SSL/TLS configuration, EXIM, DMARC.
Posted: December 27th, 2022, 6:41 am
Hello Everyone,
If your mail server is using the cPanel/WHM LTS 102.0.26 release, your server is running CloudLinux OS, and you are using MySQL Ver 14.14 Distrib 5.7.40, for Linux (x86_64) using EditLine wrapper, please read!
Code:
[root@srv8 ~]# cat /usr/local/cpanel/version
11.102.0.26
[root@srv8 ~]#
Code:
[root@srv8 ~]# hostnamectl
Static hostname: srv8.jsalfianmarketing.com
Icon name: computer-desktop
Chassis: desktop
Machine ID: 9d9843c00baa42cfb6faxxxf725cdc5e
Boot ID: 51a70c5eda7cxxxafddc8b6d07b8789
Operating System: CloudLinux 7.9 (Boris Yegorov)
CPE OS Name: cpe:/o:cloudlinux:cloudlinux:7.9:GA:server
Kernel: Linux 3.10.0-962.3.2.lve1.5.76.el7.x86_64
Architecture: x86-64
[root@srv8 ~]#
Code:
[root@srv8 ~]# mysql -V
mysql Ver 14.14 Distrib 5.7.40, for Linux (x86_64) using EditLine wrapper
[root@srv8 ~]#
Recently I've had problems with my mail server; many outbound emails were stuck in the queue:
Code:
[root@srv8 ~]# exim -bp | exiqsumm
Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
243 571KB 53m 36m gmail.com
4 8806 36m 36m googlemail.com
---------------------------------------------------------------
247 580KB 53m 36m TOTAL
[root@srv8 ~]#
Then I received a message from cron with the subject:
1 service generated warnings while checking SSL certificates.
The following cPanel service generated warnings from the checkallsslcerts script.
⚠ cpanel
The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID uvsqx8) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.
Check Manage SSL Hosts:
All of my SSL domains will expire soon! Beware with the exim mail server!
That's why!
Code:
[root@srv8 ~]# /usr/local/cpanel/bin/checkallsslcerts
The system will check for the certificate for the “cpanel” service.
The system will attempt to verify that the certificate for the “cpanel” service is still valid using OCSP (Online Certificate Status Protocol).
...
...
… done.
[WARN] The system failed to acquire a signed certificate from the cPanel Store because of the following error: (XID mgzgsk) The cPanel Store returned an error (X::TemporarilyUnavailable) in response to the request “POST ssl/certificate/whm-license/90-day”: We were unable to process your request. Please try again later.
The system will check for the certificate for the “dovecot” service.
The system will attempt to verify that the certificate for the “dovecot” service is still valid using OCSP (Online Certificate Status Protocol).
The “dovecot” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “dovecot” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “dovecot” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “dovecot” service.
The system will check for the certificate for the “exim” service.
The system will attempt to verify that the certificate for the “exim” service is still valid using OCSP (Online Certificate Status Protocol).
The “exim” service’s current certificate comes with the server’s cPanel license. This certificate expires in less than 25 days. The system will attempt to renew and install a new certificate to the “exim” service and any other services that use the old certificate.
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
[root@srv8 ~]#
Make sure you read this:
The system will attempt to install a certificate for the “exim” service from the system ssl storage.
None of the certificates in the system ssl storage were acceptable to use for the “exim” service.
I added this to /var/spool/cron/root:
Code:
30 20 * * * /usr/local/cpanel/bin/checkallsslcerts > /dev/null
and rebooted the server afterwards.
It looks like it is working normally... all of the services are up, including exim, whose status is up and running...
As per my conversation with cPanel CS staff, I can remove the cron task, because the "checkallsslcerts" program is run every time upcp (the cPanel upgrade process) runs.
The provided domains are covered by AutoSSL (you need to set up the AutoSSL configuration first!) and they have valid SSL certificates. AutoSSL would start trying to replace the certificate automatically, but it could be on the very last day the certificate is valid.
Don't forget to set Greylisting=ON within WHM >> Email, and also add these IPs of the SSL provider Sectigo to your firewall's allowed IPs.
Code:
178.255.81.12 # Sectigo's DCV request origin IPs
178.255.81.13 # Sectigo's DCV request origin IPs
91.199.212.132 # Sectigo's DCV request origin IPs
199.66.201.132 # Sectigo's DCV request origin IPs
Another issue was... if you have Force HTTPS Redirect [ON] in cPanel for that domain, under Home >> Domains, this would cause issues as well.
So... if you're still having issues getting certs, you can try turning off Force HTTPS Redirect and see if the domains get updated.
Also...
Related to DMARC...
Your website's IP address type should be a dedicated IP and not a shared IP.
So... SNI (Server Name Indication) is not required.
Now the mail server is working as normal.
Partial log from /var/log/exim_mainlog...
Code:
2022-12-27 04:58:49 1pA9Xc-000E9q-Me => heavytrafficxxx@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [74.125.195.26] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1672145929 z13-20020a056a00240d00b0056be3585c3asi14683701pfh.266 - gsmtp"
2022-12-27 04:58:49 1pA9Xc-000E9q-Me Completed
2022-12-27 04:58:49 1pA9Xc-000EA1-Rb => siselxxxt@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [74.125.195.26] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1672145929 e5-20020a17090a7c4500b00219bb19bcdfsi17135773pjl.38 - gsmtp"
2022-12-27 04:58:49 1pA9Xc-000EA1-Rb Completed
2022-12-27 04:58:49 1pA9Xc-000EA7-U3 => jamesxxx@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [74.125.195.26] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1672145929 q64-20020a632a43000000b0044c3ec9ea71si14913624pgq.630 - gsmtp"
2022-12-27 04:58:49 1pA9Xc-000EA7-U3 Completed
2022-12-27 04:58:49 1pA9Xd-000EAH-5L => inlevxxx@gmail.com R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [74.125.195.26] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK 1672145929 f11-20020a17090274cb00b001925d6fdfe3si12051902plt.142 - gsmtp"
2022-12-27 04:58:49 1pA9Xd-000EAH-5L Completed
2022-12-27 06:22:03 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2022-12-27 06:23:50 SMTP connection from [127.0.0.1]:54664 (TCP/IP connection count = 1)
2022-12-27 06:23:52 SMTP connection from [127.0.0.1]:54664 closed by QUIT
2022-12-27 06:23:52 SMTP connection from [127.0.0.1]:52120 (TCP/IP connection count = 1)
2022-12-27 06:23:53 SMTP connection from (localhost) [127.0.0.1]:52120 closed by QUIT
2022-12-27 06:27:03 cwd=/etc/csf 2 args: /usr/sbin/exim -bpc
2022-12-27 06:27:18 SMTP connection from [64.62.197.123]:44431 (TCP/IP connection count = 1)
2022-12-27 06:27:22 H=scan-40b.shadowserver.org [64.62.197.123]:44431 rejected connection in "connect" ACL: Host is banned
2022-12-27 06:27:22 SMTP connection from scan-40b.shadowserver.org [64.62.197.123]:44431 closed by DROP in ACL
2022-12-27 06:28:51 SMTP connection from [127.0.0.1]:54686 (TCP/IP connection count = 1)
2022-12-27 06:28:53 SMTP connection from [127.0.0.1]:54686 closed by QUIT
2022-12-27 06:28:53 SMTP connection from [127.0.0.1]:52142 (TCP/IP connection count = 1)
2022-12-27 06:28:54 SMTP connection from (localhost) [127.0.0.1]:52142 closed by QUIT
Code:
[root@srv8 ~]# exim -bp | exiqsumm
Count Volume Oldest Newest Domain
----- ------ ------ ------ ------
---------------------------------------------------------------
0 0 0m 0000d TOTAL
[root@srv8 ~]#
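The exim_mainlog excerpt above shows what a healthy outbound delivery looks like once the certificate problem is fixed: the X= field carries the TLS version and cipher, and CV=yes means Exim verified the remote server's certificate. As an added example (not code from the original post or from cPanel), here is a small Python script that parses lines in that log format and flags deliveries that went out in cleartext, used a legacy TLS version, or did not verify the remote certificate, and also counts connections dropped by the connect ACL, like the scanner in the post. The sample log lines, hosts, addresses and queue ids are constructed for this example; the only assumption is the standard Exim main-log line layout shown above.

```python
"""Audit outbound deliveries in an Exim main log for TLS use and certificate
verification, and count connections refused by the connect ACL."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on the /var/log/exim_mainlog excerpt in the
# post; hosts, addresses and queue ids are made up for this example.
SAMPLE_LOG = """\
2022-12-27 04:58:49 1pA9Xc-000E9q-Me => alice@example.com R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.com [192.0.2.25] X=TLS1.2:ECDHE-ECDSA-AES128-GCM-SHA256:128 CV=yes C="250 2.0.0 OK"
2022-12-27 04:58:49 1pA9Xc-000E9q-Me Completed
2022-12-27 04:59:10 1pA9Xd-000EAH-5L => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.7] X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no C="250 OK"
2022-12-27 04:59:10 1pA9Xd-000EAH-5L Completed
2022-12-27 05:01:02 1pA9Xe-000EB2-Qz => carol@example.org R=lookuphost T=remote_smtp H=mx.example.org [203.0.113.9] C="250 OK"
2022-12-27 05:01:02 1pA9Xe-000EB2-Qz Completed
2022-12-27 05:03:40 1pA9Xf-000EB9-Ab => dave@example.edu R=lookuphost T=remote_smtp H=mx.example.edu [203.0.113.44] X=TLS1.0:AES256-SHA:256 CV=yes C="250 OK"
2022-12-27 05:03:40 1pA9Xf-000EB9-Ab Completed
2022-12-27 06:27:18 SMTP connection from [64.62.197.123]:44431 (TCP/IP connection count = 1)
2022-12-27 06:27:22 H=scanner.example [64.62.197.123]:44431 rejected connection in "connect" ACL: Host is banned
2022-12-27 06:27:22 SMTP connection from scanner.example [64.62.197.123]:44431 closed by DROP in ACL
"""

# Delivery line: "<ts> <msgid> => <rcpt> R=.. T=.. H=<host> [<ip>] X=<ver>:<cipher>:<bits> CV=yes|no C=..."
# X= and CV= are optional: a cleartext delivery has neither.
DELIVERY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) => (?P<rcpt>\S+) .*?"
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]"
    r"(?: X=(?P<tlsver>[^:\s]+):(?P<cipher>[^:\s]+):(?P<bits>\d+))?"
    r"(?: CV=(?P<cv>yes|no))?"
)
# Connect-ACL rejection: "H=<host> [<ip>]:<port> rejected connection in "connect" ACL: <reason>"
REJECT_RE = re.compile(
    r'H=(?P<host>\S+) \[(?P<ip>[^\]]+)\](?::\d+)? rejected connection in '
    r'"(?P<acl>[^"]+)" ACL: (?P<reason>.*)$'
)
ACCEPTABLE_TLS = {"TLS1.2", "TLS1.3"}  # policy: anything older is flagged


@dataclass
class Delivery:
    ts: str
    msgid: str
    rcpt: str
    host: str
    ip: str
    tls_version: Optional[str]  # None when the session had no TLS
    cipher: Optional[str]
    cv: Optional[str]           # raw CV= value: "yes", "no" or None

    def problems(self) -> List[str]:
        """Policy violations for this delivery (empty list when it is clean)."""
        out: List[str] = []
        if self.tls_version is None:
            return ["delivered in cleartext (no TLS)"]
        if self.tls_version not in ACCEPTABLE_TLS:
            out.append(f"legacy TLS version {self.tls_version}")
        if self.cv != "yes":
            out.append(f"remote certificate not verified (CV={self.cv or 'absent'})")
        return out


def parse_log(text: str) -> Tuple[List[Delivery], Counter]:
    """Extract deliveries and connect-ACL rejections from exim_mainlog text."""
    deliveries: List[Delivery] = []
    rejections: Counter = Counter()
    for line in text.splitlines():
        m = DELIVERY_RE.match(line)
        if m:
            deliveries.append(Delivery(
                ts=m["ts"], msgid=m["msgid"], rcpt=m["rcpt"], host=m["host"],
                ip=m["ip"], tls_version=m["tlsver"], cipher=m["cipher"], cv=m["cv"]))
            continue
        r = REJECT_RE.search(line)
        if r:
            rejections[(r["ip"], r["reason"])] += 1
    return deliveries, rejections


def report(text: str) -> Dict[str, object]:
    """Summarise TLS posture of outbound mail plus ACL drops for one log chunk."""
    deliveries, rejections = parse_log(text)
    findings = {d.msgid: d.problems() for d in deliveries if d.problems()}
    tls_versions = Counter(d.tls_version or "none" for d in deliveries)
    return {"deliveries": len(deliveries), "tls_versions": tls_versions,
            "findings": findings, "rejections": rejections}


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    print(f"deliveries: {result['deliveries']}  by TLS version: {dict(result['tls_versions'])}")
    for msgid, probs in result["findings"].items():
        print(f"{msgid}: {'; '.join(probs)}")
    for (ip, reason), n in result["rejections"].items():
        print(f"connect ACL dropped {ip} x{n}: {reason}")
```

Run it against a real log with `report(open("/var/log/exim_mainlog").read())`; a non-empty `findings` dict after a certificate renewal is the quickest way to confirm that the renewed exim certificate did not silently push deliveries back to opportunistic, unverified TLS.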