SSL for Virtual Sites and Mail Server Help Needed

4 posts / 0 new
Last post
#1 Thu, 09/22/2016 - 11:14
applejack

SSL for Virtual Sites and Mail Server Help Needed

Hi

I need some help with setting up SSL certs for virtual sites and the mail server.

Currently the server has a FQDN i.e. server.myserver.com and a virtual site set up myserver.com which has a self signed cert which is being used by Postfix and Dovecot.

I want to abe able to use a genuine cert, potentially from Letsencrypt for Postfix and Dovecot and also for other virtual sites which use the main servers shared IP address.

So the question is how can I do this:-

  1. Change mydomain.com to use Letsencrypt and then add this for Postfix and Dovecot. Do I need to remove the current self signed cert first in Dovecot and Postfix etc ?

Can I use a Letsencrypt cert to do this or would I need / be better using a wildcard cert from elsewhere ?

I am presuming that all clients will then have to change the mail server in their email client to use mail.myserver.com rather than currently mail.clientdomain.com ?

  1. For enabling SSL on other sites using the same main IP addrress. Just enable SSL in Edit server and create a new Letsencrypt cert ?

  2. If a client wishes to continue to use their own domain for the mail server how can this be done ?

Thanks is advance.

Thu, 09/22/2016 - 14:39
just_me

Well,

  1. You don't have to remove your certs from postfix /dovecot first. You can replace them lateron, when you have letsencrypt up and running. Getting a wildcard cert for free is impossible. You would need something like startssl.com and certify yourself in order to get wildcards which run 2 yrs, You have to pay 60 bucks to get certified to create wildcard certs.

2.Postfix / Dovecot only work witn just ONE certificate. Normally you would use a generic domain for mailserver. (this is how all providers work). If a client wants to use his mail.mydomain.com as mailserver, he would need an own mailserver to achieve this. Doesn't make sense at all. So generic is best. Perhaps this could work with a centralized certificate, but i never tried that one.

I will setup today the next server with a central cert for all domains running on that server. I've written a HowTo for this, and it should get you up and running in just some minutes: https://www.virtualmin.com/node/42012

I tried this with an client's certificate (for domain1.com) to put in my postfix /dovecot, but then it claimed to be not the the cert for domain2.com, so the approach in the upper part could work for you.

Best

Fri, 09/23/2016 - 08:20
applejack

Hi Thanks for the reply.

I did read your post you mention before I posted mine but firstly I'm on CentOS 6 and also I didn't fully understand it such as the certbot part when Letsencyrpt is now built into Virtualmin.

An issue I can potentially see with the outline I suggested above about adding the Lets Encrypt cert to Postifx and Dovecot is that is copies them to it and so presumably after it is auto renewed they would need copying again unless I write a script to copy across and run as a cron job or change the path used in Postfix and Dovecot to use the one which will be auto renewed.

Thoughts ?

The other issue which I am not sure of is if I set up the virtual site which is the main servers domain and then copy to Postfix and Dovecot since Letsencrypt isn't a wildcard cert will it then work for mail.myserver.com ?

Re your point about Postfix / Dovecot only work witn just ONE certificate. See this post and in particular andreychek's comment.

https://www.virtualmin.com/comment/744498#comment-744498

Fri, 09/23/2016 - 15:13
just_me

AFAIK the virtualmin implementation does not renew correctly. That's the main reason for me doing it like i outlined before. You can probably use that one also on CentOS, certbot is the new name for letsencrypt, so it is the same. Concerning Erics Post: He outlines, that you need a different IP address, if you want to use more than one certificate for emailserver. So does it make sense if you have 10 virtual hosts to have 10 different IP address just for having a mail.domain.com emailserver? If you think so, go ahead. My people are satisfied with just one generic mailserver domain. It is no hassle to maintan that, because my certbot does this continuously and automatic.

Give it a try and post in that thread of me if it worked or not.

Best

Topic locked