SSL/TLS configuration, EXIM, DMARC.

Posted: December 27th, 2022, 6:41 am
by admin
Hello Everyone,

If your mail server is using the cPanel/WHM LTS 102.0.26 release...

[root@srv8 ~]# cat /usr/local/cpanel/version
11.102.0.26
[root@srv8 ~]#
And your server is using CloudLinux OS.

[root@srv8 ~]# hostnamectl
   Static hostname: srv8.jsalfianmarketing.com
         Icon name: computer-desktop
           Chassis: desktop
        Machine ID: 9d9843c00baa42cfb6faxxxf725cdc5e
           Boot ID: 51a70c5eda7cxxxafddc8b6d07b8789
  Operating System: CloudLinux 7.9 (Boris Yegorov)
       CPE OS Name: cpe:/o:cloudlinux:cloudlinux:7.9:GA:server
            Kernel: Linux 3.10.0-962.3.2.lve1.5.76.el7.x86_64
      Architecture: x86-64
[root@srv8 ~]#
and using MySQL Ver 14.14 Distrib 5.7.40, for Linux (x86_64) using EditLine wrapper

[root@srv8 ~]# mysql -V
mysql  Ver 14.14 Distrib 5.7.40, for Linux (x86_64) using  EditLine wrapper
[root@srv8 ~]#
Please read!

Recently I've had problems with my mail server; many outbound emails were stuck in the queue:

[root@srv8 ~]# exim -bp | exiqsumm

Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------

  243   571KB     53m     36m  gmail.com
    4    8806     36m     36m  googlemail.com
---------------------------------------------------------------
  247   580KB     53m     36m  TOTAL

[root@srv8 ~]#
Then I received a message from the cron tab with the subject:
1 service generated warnings while checking SSL certificates.

The following cPanel service generated warnings from the checkallsslcerts script.
⚠ cpanel

The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID uvsqx8) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later. 

Check Manage SSL Hosts:
All of my SSL domains will expire soon! Beware with the Exim mail server!
That's why!

[root@srv8 ~]# /usr/local/cpanel/bin/checkallsslcerts
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
...
...
… done.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID mgzgsk) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.
The system will check for the certificate for the “dovecot” service.
The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
The “dovecot” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “dovecot” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
The “exim” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “exim” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
[root@srv8 ~]#
Make sure you read this:
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.

I added this to /var/spool/cron/root:

30 20 * * * /usr/local/cpanel/bin/checkallsslcerts > /dev/null
and rebooted the server afterwards.
Looks like it's working normally... all of the service statuses are fine... including Exim, which is up and running...

As per my conversation with cPanel CS staff, I can remove the cron task, because "checkallsslcerts" is run every time upcp (the cPanel upgrade process) runs.
The provided domains are covered by AutoSSL (you need to set up the AutoSSL configuration first!) and they have valid SSL certificates. AutoSSL would start trying to replace the certificate automatically, but it could be on the very last day the certificate is valid.

Don't forget to set Greylisting=ON within WHM >> Email, and also add these IPs of Sectigo (the SSL provider) to your firewall's allowed IPs.

178.255.81.12 # Sectigo's DCV request origin IPs
178.255.81.13 # Sectigo's DCV request origin IPs
91.199.212.132 # Sectigo's DCV request origin IPs
199.66.201.132 # Sectigo's DCV request origin IPs
Another issue was... if you have Force HTTPS Redirect [ON] in cPanel for that domain, under Home >> Domains,
this would cause issues as well.
So... if you're still having issues with getting certs, you can try to turn off Force HTTPS Redirect and see if the domains get updated.

Also...
Related to DMARC...
Your website's IP address type should be a dedicated IP and not a shared IP.
So... SNI (Server Name Indication) is not required.

Now the mail server is working normally.
Partial log from /var/log/exim_mainlog...

2022-12-27 04:58:49 1pA9Xc-000E9q-Me => heavytrafficxxx@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [74.125.195.26] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1672145929 z13-20020a056a00240d00b0056be3585c3asi14683701pfh.266 - gsmtp"
2022-12-27 04:58:49 1pA9Xc-000E9q-Me Completed
2022-12-27 04:58:49 1pA9Xc-000EA1-Rb => siselxxxt@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [74.125.195.26] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1672145929 e5-20020a17090a7c4500b00219bb19bcdfsi17135773pjl.38 - gsmtp"
2022-12-27 04:58:49 1pA9Xc-000EA1-Rb Completed
2022-12-27 04:58:49 1pA9Xc-000EA7-U3 => jamesxxx@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [74.125.195.26] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1672145929 q64-20020a632a43000000b0044c3ec9ea71si14913624pgq.630 - gsmtp"
2022-12-27 04:58:49 1pA9Xc-000EA7-U3 Completed
2022-12-27 04:58:49 1pA9Xd-000EAH-5L => inlevxxx@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [74.125.195.26] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK  1672145929 f11-20020a17090274cb00b001925d6fdfe3si12051902plt.142 - gsmtp"
2022-12-27 04:58:49 1pA9Xd-000EAH-5L Completed
2022-12-27 06:22:03 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2022-12-27 06:23:50 SMTP connection from [127.0.0.1]:54664 (TCP/IP connection count = 1)
2022-12-27 06:23:52 SMTP connection from [127.0.0.1]:54664 closed by QUIT
2022-12-27 06:23:52 SMTP connection from [127.0.0.1]:52120 (TCP/IP connection count = 1)
2022-12-27 06:23:53 SMTP connection from (localhost) [127.0.0.1]:52120 closed by QUIT
2022-12-27 06:27:03 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2022-12-27 06:27:18 SMTP connection from [64.62.197.123]:44431 (TCP/IP connection count = 1)
2022-12-27 06:27:22 H=scan-40b.shadowserver.org [64.62.197.123]:44431 rejected connection in "connect" ACL: Host is banned
2022-12-27 06:27:22 SMTP connection from scan-40b.shadowserver.org [64.62.197.123]:44431 closed by DROP in ACL
2022-12-27 06:28:51 SMTP connection from [127.0.0.1]:54686 (TCP/IP connection count = 1)
2022-12-27 06:28:53 SMTP connection from [127.0.0.1]:54686 closed by QUIT
2022-12-27 06:28:53 SMTP connection from [127.0.0.1]:52142 (TCP/IP connection count = 1)
2022-12-27 06:28:54 SMTP connection from (localhost) [127.0.0.1]:52142 closed by QUIT

[root@srv8 ~]# exim -bp | exiqsumm

Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------

---------------------------------------------------------------
    0       0      0m   0000d  TOTAL

[root@srv8 ~]#
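An added example, not code from the original post or from cPanel/Exim, that automates two of the checks the post does by eye: it walks exim_mainlog lines in the layout shown above (`H=host [ip] X=proto:cipher:bits CV=yes|no`) and flags deliveries made without TLS, on a protocol below TLS 1.2, or where Exim negotiated TLS but did not verify the peer certificate (CV=no), counts ACL rejections like the shadowserver one, and turns the TOTAL line of `exim -bp | exiqsumm` into a queue alert. The log lines and exiqsumm text embedded below are constructed samples using documentation addresses, and the alert thresholds are assumptions.

```python
"""Audit exim_mainlog deliveries for TLS use and peer-certificate verification,
and turn an exiqsumm summary into a queue alert.

Added example (not from the original post or from cPanel/Exim). Assumes the stock
Exim main-log layout seen in the post and exiqsumm's five-column summary.
All sample inputs below are constructed."""
import re

DELIVERY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S{6}-\S{6}-\S{2}) => (?P<rcpt>\S+) "
)
HOST_RE = re.compile(r" H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
TLS_RE = re.compile(r" X=(?P<proto>[^:\s]+):(?P<cipher>\S+)")
CV_RE = re.compile(r" CV=(?P<cv>\S+)")
REJECT_RE = re.compile(
    r'^\S+ \S+ H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]:\d+ rejected connection in "(?P<acl>[^"]+)" ACL: (?P<reason>.*)$'
)
AGE_RE = re.compile(r"^0*(\d+)([mhd])$")  # exiqsumm ages look like 53m, 2h, 0000d

# Protocol spellings as Exim logs them (TLS1.2 on the page; "TLSv" is normalised away below).
WEAK_PROTOS = {"SSL3", "TLS1", "TLS1.0", "TLS1.1"}


def analyze_mainlog(lines):
    """Summarise deliveries and ACL rejections; each problem becomes a finding string."""
    report = {"deliveries": 0, "tls_verified": 0, "tls_unverified": 0,
              "cleartext": 0, "weak_protocol": 0, "rejected": 0, "findings": []}
    for line in lines:
        line = line.rstrip("\n")
        d = DELIVERY_RE.match(line)
        if d:
            report["deliveries"] += 1
            host, tls, cv = HOST_RE.search(line), TLS_RE.search(line), CV_RE.search(line)
            peer = f"{host['host']} [{host['ip']}]" if host else "unknown peer"
            who = f"{d['msgid']} to {d['rcpt']} via {peer}"
            if not tls:  # no X= field: the message was handed over in cleartext
                report["cleartext"] += 1
                report["findings"].append(f"{who}: delivered WITHOUT TLS")
                continue
            proto = tls["proto"].replace("TLSv", "TLS")
            if proto in WEAK_PROTOS:
                report["weak_protocol"] += 1
                report["findings"].append(f"{who}: weak protocol {proto}")
            # CV=yes (or CV=dane) means Exim verified the peer certificate; CV=no means TLS
            # was negotiated but the certificate was not verified, so an interposer could be in path.
            if cv and cv["cv"] in ("yes", "dane"):
                report["tls_verified"] += 1
            else:
                report["tls_unverified"] += 1
                report["findings"].append(
                    f"{who}: TLS but peer certificate not verified (CV={cv['cv'] if cv else 'absent'})")
            continue
        r = REJECT_RE.match(line)
        if r:
            report["rejected"] += 1
            report["findings"].append(f"rejected {r['host']} [{r['ip']}] in {r['acl']} ACL: {r['reason']}")
    return report


def _age_minutes(token):
    m = AGE_RE.match(token)
    if not m:
        return 0
    return int(m.group(1)) * {"m": 1, "h": 60, "d": 1440}[m.group(2)]


def check_queue(exiqsumm_output, max_count=50, max_oldest_minutes=30):
    """Parse the TOTAL line of `exim -bp | exiqsumm`; return (alert, count, oldest_minutes).
    The thresholds are assumptions; tune them to the host's normal traffic."""
    for line in exiqsumm_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[-1] == "TOTAL":
            count, oldest = int(parts[0]), _age_minutes(parts[2])
            return (count > max_count or oldest > max_oldest_minutes, count, oldest)
    raise ValueError("no TOTAL line found in exiqsumm output")


# Constructed samples in the format shown in the post (RFC 5737 documentation addresses).
SAMPLE_MAINLOG = [
    '2022-12-27 04:58:49 1pA9Xc-000E9q-Me => alice@example.com R=dkim_lookuphost T=dkim_remote_smtp '
    'H=mx.example.com [192.0.2.10] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK"',
    '2022-12-27 04:58:49 1pA9Xc-000E9q-Me Completed',
    '2022-12-27 04:59:02 1pA9Xd-000EAH-5L => bob@example.net R=dkim_lookuphost T=dkim_remote_smtp '
    'H=mx.example.net [198.51.100.5] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK"',
    '2022-12-27 04:59:15 1pA9Xe-000EAQ-Zz => carol@example.org R=lookuphost T=remote_smtp '
    'H=mx.example.org [203.0.113.7] C="250 OK"',
    '2022-12-27 06:27:22 H=scan-40b.example.com [203.0.113.99]:44431 rejected connection in "connect" ACL: Host is banned',
    '2022-12-27 06:28:51 SMTP connection from [127.0.0.1]:54686 (TCP/IP connection count = 1)',
]
SAMPLE_EXIQSUMM = """\
Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------

  243   571KB     53m     36m  gmail.com
    4    8806     36m     36m  googlemail.com
---------------------------------------------------------------
  247   580KB     53m     36m  TOTAL
"""

if __name__ == "__main__":
    rep = analyze_mainlog(SAMPLE_MAINLOG)
    for key, val in rep.items():
        if key != "findings":
            print(f"{key:>15}: {val}")
    for finding in rep["findings"]:
        print(" -", finding)
    alert, count, oldest = check_queue(SAMPLE_EXIQSUMM)
    print(f"queue: {count} messages, oldest {oldest}m, alert={alert}")
```

On a live box, feed it `tail -n 5000 /var/log/exim_mainlog` for the first function and the captured `exim -bp | exiqsumm` text for the second; a rising `tls_unverified` count right after a certificate change is the signal that a peer, or your own server, is presenting a certificate that no longer validates.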