Re: multi-site SSL certificates
Try adding in your nginx "vhost" as the first line:

Alias /.well-known/acme-challenge /path/to/acme/.well-known/acme-challenge
ProxyPassMatch ^/\.well-known !

I have this same error with ProxyPass inside an apache vhost which is
proxying to a node application backend. In the letsencrypt logs I have
the same as you.

2018-04-02 17:38 GMT+02:00 Alex JOST :

> On 02.04.2018 at 14:25, Jeff Abrahamson wrote:
>
>> I'm handling mail for several domains, let's call them a.com, b.com,
>> and c.com. I have certificates for each of these domains individually
>> via certbot (letsencrypt) and nginx is happy with all of that.
>>
>> Since I initially configured the site to handle mail only for a.com,
>> my /etc/postfix/main.cf file currently has these two lines:
>>
>> smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
>> smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem
>>
>> But I see that mail test tools are reporting that MX for b.com and
>> c.com are misconfigured due to an SSL name mismatch. Indeed, this is
>> true!
>>
>> So I believe I should generate a multi-site SSL cert. I try this:
>>
>> sudo certbot certonly --cert-name postfix --webroot \
>>     --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
>>     --webroot-path /var/www/b-com -d www.b.com -d b.com \
>>     --webroot-path /var/www/c-com -d www.c.com -d c.com
>>
>> And that fails with a bunch of errors like this:
>>
>> Domain: www.a.com
>> Type: unauthorized
>> Detail: Invalid response from
>> http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
>> "
>> 404 Not Found
>>
>> 404 Not Found
>> "
>>
>> I see that the file
>>
>> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>
>> is being created (and one other file, too) but that nginx reports that
>> the _directory_
>>
>> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>
>> doesn't exist.
>>
>> Multi-site + letsencrypt + postfix is a subject that has recently
>> changed quite a bit, so I'm suspecting my web reading is merely
>> leading me astray. It is also entirely possible I've misunderstood
>> things about SSL certificates. Any pointers how to generate (or point
>> to) the certificates that I need to make those who contact my postfix
>> instance happy with their SSL conversation?
>>
>> Thanks!
>>
>
> You can use 1 directory to create certificates for multiple virtual hosts.
> Copy the config below to all the virtual host config you want to use in
> your certificate (or use 'includes').
>
> user@server:~$ cat /etc/nginx/sites-enabled/a-com
> server {
>     [...]
>
>     location ~ /.well-known {
>         location ~ /.well-known/acme-challenge/(.*) {
>             root /usr/share/nginx/html;
>             add_header Content-Type application/jose+json;
>         }
>         allow all;
>         try_files $uri $uri/ =404;
>     }
> }
>
> After reloading nginx you can create a new certificate by providing only 1
> webroot directory.
>
> user@server:~$ sudo certbot certonly --cert-name postfix \
>     --webroot -w /usr/share/nginx/html \
>     -d www.a.com -d a.com -d mail.a.com \
>     -d www.b.com -d b.com \
>     -d www.c.com -d c.com
>
> --
> Alex JOST

--
*Pozdrawiam / Best Regards*
*Piotr Bracha*
dovecot lastlogin tracking
Hello,

I am trying to get Dovecot 2.3.1 to track lastlogins of users. I'm using
a MySQL database. When I log in I am getting this in the error log:

2018-04-02 18:24:21 imap(u...@domain.com)<61855><6R0rDeVodcl/AAAB>: Error: last_login_dict: Failed to write value for user u...@domain.com: dict-server returned failure: sql dict: commit failed: Field 'name' doesn't have a default value (reply took 0.026 secs (0.000 in dict wait, 0.020 in other ioloops, 0.001 in locks, async-id reply 0.000 secs ago, started on dict-server 0.019 secs ago, took 0.005 secs))

Here's an excerpt from my dovecot-dict-sql.conf.ext file:

map {
  pattern = shared/last-login/$username
  table = accounts
  username_field = username
  value_field = lastlogin
  fields {
    username = $username
  }
}

I've got all users in the accounts table and there is a lastlogin column:

describe accounts;
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| name      | varchar(255)     | NO   |     | NULL    |                |
| username  | varchar(64)      | NO   | MUL | NULL    |                |
| domain    | varchar(255)     | NO   | MUL | NULL    |                |
| password  | varchar(255)     | NO   |     | NULL    |                |
| quota     | int(10) unsigned | YES  |     | 0       |                |
| enabled   | tinyint(1)       | YES  |     | 0       |                |
| sendonly  | tinyint(1)       | YES  |     | 0       |                |
| lastlogin | int(11) unsigned | NO   |     | 0       |                |
+-----------+------------------+------+-----+---------+----------------+

Thanks.
Dave.
doveconf -n
# 2.3.1 (8e2f634): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.1 (d9bc6dfe)
# OS: FreeBSD 11.1-RELEASE-p4 amd64
# Hostname: localhost
auth_cache_size = 24 M
auth_cache_ttl = 18 hours
auth_default_realm = example.com
auth_mechanisms = plain login
auth_realms = example.com example2.com
dict {
  acl = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
  lastlogin = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_gid = 999
first_valid_uid = 999
hostname = mail.example.com
imap_idle_notify_interval = 10 mins
last_valid_gid = 999
last_valid_uid = 999
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
listen = 127.0.0.1 xxx.xxx.xxx.xxx
log_path = /var/log/dovecot/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_access_groups = vmail
mail_gid = vmail
mail_home = /home/vmail/mailboxes/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs
mail_plugins = acl mail_log notify quota trash virtual welcome zlib
mail_privileged_group = vmail
mail_server_admin = mailto:postmas...@example.com
mail_uid = vmail
mailbox_idle_check_interval = 59 secs
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext spamtest spamtestplus virustest editheader imapflags notify imapsieve vnd.dovecot.imapsieve
namespace {
  location = maildir:/home/vmail/public/:CONTROL=~/mail/public:INDEX=~/mail/public
  mailbox TestFolder {
    auto = subscribe
    comment = Public Folder for message sharing
  }
  prefix = Public/
  separator = /
  subscriptions = yes
  type = public
}
namespace {
  list = children
  location = maildir:/home/vmail/mail/%%d/%%n:LAYOUT=fs:INDEX=/home/vmail/indexes/%d/%n/shared/%%u:INDEXPVT=/home/vmail/indexes/%d/%n/shared/%%u
  prefix = shared/%%d/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archives {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Spam {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Junk
  }
  mailbox Trash {
    auto = subscribe
    autoexpunge = 30 days
    special_use = \Trash
  }
  mailbox virtual/All {
    comment = All my messages
    special_use = \All
  }
  prefix =
  separator = /
  type = private
}
namespace virtual {
  location = virtual:/usr/local/etc/dovecot/virtual:INDEX=~/virtual:CONTROL=~/virtual
  prefix = virtual/
  separator = /
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  fts = lucene
  fts_autoindex = yes
  fts_autoindex_max_recent_msgs = 80
  fts_index_timeout = 90
  fts_lucene = whitespace_chars=@. normalize no_snowball
  imapsieve_mailbox1_before = file:/home/vmail/sieve/global/learn-spam.sieve
  imapsieve_mailb
2.3.1 Replication is throwing scary errors
Hi

[This is Dovecot 2.3.1 at FreeBSD STABLE-11.1 running in two jails at
distinct servers.]

I did upgrade from 2.2.35 to 2.3.1 today, and I do become pounded by
error messages at server1 (and vice versa at server2) as follows:

| Apr 2 17:12:18 server1.lan dovecot: doveadm: Error: dsync(server2.lan): I/O has stalled, \
    no activity for 600 seconds (last sent=mail_change, last recv=mail_change (EOL))
| Apr 2 17:12:18 server1.lan dovecot: doveadm: Error: Timeout during state=sync_mails \
    (send=changes recv=mail_requests)
[…]
| Apr 2 18:59:03 server1.lan dovecot: doveadm: Error: dsync(server2.lan): I/O has stalled, \
    no activity for 600 seconds (last sent=mail, last recv=mail (EOL))
| Apr 2 18:59:03 server1.lan dovecot: doveadm: Error: Timeout during state=sync_mails \
    (send=mails recv=recv_last_common)

I cannot see in my personal account any missing replications, *but* I
haven't tested this thoroughly enough. I do have customers being
serviced at these productive servers, *thus* I'm back to 2.2.35 until I
do understand or have learned what is going on.

Any ideas/feedback?

FYI: I haven't seen such errors before. Replication has been working for
years now, without any glitches at all.

Regards,
Michael
Re: Doveadm backup issues on dovecot 2.3.1
> On 02 April 2018 at 19:19 Ricardo Machini Barbosa wrote:
>
>
> Hello,
>
> After update dovecot from 2.3.0.1 to 2.3.1 the doveadm backup stopped to
> work.
>
> Command line:
>
> doveadm -D backup -u em...@dominio.com.br -R tcp:mailsrv01:9011
>

Can you provide output of

doveadm -Dv backup -u em...@dominio.com.br -R tcp:mailsrv01:9011

Aki
Doveadm backup issues on dovecot 2.3.1
Hello,

After updating dovecot from 2.3.0.1 to 2.3.1 the doveadm backup stopped
working.

Command line:

doveadm -D backup -u em...@dominio.com.br -R tcp:mailsrv01:9011

I updated dovecot on mailsrv01 to 2.3.1.

Process on mailsrv01 (the message count stops and the process stays this
way until it is killed - this occurs on different mailboxes):

dovecot/doveadm-server [10.0.10.5 em...@dominio.com.br Cotacao Fornecedores export:6/86]

Strace on this process:

[pid 15644] epoll_wait(7, {}, 2, 4816) = 0
[pid 15644] epoll_wait(7, {}, 2, 5000) = 0
[pid 15644] close(22) = 0
[pid 15644] munmap(0x7f2927aeb000, 872) = 0
[pid 15644] close(25) = 0
[pid 15644] close(21) = 0
[pid 15644] munmap(0x7f2927aec000, 10744) = 0
[pid 15644] close(20) = 0
[pid 15644] munmap(0x7f2927ad4000, 37540) = 0
[pid 15644] close(23) = 0
[pid 15644] close(19) = 0
[pid 15644] close(11) = 0
[pid 15644] epoll_wait(7, {}, 2, 20174) = 0

Some information:

uname -a
Linux mailsrv01 2.6.32-696.23.1.el6.x86_64 #1 SMP Tue Mar 13 22:44:18 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

dovecot --version
2.3.1 (c5a5c0c82)

dovecot -n
# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
# Hostname: mailsrv01
auth_master_user_separator = *
auth_verbose_passwords = sha1
default_client_limit = 2000
deliver_log_format = subject=%s from:%f sender:%e to: %{to_envelope} size:%p msgid=%m status=%$ delivery_time=%{delivery_time} session_time=%{session_time}
disable_plaintext_auth = no
doveadm_allowed_commands = quota get,dsync-server,kick,purge,fts rescan,altmove,mailbox list,expunge,mailbox status
doveadm_password = # hidden, use -P to show it
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
login_greeting = IMAP4.
login_trusted_networks = x.x.x.x/24
mail_fsync = never
mail_gid = xxx
mail_location = mdbox:~/mdbox:ALT=/altstorage%h/mdbox
mail_plugins = quota quota_clone fts fts_solr zlib
mail_uid = xxx
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave duplicate vnd.dovecot.filter
namespace inbox {
  inbox = yes
  list = yes
  location =
  mailbox "Itens Enviados" {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Itens Excluídos" {
    auto = subscribe
    special_use = \Trash
  }
  mailbox Rascunhos {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  prefix =
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  fts = solr
  fts_solr = url=http://x.x.x.x:8983/solr/dovecot/
  imapsieve_mailbox1_before = file:/etc/dovecot/antispam/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/etc/dovecot/antispam/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  last_login_dict = redis:host=x.x.x.x:port=6379
  quota = count:User quota
  quota_clone_dict = redis:host=x.x.x.x:port=6379
  quota_rule = *:bytes=0
  quota_rule2 = Itens Excluídos:storage=+xM
  quota_vsizes = yes
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /etc/dovecot/sieve/audit.sieve
  sieve_before2 = /etc/dovecot/sieve/duplicate.sieve
  sieve_before3 = /etc/dovecot/sieve/spam.sieve
  sieve_dir = ~/sieve
  sieve_global_extensions = +vnd.dovecot.pipe
  sieve_pipe_bin_dir = /etc/dovecot/antispam
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_default_period = 7d
  sieve_vacation_max_period = 30d
  sieve_vacation_min_period = 1h
}
protocols = imap pop3 lmtp sieve
service anvil {
  client_limit = 2000
}
service auth {
  client_limit = 2000
}
service doveadm {
  inet_listener {
    port = 9011
  }
  inet_listener http {
    port = 9010
  }
  vsz_limit = 768 M
}
service imap-login {
  process_limit = 800
  process_min_avail = 200
  service_count = 1
  vsz_limit = 512 M
}
service imap-postlogin {
  executable = script-login dovecot-postlogin imap
  unix_listener imap-postlogin {
    user = mail
  }
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
  process_limit = 2
  vsz_limit = 768 M
}
service indexer-worker {
  vsz_limit = 512 M
}
service lmtp {
  inet_listener lmtp {
    address = *
    port = 24
  }
  vsz_limit = 512 M
}
service managesieve-login {
  inet_listener sieve {
Re: multi-site SSL certificates
On 02.04.2018 at 14:25, Jeff Abrahamson wrote:

> I'm handling mail for several domains, let's call them a.com, b.com,
> and c.com. I have certificates for each of these domains individually
> via certbot (letsencrypt) and nginx is happy with all of that.
>
> Since I initially configured the site to handle mail only for a.com,
> my /etc/postfix/main.cf file currently has these two lines:
>
> smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem
>
> But I see that mail test tools are reporting that MX for b.com and
> c.com are misconfigured due to an SSL name mismatch. Indeed, this is
> true!
>
> So I believe I should generate a multi-site SSL cert. I try this:
>
> sudo certbot certonly --cert-name postfix --webroot \
>     --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
>     --webroot-path /var/www/b-com -d www.b.com -d b.com \
>     --webroot-path /var/www/c-com -d www.c.com -d c.com
>
> And that fails with a bunch of errors like this:
>
> Domain: www.a.com
> Type: unauthorized
> Detail: Invalid response from
> http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
> "
> 404 Not Found
>
> 404 Not Found
> "
>
> I see that the file
>
> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>
> is being created (and one other file, too) but that nginx reports that
> the _directory_
>
> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>
> doesn't exist.
>
> Multi-site + letsencrypt + postfix is a subject that has recently
> changed quite a bit, so I'm suspecting my web reading is merely
> leading me astray. It is also entirely possible I've misunderstood
> things about SSL certificates. Any pointers how to generate (or point
> to) the certificates that I need to make those who contact my postfix
> instance happy with their SSL conversation?
>
> Thanks!

You can use 1 directory to create certificates for multiple virtual hosts.
Copy the config below to all the virtual host config you want to use in
your certificate (or use 'includes').

user@server:~$ cat /etc/nginx/sites-enabled/a-com
server {
    [...]

    location ~ /.well-known {
        location ~ /.well-known/acme-challenge/(.*) {
            root /usr/share/nginx/html;
            add_header Content-Type application/jose+json;
        }
        allow all;
        try_files $uri $uri/ =404;
    }
}

After reloading nginx you can create a new certificate by providing only 1
webroot directory.

user@server:~$ sudo certbot certonly --cert-name postfix \
    --webroot -w /usr/share/nginx/html \
    -d www.a.com -d a.com -d mail.a.com \
    -d www.b.com -d b.com \
    -d www.c.com -d c.com

--
Alex JOST
Re: multi-site SSL certificates
On Mon, Apr 02, 2018 at 04:20:05PM +0300, Reio Remma wrote:
> On 02.04.18 16:17, Jeff Abrahamson wrote:
> > On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
> > > You have a problem with your nginx config. It doesn't seem
> > > related to postfix et al.
> > >
> > > Really off-topic for this list but you could perhaps post your
> > > nginx config and logs.
> > If this is more properly a certbot question, I should ask there. I'd
> > understood from the certbot docs that postfix had developed a
> > postfix-specific certbot plugin, in which case this might have been
> > the right venue to ask. That I hadn't found that plugin was, to be
> > fair, a bit suspicious to me, but it wouldn't be the first time I miss
> > something in front of my nose.
>
> Hello! Maybe try the Postfix list?

Doh, dovecot and postfix aren't actually the same project. This is
not my day. You may ignore me, please.
Re: multi-site SSL certificates
On 04/02/2018 03:17 PM, Jeff Abrahamson wrote:
> On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
>> On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
>>> I see that the file
>>>
>>> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>>
>>> is being created (and one other file, too) but that nginx reports that
>>> the _directory_
>>>
>>> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>>
>>> doesn't exist.
>> You have a problem with your nginx config. It doesn't seem related to
>> postfix et al.
>>
>> Really off-topic for this list but you could perhaps post your nginx config
>> and logs.
> If this is more properly a certbot question, I should ask there. I'd
> understood from the certbot docs that postfix had developed a
> postfix-specific certbot plugin, in which case this might have been
> the right venue to ask. That I hadn't found that plugin was, to be
> fair, a bit suspicious to me, but it wouldn't be the first time I miss
> something in front of my nose.

You're using the webroot plugin for the challenge. This is as simple as
dropping a file and letting nginx serve it as static content (maybe with
try_files).

The various certbot plugins for postfix and other apps are for
automating the certificate installation and tweaking TLS configuration
to match certain recommendations. That's not related to your issue here.
You're looking at a challenge failure. You're saying that the file is
there but nginx is failing to serve it, that should be easy to fix and
once it's fixed the challenge will pass and your certificate will be
issued. You can then install it, manually or otherwise.
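
The "drop a file and let the web server serve it" check from the message above, as an added example (not code from the thread or from certbot). The names probe_webroot and serve_directory are hypothetical, and the loopback server only stands in for one nginx vhost so the demo runs offline.

```python
import functools
import http.client
import http.server
import os
import secrets
import tempfile
import threading
from urllib.parse import urlsplit

CHALLENGE_DIR = ".well-known/acme-challenge"  # path the http-01 check requests


def probe_webroot(webroot, base_url, timeout=5.0):
    """Drop a random file where certbot --webroot would, then fetch it.

    Returns (ok, status, diagnosis). The probe file is removed afterwards.
    """
    name = "probe-" + secrets.token_hex(16)
    body = secrets.token_hex(32).encode()
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(body)
    try:
        url = urlsplit(base_url)
        conn = http.client.HTTPConnection(url.hostname, url.port or 80,
                                          timeout=timeout)
        try:
            conn.request("GET", "/%s/%s" % (CHALLENGE_DIR, name))
            resp = conn.getresponse()
            status, got = resp.status, resp.read()
            location = resp.getheader("Location")
        finally:
            conn.close()
    finally:
        os.remove(path)
    if status == 200 and got == body:
        return True, status, "served from this webroot"
    if status == 200:
        return False, status, "200 but wrong body: another handler answers this path"
    if status in (301, 302, 307, 308):
        return False, status, "redirected to %s; probe that URL too" % location
    if status == 404:
        return False, status, "file is on disk but the vhost root is not this webroot"
    return False, status, "unexpected status"


def serve_directory(directory):
    """Loopback static server standing in for one nginx vhost (demo only)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=directory)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


if __name__ == "__main__":
    # Constructed demo: the vhost serves root_a, the second probe uses root_b.
    with tempfile.TemporaryDirectory() as root_a, \
            tempfile.TemporaryDirectory() as root_b:
        server, url = serve_directory(root_a)
        print(probe_webroot(root_a, url))  # webroot matches the served root
        print(probe_webroot(root_b, url))  # webroot differs: the 404 case
        server.shutdown()
```

On the real host, call probe_webroot("/usr/share/nginx/html", "http://www.a.com") once per -d name, from an account that can write to the webroot, before running certbot.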
Re: multi-site SSL certificates
On 02.04.18 16:17, Jeff Abrahamson wrote:
> On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
>> On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
>>> I see that the file
>>>
>>> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>>
>>> is being created (and one other file, too) but that nginx reports that
>>> the _directory_
>>>
>>> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>>
>>> doesn't exist.
>> You have a problem with your nginx config. It doesn't seem related to
>> postfix et al.
>>
>> Really off-topic for this list but you could perhaps post your nginx
>> config and logs.
> If this is more properly a certbot question, I should ask there. I'd
> understood from the certbot docs that postfix had developed a
> postfix-specific certbot plugin, in which case this might have been
> the right venue to ask. That I hadn't found that plugin was, to be
> fair, a bit suspicious to me, but it wouldn't be the first time I miss
> something in front of my nose.

Hello! Maybe try the Postfix list?

Good luck!
Reio
Re: multi-site SSL certificates
On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
> On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
> > I see that the file
> >
> > .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
> >
> > is being created (and one other file, too) but that nginx reports that
> > the _directory_
> >
> > .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
> >
> > doesn't exist.
>
> You have a problem with your nginx config. It doesn't seem related to postfix
> et al.
>
> Really off-topic for this list but you could perhaps post your nginx config
> and logs.

If this is more properly a certbot question, I should ask there. I'd
understood from the certbot docs that postfix had developed a
postfix-specific certbot plugin, in which case this might have been
the right venue to ask. That I hadn't found that plugin was, to be
fair, a bit suspicious to me, but it wouldn't be the first time I miss
something in front of my nose.
Re: multi-site SSL certificates
On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
> I see that the file
>
> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>
> is being created (and one other file, too) but that nginx reports that
> the _directory_
>
> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>
> doesn't exist.

You have a problem with your nginx config. It doesn't seem related to
postfix et al.

Really off-topic for this list but you could perhaps post your nginx
config and logs.
multi-site SSL certificates
I'm handling mail for several domains, let's call them a.com, b.com,
and c.com. I have certificates for each of these domains individually
via certbot (letsencrypt) and nginx is happy with all of that.

Since I initially configured the site to handle mail only for a.com,
my /etc/postfix/main.cf file currently has these two lines:

    smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
    smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem

But I see that mail test tools are reporting that MX for b.com and
c.com are misconfigured due to an SSL name mismatch. Indeed, this is
true!

So I believe I should generate a multi-site SSL cert. I try this:

    sudo certbot certonly --cert-name postfix --webroot \
        --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
        --webroot-path /var/www/b-com -d www.b.com -d b.com \
        --webroot-path /var/www/c-com -d www.c.com -d c.com

And that fails with a bunch of errors like this:

    Domain: www.a.com
    Type: unauthorized
    Detail: Invalid response from
    http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
    "
    404 Not Found

    404 Not Found
    "

I see that the file

    .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

is being created (and one other file, too) but that nginx reports that
the _directory_

    .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

doesn't exist.

Multi-site + letsencrypt + postfix is a subject that has recently
changed quite a bit, so I'm suspecting my web reading is merely
leading me astray. It is also entirely possible I've misunderstood
things about SSL certificates. Any pointers how to generate (or point
to) the certificates that I need to make those who contact my postfix
instance happy with their SSL conversation?

Thanks!