Re: multi-site SSL certificates

2018-04-02 Thread Poliman - Serwis
Try adding this to your nginx "vhost" as the first line:
Alias /.well-known/acme-challenge /path/to/acme/.well-known/acme-challenge
ProxyPassMatch ^/\.well-known !

I have this same error with ProxyPass inside an apache vhost which proxies to
a node application backend. In the letsencrypt logs I have the same thing as you.

2018-04-02 17:38 GMT+02:00 Alex JOST :

> On 02.04.2018 at 14:25 Jeff Abrahamson wrote:
>
>> I'm handling mail for several domains, let's call them a.com, b.com,
>> and c.com.  I have certificates for each of these domains individually
>> via certbot (letsencrypt) and nginx is happy with all of that.
>>
>> Since I initially configured the site to handle mail only for a.com,
>> my /etc/postfix/main.cf file currently has these two lines:
>>
>>  smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
>>  smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem
>>
>> But I see that mail test tools are reporting that MX for b.com and
>> c.com are misconfigured due to an SSL name mismatch.  Indeed, this is
>> true!
>>
>> So I believe I should generate a multi-site SSL cert.  I try this:
>>
>>  sudo certbot  certonly  --cert-name postfix  --webroot \
>>    --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
>>    --webroot-path /var/www/b-com -d www.b.com -d b.com \
>>    --webroot-path /var/www/c-com -d www.c.com -d c.com
>>
>> And that fails with a bunch of errors like this:
>>
>>  Domain: www.a.com
>>  Type:   unauthorized
>>  Detail: Invalid response from
>>  http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
>>  "
>>  404 Not Found
>>  
>>  404 Not Found
>>  "
>>
>> I see that the file
>>
>>  .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>
>> is being created (and one other file, too) but that nginx reports that
>> the _directory_
>>
>>  .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>
>> doesn't exist.
>>
>> Multi-site + letsencrypt + postfix is a subject that has recently
>> changed quite a bit, so I'm suspecting my web reading is merely
>> leading me astray.  It is also entirely possible I've misunderstood
>> things about SSL certificates.  Any pointers how to generate (or point
>> to) the certificates that I need to make those who contact my postfix
>> instance happy with their SSL conversation?
>>
>> Thanks!
>>
>>
> You can use 1 directory to create certificates for multiple virtual hosts.
> Copy the config below to all the virtual host config you want to use in
> your certificate (or use 'includes').
>
> user@server:~$ cat /etc/nginx/sites-enabled/a-com
>   server {
> [...]
>
>     # Serve the ACME challenge files of every vhost from one shared root,
>     # so certbot only needs a single --webroot-path.
>     location ~ /.well-known {
>       location ~ /.well-known/acme-challenge/(.*) {
>         root /usr/share/nginx/html;
>         add_header  Content-Type application/jose+json;
>       }
>       allow all;
>       try_files $uri $uri/ =404;
>     }
>   }
>
>
> After reloading nginx you can create a new certificate by providing only 1
> webroot directory.
>
> user@server:~$ sudo certbot  certonly  --cert-name postfix \
>   --webroot -w /usr/share/nginx/html \
>   -d www.a.com -d a.com -d mail.a.com \
>   -d www.b.com -d b.com \
>   -d www.c.com -d c.com
>
> --
> Alex JOST
>



-- 

*Best Regards*
*Piotr Bracha*


dovecot lastlogin tracking

2018-04-02 Thread David Mehler
Hello,

I am trying to get Dovecot 2.3.1 to track lastlogins of users. I'm
using a MySQL database. When I log in I am getting this in the error
log:

2018-04-02 18:24:21 imap(u...@domain.com)<61855><6R0rDeVodcl/AAAB>:
Error: last_login_dict: Failed to write value for user
u...@domain.com: dict-server returned failure: sql dict: commit
failed: Field 'name' doesn't have a default value (reply took 0.026
secs (0.000 in dict wait, 0.020 in other ioloops, 0.001 in locks,
async-id reply 0.000 secs ago, started on dict-server 0.019 secs ago,
took 0.005 secs))

Here's an excerpt from my dovecot-dict-sql.conf.ext file:
map {
  pattern = shared/last-login/$username
  table = accounts
  username_field = username
  value_field = lastlogin
  fields {
username = $username
  }
}



I've got all users in the accounts table and there is a lastlogin column:


describe accounts;
+-----------+------------------+------+-----+---------+----------------+
| Field     | Type             | Null | Key | Default | Extra          |
+-----------+------------------+------+-----+---------+----------------+
| id        | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| name      | varchar(255)     | NO   |     | NULL    |                |
| username  | varchar(64)      | NO   | MUL | NULL    |                |
| domain    | varchar(255)     | NO   | MUL | NULL    |                |
| password  | varchar(255)     | NO   |     | NULL    |                |
| quota     | int(10) unsigned | YES  |     | 0       |                |
| enabled   | tinyint(1)       | YES  |     | 0       |                |
| sendonly  | tinyint(1)       | YES  |     | 0       |                |
| lastlogin | int(11) unsigned | NO   |     | 0       |                |
+-----------+------------------+------+-----+---------+----------------+

Thanks.
Dave.

doveconf -n
# 2.3.1 (8e2f634): /usr/local/etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.1 (d9bc6dfe)
# OS: FreeBSD 11.1-RELEASE-p4 amd64
# Hostname: localhost
auth_cache_size = 24 M
auth_cache_ttl = 18 hours
auth_default_realm = example.com
auth_mechanisms = plain login
auth_realms = example.com example2.com
dict {
  acl = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
  lastlogin = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
  quota = mysql:/usr/local/etc/dovecot/dovecot-dict-sql.conf.ext
}
first_valid_gid = 999
first_valid_uid = 999
hostname = mail.example.com
imap_idle_notify_interval = 10 mins
last_valid_gid = 999
last_valid_uid = 999
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
listen = 127.0.0.1 xxx.xxx.xxx.xxx
log_path = /var/log/dovecot/dovecot.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_access_groups = vmail
mail_gid = vmail
mail_home = /home/vmail/mailboxes/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs
mail_plugins = acl mail_log notify quota trash virtual welcome zlib
mail_privileged_group = vmail
mail_server_admin = mailto:postmas...@example.com
mail_uid = vmail
mailbox_idle_check_interval = 59 secs
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope
encoded-character vacation subaddress comparator-i;ascii-numeric
relational regex imap4flags copy include variables body enotify
environment mailbox date index ihave duplicate mime foreverypart
extracttext spamtest spamtestplus virustest editheader imapflags
notify imapsieve vnd.dovecot.imapsieve
namespace {
  location = maildir:/home/vmail/public/:CONTROL=~/mail/public:INDEX=~/mail/public
  mailbox TestFolder {
auto = subscribe
comment = Public Folder for message sharing
  }
  prefix = Public/
  separator = /
  subscriptions = yes
  type = public
}
namespace {
  list = children
  location = maildir:/home/vmail/mail/%%d/%%n:LAYOUT=fs:INDEX=/home/vmail/indexes/%d/%n/shared/%%u:INDEXPVT=/home/vmail/indexes/%d/%n/shared/%%u
  prefix = shared/%%d/%%n/
  separator = /
  subscriptions = no
  type = shared
}
namespace inbox {
  inbox = yes
  location =
  mailbox Archives {
auto = subscribe
special_use = \Archive
  }
  mailbox Drafts {
auto = subscribe
special_use = \Drafts
  }
  mailbox Sent {
auto = subscribe
special_use = \Sent
  }
  mailbox Spam {
auto = subscribe
autoexpunge = 30 days
special_use = \Junk
  }
  mailbox Trash {
auto = subscribe
autoexpunge = 30 days
special_use = \Trash
  }
  mailbox virtual/All {
comment = All my messages
special_use = \All
  }
  prefix =
  separator = /
  type = private
}
namespace virtual {
  location = virtual:/usr/local/etc/dovecot/virtual:INDEX=~/virtual:CONTROL=~/virtual
  prefix = virtual/
  separator = /
}
passdb {
  args = /usr/local/etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  acl = vfile
  acl_shared_dict = proxy::acl
  fts = lucene
  fts_autoindex = yes
  fts_autoindex_max_recent_msgs = 80
  fts_index_timeout = 90
  fts_lucene = whitespace_chars=@. normalize no_snowball
  imapsieve_mailbox1_before = file:/home/vmail/sieve/global/learn-spam.sieve
  

2.3.1 Replication is throwing scary errors

2018-04-02 Thread Michael Grimm
Hi

[This is Dovecot 2.3.1 at FreeBSD STABLE-11.1 running in two jails at distinct 
servers.]

I upgraded from 2.2.35 to 2.3.1 today, and I am being pounded by error 
messages at server1 (and vice versa at server2) as follows:

| Apr  2 17:12:18  server1.lan dovecot: doveadm: Error: 
dsync(server2.lan): I/O has stalled, \
no activity for 600 seconds (last sent=mail_change, last 
recv=mail_change (EOL))
| Apr  2 17:12:18  server1.lan dovecot: doveadm: Error: 
Timeout during state=sync_mails \
(send=changes recv=mail_requests)
[…]
| Apr  2 18:59:03  server1.lan dovecot: doveadm: Error: 
dsync(server2.lan): I/O has stalled, \
no activity for 600 seconds (last sent=mail, last recv=mail 
(EOL))
| Apr  2 18:59:03  server1.lan dovecot: doveadm: Error: 
Timeout during state=sync_mails \
(send=mails recv=recv_last_common)

I cannot see in my personal account any missing replications, *but* I haven't 
tested this thoroughly enough. I do have customers being serviced at these 
productive servers, *thus* I'm back to 2.2.35 until I do understand or have 
learned what is going on. 

Any ideas/feedback? 

FYI: I haven't seen such errors before. Replication has been working for years 
now, without any glitches at all.

Regards,
Michael



Re: Doveadm backup issues on dovecot 2.3.1

2018-04-02 Thread Aki Tuomi

> On 02 April 2018 at 19:19 Ricardo Machini Barbosa wrote:
> 
> Hello,
> 
> After updating dovecot from 2.3.0.1 to 2.3.1 the doveadm backup stopped
> working.
> 
> Command line:
> 
> doveadm -D backup -u em...@dominio.com.br -R tcp:mailsrv01:9011
> 

Can you provide output of 

doveadm -Dv backup -u em...@dominio.com.br -R tcp:mailsrv01:9011

Aki


Doveadm backup issues on dovecot 2.3.1

2018-04-02 Thread Ricardo Machini Barbosa
Hello,

After updating dovecot from 2.3.0.1 to 2.3.1 the doveadm backup stopped
working.

Command line:

doveadm -D backup -u em...@dominio.com.br -R tcp:mailsrv01:9011

I updated dovecot on mailsrv01 to 2.3.1.

Process on mailsrv01 (the message count stops and the process stays this way
until it is killed - this occurs on different mailboxes):

dovecot/doveadm-server [10.0.10.5 em...@dominio.com.br Cotacao Fornecedores
export:6/86]

Strace on this process:

[pid 15644] epoll_wait(7, {}, 2, 4816)  = 0
[pid 15644] epoll_wait(7, {}, 2, 5000)  = 0
[pid 15644] close(22)   = 0
[pid 15644] munmap(0x7f2927aeb000, 872) = 0
[pid 15644] close(25)   = 0
[pid 15644] close(21)   = 0
[pid 15644] munmap(0x7f2927aec000, 10744) = 0
[pid 15644] close(20)   = 0
[pid 15644] munmap(0x7f2927ad4000, 37540) = 0
[pid 15644] close(23)   = 0
[pid 15644] close(19)   = 0
[pid 15644] close(11)   = 0
[pid 15644] epoll_wait(7, {}, 2, 20174) = 0

Some information:

uname -a

Linux mailsrv01 2.6.32-696.23.1.el6.x86_64 #1 SMP Tue Mar 13 22:44:18 UTC
2018 x86_64 x86_64 x86_64 GNU/Linux

dovecot --version

2.3.1 (c5a5c0c82)


dovecot -n

# 2.3.1 (c5a5c0c82): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.devel (61b47828)
# OS: Linux 2.6.32-696.23.1.el6.x86_64 x86_64 CentOS release 6.9 (Final)
# Hostname: mailsrv01
auth_master_user_separator = *
auth_verbose_passwords = sha1
default_client_limit = 2000
deliver_log_format = subject=%s from:%f sender:%e to: %{to_envelope} size:%p msgid=%m status=%$ delivery_time=%{delivery_time} session_time=%{session_time}
disable_plaintext_auth = no
doveadm_allowed_commands = quota get,dsync-server,kick,purge,fts rescan,altmove,mailbox list,expunge,mailbox status
doveadm_password =  # hidden, use -P to show it
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lmtp_rcpt_check_quota = yes
login_greeting = IMAP4.
login_trusted_networks = x.x.x.x/24
mail_fsync = never
mail_gid = xxx
mail_location = mdbox:~/mdbox:ALT=/altstorage%h/mdbox
mail_plugins = quota quota_clone fts fts_solr zlib
mail_uid = xxx
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave duplicate vnd.dovecot.filter
namespace inbox {
  inbox = yes
  list = yes
  location =
  mailbox "Itens Enviados" {
    auto = subscribe
    special_use = \Sent
  }
  mailbox "Itens Excluídos" {
    auto = subscribe
    special_use = \Trash
  }
  mailbox Rascunhos {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Spam {
    auto = subscribe
    special_use = \Junk
  }
  prefix =
  separator = .
}
passdb {
  args = /etc/dovecot/dovecot-ldap.conf.ext
  driver = ldap
}
plugin {
  fts = solr
  fts_solr = url=http://x.x.x.x:8983/solr/dovecot/
  imapsieve_mailbox1_before = file:/etc/dovecot/antispam/report-spam.sieve
  imapsieve_mailbox1_causes = COPY
  imapsieve_mailbox1_name = Spam
  imapsieve_mailbox2_before = file:/etc/dovecot/antispam/report-ham.sieve
  imapsieve_mailbox2_causes = COPY
  imapsieve_mailbox2_from = Spam
  imapsieve_mailbox2_name = *
  last_login_dict = redis:host=x.x.x.x:port=6379
  quota = count:User quota
  quota_clone_dict = redis:host=x.x.x.x:port=6379
  quota_rule = *:bytes=0
  quota_rule2 = Itens Excluídos:storage=+xM
  quota_vsizes = yes
  quota_warning = storage=95%% quota-warning 95 %u
  quota_warning2 = storage=80%% quota-warning 80 %u
  sieve = ~/.dovecot.sieve
  sieve_before = /etc/dovecot/sieve/audit.sieve
  sieve_before2 = /etc/dovecot/sieve/duplicate.sieve
  sieve_before3 = /etc/dovecot/sieve/spam.sieve
  sieve_dir = ~/sieve
  sieve_global_extensions = +vnd.dovecot.pipe
  sieve_pipe_bin_dir = /etc/dovecot/antispam
  sieve_plugins = sieve_imapsieve sieve_extprograms
  sieve_vacation_default_period = 7d
  sieve_vacation_max_period = 30d
  sieve_vacation_min_period = 1h
}
protocols = imap pop3 lmtp sieve
service anvil {
  client_limit = 2000
}
service auth {
  client_limit = 2000
}
service doveadm {
  inet_listener {
    port = 9011
  }
  inet_listener http {
    port = 9010
  }
  vsz_limit = 768 M
}
service imap-login {
  process_limit = 800
  process_min_avail = 200
  service_count = 1
  vsz_limit = 512 M
}
service imap-postlogin {
  executable = script-login dovecot-postlogin imap
  unix_listener imap-postlogin {
    user = mail
  }
  user = $default_internal_user
}
service imap {
  executable = imap imap-postlogin
  process_limit = 2
  vsz_limit = 768 M
}
service indexer-worker {
  vsz_limit = 512 M
}
service lmtp {
  inet_listener lmtp {
    address = *
    port = 24
  }
  vsz_limit = 512 M
}
service managesieve-login {
  inet_listener sieve {


Re: multi-site SSL certificates

2018-04-02 Thread Alex JOST

On 02.04.2018 at 14:25 Jeff Abrahamson wrote:

I'm handling mail for several domains, let's call them a.com, b.com,
and c.com.  I have certificates for each of these domains individually
via certbot (letsencrypt) and nginx is happy with all of that.

Since I initially configured the site to handle mail only for a.com,
my /etc/postfix/main.cf file currently has these two lines:

 smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
 smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem

But I see that mail test tools are reporting that MX for b.com and
c.com are misconfigured due to an SSL name mismatch.  Indeed, this is
true!

So I believe I should generate a multi-site SSL cert.  I try this:

 sudo certbot  certonly  --cert-name postfix  --webroot \
   --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
   --webroot-path /var/www/b-com -d www.b.com -d b.com \
   --webroot-path /var/www/c-com -d www.c.com -d c.com

And that fails with a bunch of errors like this:

 Domain: www.a.com
 Type:   unauthorized
 Detail: Invalid response from
 http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
 "
 404 Not Found
 
 404 Not Found
 "

I see that the file

 .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

is being created (and one other file, too) but that nginx reports that
the _directory_

 .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

doesn't exist.

Multi-site + letsencrypt + postfix is a subject that has recently
changed quite a bit, so I'm suspecting my web reading is merely
leading me astray.  It is also entirely possible I've misunderstood
things about SSL certificates.  Any pointers how to generate (or point
to) the certificates that I need to make those who contact my postfix
instance happy with their SSL conversation?

Thanks!



You can use 1 directory to create certificates for multiple virtual 
hosts. Copy the config below to all the virtual host config you want to 
use in your certificate (or use 'includes').


user@server:~$ cat /etc/nginx/sites-enabled/a-com
  server {
[...]

    # Serve the ACME challenge files of every vhost from one shared root,
    # so certbot only needs a single --webroot-path.
    location ~ /.well-known {
      location ~ /.well-known/acme-challenge/(.*) {
        root /usr/share/nginx/html;
        add_header  Content-Type application/jose+json;
      }
      allow all;
      try_files $uri $uri/ =404;
    }
  }


After reloading nginx you can create a new certificate by providing only 
1 webroot directory.


user@server:~$ sudo certbot  certonly  --cert-name postfix \
  --webroot -w /usr/share/nginx/html \
  -d www.a.com -d a.com -d mail.a.com \
  -d www.b.com -d b.com \
  -d www.c.com -d c.com

--
Alex JOST
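
An added pre-flight check for the shared-webroot setup Alex describes (example code, not from the thread, certbot or nginx): it writes a probe token under the one root nginx serves for the challenge path and fetches it through every hostname, which is what the ACME validator does, so a vhost that still serves its own document root shows up as the 404 certbot reported. The hostnames, document roots and the `make_local_fetcher` stand-in for nginx are constructed assumptions.

```python
"""Pre-flight check for the shared-webroot ACME setup described above: write a
random token file into the one webroot nginx serves for the challenge path,
fetch it over HTTP for every hostname the way the ACME validator would, and
report which vhosts answer with something other than the file (the 404 case
certbot reported).  Run before certbot to avoid failed-validation rate limits."""
import os
import secrets
import sys
import tempfile
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

CHALLENGE_DIR = ".well-known/acme-challenge"
Fetcher = Callable[[str], Optional[str]]


def http_get(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch url; return the body as text, or None on any HTTP or network error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def check_challenge_path(webroot: str, hostnames: List[str],
                         fetch: Fetcher = http_get) -> Dict[str, bool]:
    """Return {hostname: served_correctly} for a token file written under webroot."""
    token = secrets.token_urlsafe(32)          # same shape as an ACME token
    body = f"preflight-{token}"
    chal_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)
    try:
        return {host: fetch(f"http://{host}/{CHALLENGE_DIR}/{token}") == body
                for host in hostnames}
    finally:
        os.remove(path)                        # never leave the probe file behind


def make_local_fetcher(vhost_roots: Dict[str, str]) -> Fetcher:
    """Offline stand-in for nginx (assumption): each vhost maps to a document
    root and `try_files $uri =404` is emulated by returning the body or None."""
    def fetch(url: str) -> Optional[str]:
        parsed = urlparse(url)
        root = vhost_roots.get(parsed.hostname or "")
        if root is None:
            return None                        # unknown vhost
        candidate = os.path.join(root, parsed.path.lstrip("/"))
        if not os.path.isfile(candidate):
            return None                        # nginx would answer 404
        with open(candidate, encoding="utf-8") as fh:
            return fh.read()
    return fetch


def demo() -> Dict[str, bool]:
    """Constructed scenario: www.a.com and mail.a.com serve the shared root,
    www.b.com still points at its own root and therefore fails the check."""
    shared = tempfile.mkdtemp(prefix="acme-shared-")
    b_only = tempfile.mkdtemp(prefix="acme-b-com-")
    fetch = make_local_fetcher({"www.a.com": shared, "mail.a.com": shared,
                                "www.b.com": b_only})
    return check_challenge_path(shared, ["www.a.com", "mail.a.com", "www.b.com"],
                                fetch=fetch)


if __name__ == "__main__":
    # Usage: python3 acme_preflight.py /usr/share/nginx/html www.a.com mail.a.com ...
    if len(sys.argv) < 3:
        print(demo())
    else:
        for host, ok in check_challenge_path(sys.argv[1], sys.argv[2:]).items():
            print(f"{host}: {'ok' if ok else 'NOT served, fix this vhost'}")
```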


Re: multi-site SSL certificates

2018-04-02 Thread Jeff Abrahamson
On Mon, Apr 02, 2018 at 04:20:05PM +0300, Reio Remma wrote:
> On 02.04.18 16:17, Jeff Abrahamson wrote:
> > On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
> > > You have a problem with your nginx config. It doesn't seem
> > > related to postfix et al.
> > > 
> > > Really off-topic for this list but you could perhaps post your
> > > nginx config and logs.
> > If this is more properly a certbot question, I should ask there.  I'd
> > understood from the certbot docs that postfix had developed a
> > postfix-specific certbot plugin, in which case this might have been
> > the right venue to ask.  That I hadn't found that plugin was, to be
> > fair, a bit suspicious to me, but it wouldn't be the first time I miss
> > something in front of my nose.
> 
> Hello! Maybe try the Postfix list?

Doh, dovecot and postfix aren't actually the same project.  This is
not my day.  You may ignore me, please.


Re: multi-site SSL certificates

2018-04-02 Thread Gedalya
On 04/02/2018 03:17 PM, Jeff Abrahamson wrote:
> On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
>> On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
>>> I see that the file
>>>
>>> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>>
>>> is being created (and one other file, too) but that nginx reports that
>>> the _directory_
>>>
>>> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>>>
>>> doesn't exist.
>> You have a problem with your nginx config. It doesn't seem related to 
>> postfix et al.
>>
>> Really off-topic for this list but you could perhaps post your nginx config 
>> and logs.
> If this is more properly a certbot question, I should ask there.  I'd
> understood from the certbot docs that postfix had developed a
> postfix-specific certbot plugin, in which case this might have been
> the right venue to ask.  That I hadn't found that plugin was, to be
> fair, a bit suspicious to me, but it wouldn't be the first time I miss
> something in front of my nose.


You're using the webroot plugin for the challenge. This is as simple as 
dropping a file and letting nginx serve it as static content (maybe with 
try_files). The various certbot plugins for postfix and other apps are for 
automating the certificate installation and tweaking TLS configuration to match 
certain recommendations. That's not related to your issue here. You're looking 
at a challenge failure. You're saying that the file is there but nginx is 
failing to serve it; that should be easy to fix, and once it is fixed the challenge 
will pass and your certificate will be issued. You can then install it, 
manually or otherwise.



Re: multi-site SSL certificates

2018-04-02 Thread Reio Remma

On 02.04.18 16:17, Jeff Abrahamson wrote:

On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:

On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:

I see that the file

 .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

is being created (and one other file, too) but that nginx reports that
the _directory_

 .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

doesn't exist.

You have a problem with your nginx config. It doesn't seem related to postfix 
et al.

Really off-topic for this list but you could perhaps post your nginx config and 
logs.

If this is more properly a certbot question, I should ask there.  I'd
understood from the certbot docs that postfix had developed a
postfix-specific certbot plugin, in which case this might have been
the right venue to ask.  That I hadn't found that plugin was, to be
fair, a bit suspicious to me, but it wouldn't be the first time I miss
something in front of my nose.


Hello! Maybe try the Postfix list?

Good luck!
Reio



Re: multi-site SSL certificates

2018-04-02 Thread Jeff Abrahamson
On Mon, Apr 02, 2018 at 02:34:34PM +0200, Gedalya wrote:
> On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
> > I see that the file
> >
> > .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
> >
> > is being created (and one other file, too) but that nginx reports that
> > the _directory_
> >
> > .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
> >
> > doesn't exist.
> 
> You have a problem with your nginx config. It doesn't seem related to postfix 
> et al.
> 
> Really off-topic for this list but you could perhaps post your nginx config 
> and logs.

If this is more properly a certbot question, I should ask there.  I'd
understood from the certbot docs that postfix had developed a
postfix-specific certbot plugin, in which case this might have been
the right venue to ask.  That I hadn't found that plugin was, to be
fair, a bit suspicious to me, but it wouldn't be the first time I miss
something in front of my nose.


Re: multi-site SSL certificates

2018-04-02 Thread Gedalya
On 04/02/2018 02:25 PM, Jeff Abrahamson wrote:
> I see that the file
>
> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>
> is being created (and one other file, too) but that nginx reports that
> the _directory_
>
> .well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg
>
> doesn't exist.

You have a problem with your nginx config. It doesn't seem related to postfix 
et al.

Really off-topic for this list but you could perhaps post your nginx config and 
logs.




multi-site SSL certificates

2018-04-02 Thread Jeff Abrahamson
I'm handling mail for several domains, let's call them a.com, b.com,
and c.com.  I have certificates for each of these domains individually
via certbot (letsencrypt) and nginx is happy with all of that.

Since I initially configured the site to handle mail only for a.com,
my /etc/postfix/main.cf file currently has these two lines:

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.a.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.a.com/privkey.pem

But I see that mail test tools are reporting that MX for b.com and
c.com are misconfigured due to an SSL name mismatch.  Indeed, this is
true!

So I believe I should generate a multi-site SSL cert.  I try this:

sudo certbot  certonly  --cert-name postfix  --webroot \
  --webroot-path /var/www/a-com -d www.a.com -d a.com -d mail.a.com \
  --webroot-path /var/www/b-com -d www.b.com -d b.com \
  --webroot-path /var/www/c-com -d www.c.com -d c.com

And that fails with a bunch of errors like this:

Domain: www.a.com
Type:   unauthorized
Detail: Invalid response from
http://www.a.com/.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg:
"
404 Not Found

404 Not Found
"

I see that the file

.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

is being created (and one other file, too) but that nginx reports that
the _directory_

.well-known/acme-challenge/IT7-YURAep4bniD9zYpKpdRUBQcgCRJ6FflmZzWQGNg

doesn't exist.

Multi-site + letsencrypt + postfix is a subject that has recently
changed quite a bit, so I'm suspecting my web reading is merely
leading me astray.  It is also entirely possible I've misunderstood
things about SSL certificates.  Any pointers how to generate (or point
to) the certificates that I need to make those who contact my postfix
instance happy with their SSL conversation?

Thanks!