll need to do it for each domain you create.

Before following this guide, please ensure you have an SSL certificate in place for each domain. If you are hosting a web site for the domain, Symbiosis will probably have fetched a certificate for you from Let’s Encrypt.

To follow this guide, you will need to be comfortable with the Linux/Unix command line and with editing simple text files. If you’re not, then please contact our support team for help.

What is SNI?

Server Name Indication (SNI) is a TLS extension that lets the client tell the server, at the start of the handshake, which domain it wants to connect to, so that the server can present the correct certificate for that domain. It’s widely used for web sites, but less widely implemented in mail servers. It also helps prevent “server name mismatch” warnings in mail clients.

A note on paths

If you’re using Dovecot on another operating system, then the paths to the certificates will be different, and you may want to follow this guide instead.

Configuring Dovecot

Dovecot’s configuration is spread across multiple files stored in the /etc/dovecot/symbiosis.d/ directory. Unlike Exim, Dovecot can’t parameterise certificate paths, so we need to add a separate file for each domain in the /etc/dovecot/symbiosis.d/10-main/ directory, naming each file after the domain, e.g. for example.com we would create the file:

/etc/dovecot/symbiosis.d/10-main/51-example-com-sni

Important: Don’t use dots in these file names or they will be ignored when the configuration file is built!

The following sections describe how to create, deploy and test your configuration. The instructions will work for both the domain you specify (like example.com) and the ‘mail’ subdomain (mail.example.com). If you use a different subdomain, please amend the script (where it says mail.$domain) accordingly. For instructions on how to get an SSL certificate for your ‘mail’ subdomain, please click here.

Please note: if you remove a certificate for a domain, you MUST remove the configuration from Dovecot, or Dovecot won’t start.

Creating your configuration

The following commands create a Dovecot configuration for your main host name. Please replace domain=`hostname` with your own domain name, e.g. domain=example.com (note there are no backticks or quotes here). The rest of the commands can then be run as they appear here, so you could just copy all the rest and paste it to your command line.

# configure your domain name
domain=`hostname` || echo "  WARNING: failed. Did you try to use backticks?"
# derive the file name: dots become hyphens, because Dovecot ignores file names containing dots
dd=$(printf '%s' "$domain" | sed 's/\./-/g')
printf "checking domain %s \n and file name %s \n\n" "$domain" "$dd"
## we'll perform some basic checks
# is there a domain set?
if [ -z "${domain}" ] ; then printf "  WARNING: \$domain has no value, please specify one\n"; fi
# is the 'domain' actually configured in /srv?
if [ ! -d "/srv/${domain}" ] ; then printf '\n\n   **WARNING** /srv/%s does not exist, or is not a directory. Set your domain before continuing.\n\n' "${domain}"; fi
# is there a certificate file and a key file?
if [ ! -r "/srv/${domain}/config/ssl/current/ssl.crt" ] ; then printf '\n\n **WARNING** /srv/%s does not seem to have a certificate file, try running "symbiosis-ssl" to get one\n\n' "${domain}"; fi
if [ ! -r "/srv/${domain}/config/ssl/current/ssl.key" ] ; then printf '\n\n **WARNING** /srv/%s does not seem to have a key file, try running "symbiosis-ssl" to get one\n\n' "${domain}"; fi

## STOP here: check that you're happy with that domain name
## before proceeding!
# go to the right directory
cd /etc/dovecot/symbiosis.d/10-main
# create the configuration file (the heredoc is unquoted on purpose so $domain expands)
cat << EOF > 55-${dd}-sni
local_name $domain {
    ssl_cert = </srv/${domain}/config/ssl/current/ssl.crt
    ssl_key = </srv/${domain}/config/ssl/current/ssl.key
}
local_name mail.$domain {
    ssl_cert = </srv/${domain}/config/ssl/current/ssl.crt
    ssl_key = </srv/${domain}/config/ssl/current/ssl.key
}
EOF

# build a test configuration. This will create dovecot.conf.tmp
cd /etc/dovecot
make test

# test the configuration, to show the desired cert and key for the domain
doveconf -c dovecot.conf.tmp -f lname="${domain}" ssl_cert ssl_key

# test that the files actually exist
doveconf -c dovecot.conf.tmp -f lname="${domain}" ssl_cert ssl_key | cut -d '<' -f2 | xargs ls -l
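If you host many domains, repeating the commands above by hand is error-prone, and the note earlier about removing the configuration when a certificate goes away is easy to forget. The script below is an added example, not part of this guide or of Symbiosis: it writes one 55-<domain>-sni file for every domain under /srv that has a certificate and key, deletes the file for any domain whose certificate has gone, and offers a check that the certificate Dovecot serves for a name is the one on disk. The srv_root and conf_dir parameters are assumptions so the functions can be exercised on a scratch directory; on a real host they would be /srv and /etc/dovecot/symbiosis.d/10-main.

```shell
#!/bin/sh
# Added example (not from the Symbiosis guide): keep Dovecot SNI snippets in
# step with the certificates present under the /srv tree.
# Assumptions: srv_root and conf_dir are passed in; file names follow the
# guide's 55-<domain>-sni pattern with dots replaced by hyphens.

# Map a domain to its snippet file name (dots are not allowed in the name).
sni_filename() {
    printf '55-%s-sni\n' "$(printf '%s' "$1" | sed 's/\./-/g')"
}

# Emit local_name blocks for a domain and its mail. subdomain, both pointing
# at the domain's current certificate and key.
sni_block() {
    domain=$1; ssl_dir=$2
    for name in "$domain" "mail.$domain"; do
        printf 'local_name %s {\n  ssl_cert = <%s/ssl.crt\n  ssl_key = <%s/ssl.key\n}\n' \
            "$name" "$ssl_dir" "$ssl_dir"
    done
}

# Write a snippet for every domain with a readable cert and key, and remove
# the snippet of any domain whose certificate has gone (Dovecot will not
# start if a snippet points at a missing file).
sync_sni() {
    srv_root=$1; conf_dir=$2
    for d in "$srv_root"/*/; do
        domain=$(basename "$d")
        ssl_dir=$srv_root/$domain/config/ssl/current
        out=$conf_dir/$(sni_filename "$domain")
        if [ -r "$ssl_dir/ssl.crt" ] && [ -r "$ssl_dir/ssl.key" ]; then
            sni_block "$domain" "$ssl_dir" > "$out"
        elif [ -e "$out" ]; then
            rm -f "$out"
        fi
    done
}

# After "make" and a Dovecot reload: succeed only if the certificate served
# for $1 over IMAP STARTTLS has the same SHA-256 fingerprint as the file $2.
# Needs a running Dovecot, so it is not exercised by the offline checks.
check_sni() {
    served=$( (sleep 1; echo '. logout') \
        | openssl s_client -connect localhost:imap -starttls imap -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    ondisk=$(openssl x509 -noout -fingerprint -sha256 -in "$2")
    [ -n "$served" ] && [ "$served" = "$ondisk" ]
}
```

Run sync_sni /srv /etc/dovecot/symbiosis.d/10-main, then make test and the doveconf checks above before deploying; check_sni example.com /srv/example.com/config/ssl/current/ssl.crt confirms the live server afterwards.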

Deploying your configuration

To build and deploy the configuration, please run the following commands:

cd /etc/dovecot 
make
service dovecot reload

Testing it works

Finally, test that the server is providing the right certificate for your domain by running the following commands:

# check that dovecot really is serving the right certificate for the name sent in SNI
(sleep 1; echo '. logout') | openssl s_client -connect localhost:imap -starttls imap -servername "$domain" 2>&1 | grep subject
Updated on November 8, 2018
