SSL for all Virtual Servers to be Valid for email

Hi, I just wanted to check something as clients have had a few queries with their email accounts connecting to my server.

Email is working great. But initially they receive a warning that the SSL Cert is invalid and doesn't match their domain.

Is there a way to add a DNS record to every virtual server so that when it checks mail on the main virtual server mail address it sees the SSL as correct?

I have a Comodo purchased SSL. I did try adding a few individual SSLs to virtual servers but then found that Dovecot and Postfix can only have one copied to them. So it is just how I get all the virtual servers checking mail on mail.primarydomain.com to use the SSL without issues?

Thanks for any help or advice on this.

Status: Active

Comments

Howdy -- the problem is that unfortunately, Dovecot and Postfix can only have one SSL certificate installed per IP address.

That means that unless a domain has its own IP address, when they go to check email, they will get that SSL error if they use their own domain for the incoming/outgoing hostname.

To get around that -- users using a domain on a shared IP address may want to connect to your server using the domain name that's in the SSL certificate, rather than their own domain name.

A common way to handle that is for the server owner to set up an SSL cert for all users to use, possibly one with the name of their hosting company, if that's what your organization does. And then your users could use the name of your hosting company when connecting to the server. Then, they would be able to connect without the error you're seeing now.

Hi thanks Eric,

Well I had thought that was what I'd done and that it would work for people. I was just basically trying to copy my cPanel setup and move everything to Virtualmin. Sorry to mention cPanel, I know it is a dirty word! haha - but on that setup users don't connect to imap/smtp with host mail.theirdomain.com but instead use mail.myserverdomain.com - and the SSL I have for myserverdomain.com then works and they don't get any warnings...

On Virtualmin this doesn't seem to work, so I wondered if I'd set it up wrong. I have mail.myserverdomain.com in my DNS, I can connect to it for my own email info@myserverdomain.com and don't get the SSL warning as I copied the SSL for that domain to Dovecot and Postfix, Webmin etc.

But as soon as someone from a different Virtual Server checks their mail on that mail.myserverdomain.com address it informs them that the SSL doesn't match their email address so can't be trusted...

Thanks again for any way to iron out this issue. Much appreciated :)

Could you share a screenshot of the exact error you're receiving?

I haven't seen an email client complain that the SSL cert didn't match the email address before.

However, if the SSL cert isn't set up as "mail.myserverdomain.com", but instead is just "myserverdomain.com" -- you'd want to make sure you're connecting to the hostname "myserverdomain.com".

Hi, you've hit the nail absolutely bang on the head!

I was using mail.myserverdomain.com instead of just myserverdomain.com! Now it is working and no warnings, so the SSL doesn't like the subdomain. Thank you.

How do I set the auto mail config to use the correct address? Currently Thunderbird for example just fills in mail.whatever - but it would be great if it auto filled in the working SSL domain.

Thanks again :)

You can tweak the mail client auto-configuration settings in Virtualmin using Email Messages -> Mail Client Configuration.

Let us know if that does what you want there.

Bang on as always - thank you :)
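The mismatch resolved in this thread, as an added example that is not part of the original posts or of Virtualmin's code: a small checker showing which client hostnames a certificate's names cover, using RFC 6125-style matching. The certificate name lists are constructed from the thread's placeholder domains; the SAN and wildcard variants are assumptions for comparison, not certificates the poster had.

```python
"""Check which mail hostnames a certificate's names actually cover."""


def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' counts only as the whole left-most
    label and stands for exactly one label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered(cert_names, hostname):
    return any(name_matches(n, hostname) for n in cert_names)


def audit(cert_names, client_hostnames):
    """Map each hostname a mail client might use to True/False."""
    return {h: covered(cert_names, h) for h in client_hostnames}


# Constructed sample data (placeholder domains from the thread).
CERT_AS_IN_THREAD = ["myserverdomain.com"]
CERT_WITH_MAIL_SAN = ["myserverdomain.com", "mail.myserverdomain.com"]
CERT_WILDCARD = ["myserverdomain.com", "*.myserverdomain.com"]
CLIENT_HOSTS = [
    "mail.myserverdomain.com",   # what the auto-config filled in
    "myserverdomain.com",        # the name that worked
    "mail.theirdomain.com",      # a hosted customer's own domain
]

if __name__ == "__main__":
    for label, names in [("bare name only", CERT_AS_IN_THREAD),
                         ("with mail SAN", CERT_WITH_MAIL_SAN),
                         ("with wildcard", CERT_WILDCARD)]:
        print(label)
        for host, ok in audit(names, CLIENT_HOSTS).items():
            print(f"  {host:26} {'ok' if ok else 'MISMATCH'}")
```

Whichever hostname comes back covered is the one to put in the mail client auto-configuration; a customer's own domain stays a mismatch in every variant because the single certificate never names it.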