Using SSL cert of webserver's dedicated IP address for Dovecot and Postfix?

Hi Jamie, Hi Joe,

One quick question, I didn't look into Dovecot and Postfix yet, if that is even possible, however we regularly receive complaints from customers with web-ssl cert that their mail-servers don't have their certs. We added a generic web-server cert for server's default domain, and ask customers to change the mail-server address, but it would be nice to be able to continue to use the dedicated IP address with mail.customerdomain.com as mail server and that one to automatically also have the webserver's cert for POP3/IMAP(S)/SMTP(S) services, instead of/in addition to that new feature:

Changes in virtual-server since 3.74: The Manage SSL Certificate page can now be used to copy a domain's cert and key to Dovecot or Postfix.

Means that depending on the IP address on which Dovecot or Postfix is reached, they would use the corresponding existing virtual server's IP address's certificate (if possible the webserver's one, to avoid copy-pasting text or copying files).

Not urgent, but would avoid 1 ticket per SSL cert install and look more pro with customers... ;-)

Even possible at all ?

Status: 
Active

Comments

Actually, a customer said with lots of sense that same should apply to the webmail too:

Therefore same should apply (and that is possible for sure!) to Usermin and to Webmin as well !

e.g. accessing

https://userssslcertifieddomainondedicatedipaddress.com:10000/

or :20000

should use the web-certificate for that IP address and not the standard main certificate.

That request is a little more priority than the above one.

Howdy -- unfortunately, what you're after would require a change in the respective daemons you're asking about.

In general, Dovecot/Postfix/Usermin/etc can only have one SSL Certificate per installation.

So there isn't a way to get them to use different SSL certs for different IP addresses.

You can, however, use something like a UCC certificate (which allows multiple domains in one certificate), or a wildcard sub-domain cert, and install that into the above daemons.

That's a reason to make it so that whenever your users go to, say, webmail.their_domain.com, you set up Virtualmin to redirect them to a central install of Usermin which you've set up a valid SSL cert for.

The same with admin.their_domain.com -- redirect that to your domain name.

Some folks also set up a valid SSL cert at secure.domain.com -- and tell their customers to use that for email/imap/etc, so that the SSL works correctly for them.

Thanks for the answer.

However we use 1 cert per domain and each with a dedicated secondary IP address, so don't need multi-domain certs. Multidomain or wildcard certs are not an option on shared hosting like in that case, with different customers on the different IPs.

Regarding Dovecot, a quick search gave this hint from 2006 at supporting one cert per IP address: http://www.dovecot.org/list/dovecot/2006-October/017201.html

and for Postfix it can be done too (quick search too): http://www.irbs.net/internet/postfix/0305/1265.html

Another solution would be using an internal ssl proxy listening on the IP address and port with that cert and redirecting to the standard port.

I didn't try the above.

Regarding Usermin and Webmin, there is no redirection taking place in the browser url, so the 10000 and 20000 ports are indeed reached using the extra (dedicated) IP address, and not the default server one, so using the correct cert already set-up for the corresponding webserver should be "easy".

Yeah, the Dovecot instructions above are just for running a separate daemon for each SSL certificate in question -- which would indeed work, but requires more resources, multiple configs, and is a bit of an administrative headache :-)

So, you can certainly configure that on your own (aka, manually outside of Virtualmin), though I'm not sure that idea will work its way into a Virtualmin supported setup (though I'll pass this along to Jamie just to make sure).

The Postfix/SSL setup they offered is an interesting one and is much more manageable. Though I'm not sure that's much use without an equally good Dovecot setup :-)

Passing this along to Jamie for further comment...

I'm avoiding things outside Virtualmin, that's just programming for future trouble...

Thanks for forwarding to Jamie.

Still think the small proxy / port forwarder with SSL could also be a simple solution.

Let's see what Jamie thinks :)

You can actually set up Webmin and Usermin to use different certs for different IPs - this can be done at Webmin -> Webmin Configuration -> SSL Encryption -> Per-IP certificates.

There is a similar page in the Usermin Configuration module.

Does that help?

Thanks Jamie, Discovered another nice set of features...cool.

However, in our case, it helps only a little in both Usermin and in Webmin, as our certificates require an intermediate CA certificate file, which setting is missing from that UI. Or did I again miss something? ;-)

Actually, I really don't see a reason to have 3 different settings for certs (website, webmin, usermin) on a dedicated IP as the domain name is in 99.9% of the name unique for that IP, and in other cases you would use multi-domains certs or wildcard certs.

Also the nice new "Copy to Usermin" and "Copy to Webmin" buttons could copy the web-cert directly into the right IP address, if the webserver SSL cert being edited is not for the main IP address ?

Maybe that could happen automatically too, when setting up a new web-server cert ?

I guess the Usermin setting doesn't set up Dovecot/Postfix's IP-specific certs?

Submitted by Joe on Fri, 11/20/2009 - 14:07 Pro Licensee

Webmin does support chained certificates. The last option in the SSL Encryption configuration page is labeled "Additional certificate files (for chained certificates)", which is where you put the chain cert bundle path.
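
The following is an added example, not code from any participant in this thread or from the Webmin/Virtualmin project: a small audit that checks, for each dedicated IP, whether the implicit-TLS mail ports and the Webmin/Usermin ports serve a certificate that validates for the customer's hostname, including the intermediate chain. The hostname `mail.customer.example`, the address `192.0.2.10` and the `constructed_probe` results are constructed placeholders.

```python
import socket
import ssl

# Implicit-TLS ports named in the thread; STARTTLS on 25/110/143 is not covered.
PORTS = {"imaps": 993, "pop3s": 995, "smtps": 465, "webmin": 10000, "usermin": 20000}


def probe(ip, port, hostname, timeout=5.0):
    """Handshake with ip:port and validate the served cert for hostname.

    Returns None when the chain and name verify, otherwise the reason.
    """
    ctx = ssl.create_default_context()  # system CAs, hostname check enabled
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return None
    except ssl.SSLCertVerificationError as exc:
        # e.g. a hostname mismatch (server default cert is being served) or
        # "unable to get local issuer certificate" (intermediate CA missing)
        return exc.verify_message
    except OSError as exc:
        return f"connection failed: {exc}"


def audit(domains, probe_fn=probe):
    """domains maps hostname -> dedicated IP; returns (hostname, service, reason)."""
    findings = []
    for hostname, ip in domains.items():
        for service, port in PORTS.items():
            reason = probe_fn(ip, port, hostname)
            if reason is not None:
                findings.append((hostname, service, reason))
    return findings


def constructed_probe(ip, port, hostname):
    """Constructed stand-in for probe(): mail daemons serve the default cert,
    Webmin serves the per-IP cert without its chain file, Usermin is correct."""
    if port in (993, 995, 465):
        return "Hostname mismatch"
    if port == 10000:
        return "unable to get local issuer certificate"
    return None


if __name__ == "__main__":
    # Constructed sample: documentation-range IP and a placeholder domain.
    for finding in audit({"mail.customer.example": "192.0.2.10"}, constructed_probe):
        print(finding)
```

Calling `audit()` without the second argument uses the real `probe()` and connects to the listed hosts.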