newspaint

Documenting Problems That Were Difficult To Find The Answer To

Getting LetsEncrypt Working With Exim

LetsEncrypt offers free SSL certificates if you use the tool provided. However the tricky part is validation which expects to be able to open a listening webserver port on your server.

In my case I had put Exim on a virtual server and didn’t want to open access to the outside world for validation purposes.

On Ubuntu 16.04 (Xenial) I installed certbot:

~$ sudo apt-get install software-properties-common
~$ sudo add-apt-repository ppa:certbot/certbot
~$ sudo apt-get update
~$ sudo apt-get install certbot

Then I requested a manual validation for a certificate request:

~$ sudo certbot -d mail01.newspaint.wordpress.com --manual --preferred-challenges dns certonly

This requested I add a TXT record to my domain name server (which you have to do in a separate terminal window because certbot waits for you to complete this before requesting you to hit a key to continue). For example I added the following to my zone file for Bind 9 / named:

_acme-challenge.mail01 TXT ( "483OWAC8DAb5iT7BCBxzZ0Qyqqbzh_PFeWiauprsY3C" )

An easy mistake is to simply add _acme-challenge without the subdomain (mail01) or fully qualifying the domain name without the trailing dot (i.e. _acme-challenge.mail01.newspaint.wordpress.com.). You have to ensure you update the serial number of your zone file and reload it.

The LetsEncrypt generated certificates/keys are placed in /etc/letsencrypt/archive/domain_name/ and the most recent certificate is symlinked from the /etc/letsencrypt/live/domain_name/ directory.

Now add the following to your Exim configuration file:

tls_certificate = /etc/letsencrypt/live/mail01.newspaint.wordpress.com/fullchain.pem
tls_privatekey = /etc/letsencrypt/live/mail01.newspaint.wordpress.com/privkey.pem

It’s very important to examine the default permissions certbot creates for those directories because this affects Exim:

drwxr-xr-x 23 root root 4096 Aug 29 00:55 /
drwxr-xr-x 97 root root 4096 Sep 10 03:34 /etc/
drwxr-xr-x  8 root root 4096 Sep 16 00:11 /etc/letsencrypt/
drwx------  3 root root 4096 May 21 08:29 /etc/letsencrypt/archive/
drwxr-xr-x  2 root root 4096 Jul 20 12:18 /etc/letsencrypt/archive/mail01.newspaint.wordpress.com/
-rw-r--r--  1 root root 3550 May 21 08:29 /etc/letsencrypt/archive/mail01.newspaint.wordpress.com/fullchain1.pem
-rw-r--r--  1 root root 1704 May 21 08:29 /etc/letsencrypt/archive/mail01.newspaint.wordpress.com/privkey1.pem
drwx------  3 root root 4096 May 21 08:29 /etc/letsencrypt/live/
drwxr-xr-x  2 root root 4096 Jul 20 12:18 /etc/letsencrypt/live/mail01.newspaint.wordpress.com/

When Exim runs on Ubuntu it runs as the user Debian-exim. And it doesn’t read the certificate/key until an SMTP connection is made to it – so unlike other daemons that start as root, read SSL certificates, then drop into a less privileged user, Exim doesn’t read the certificate until it needs it when it is already an unprivileged user.

As you can see above there are two directories an ordinary user cannot see:

  • /etc/letsencrypt/archive/
  • /etc/letsencrypt/live/

Both of these must be made visible to the Debian-exim user. Your choices are:

  • chmod 755 /etc/lets/encrypt/{archive,live} #(but that lets anybody read the files)
  • chmod 755 /etc/lets/encrypt/{archive,live}; chgrp Debian-exim /etc/lets/encrypt/{archive,live} #(much better)

If you don’t do this you’ll get the following error from Exim in /var/log/exim4/mainlog:

2017-09-15 23:53:07 TLS error on connection from mail-it0-f44.google.com [209.85.214.44] (cert/key setup: cert=/etc/letsencrypt/live/mail01.newspaint.wordpress.com/fullchain.pem key=/etc/letsencrypt/live/mail01.newspaint.wordpress.com/privkey.pem): Error while reading file.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: