[LetsEncrypt] Certificate only encrypting for a single domain's SMTP (Postfix).

#1 Tue, 04/04/2017 - 09:59
Kivylius

Hi all, I'm having a bit of a problem setting up SMTP for mail. My cert (LetsEncrypt) is issued for main.tld and mail.main.tld. Now this works fine for main.tld mail, but my other domains, e.g. other.tld, are unencrypted! I attempted to issue a cert for other.tld & mail.other.tld and copy it over to Postfix and Dovecot, but it overwrote the original, making mail encrypted only for other.tld, so I reverted back to the main.tld cert and copied that over to fix the issue. This error occurs upon adding a mail account in Thunderbird; here is a picture:

Note I made one small change in the Autoconfig file, setting the socket to SSL, as it was unencrypted by default even after installing the certificate. Autoconfig -> Thunderbird: set the <socketType> to $SMTP_SSL.

Do I have to change the MX manually for each domain to mail.main.tld? Will the autoconfig (Thunderbird, Outlook) pick that up automatically?

What is the best approach for this? I want all my mail to be encrypted for all domains and the autoconfig to reflect that.

Thanks

Tue, 04/04/2017 - 11:56
unborn

Hi, you know for a fact you can use HTTPS of mail.maindomain.com for any other domain? Also, HTTPS does not give you any encryption of email; it's just transfer. For pure encryption you should use GPG.

Configuring/troubleshooting Debian servers is always great fun

Contact me directly: GPG/PGP supported!

Wed, 04/05/2017 - 10:20
Kivylius

Sorry, I was referring to transfer encryption (SMTPS). Yes, I am aware now. I was able to change the default mail server in System Settings => Server Templates => BIND DNS => Hostname for MX record and set that to mail.maindomain.com; however, I still needed to change the Mail AutoConfig files (Outlook & Thunderbird) from $smtp/imap_host to imap.maindomain.com & smtp.maindomain.com, otherwise mail.domain.tld is used.

Wed, 04/05/2017 - 12:12
unborn

mail.domain.com on both for IMAP and SMTP (or IN and OUT) should work, and there should not be imap.domain.com nor smtp.domain.com.


Thu, 04/06/2017 - 05:43
mt

As far as I know that's not possible out of the box in Virtualmin. I'm only using a single domain and have a separate cert for that.

Dovecot supports SNI but Postfix does not. But SNI only helps you if you connect the client directly over the SSL ports 995, 993, 465.

What can you do? Use something like acme.sh and build a cert with a subjAltName for all your domains. You have to somehow hook this into domain creation / deletion, and you basically have a limit of 100 aliases; if you have mail.domain, pop3.domain, smtp.domain and so on, you're down to far less.

I'd say go for mail.<domain> and use that for all domains. If you need per-domain certificates, use a single one with subjAltName and go for mail.<domain> to have up to 100 domains.

Thu, 04/20/2017 - 03:44
Kivylius

Well, I got it working with SNI. I set up my master domain (main.tld) with normal Let's Encrypt and then in Server Configuration -> Website Options set "Website matches all sub-domains" to Yes. This allowed me to add mail.main.tld, imap.main.tld and smtp.main.tld as SNIs and then copy them over to Postfix and Dovecot.

I connect through SSL for IMAP and STARTTLS for SMTP and it seems like it's working? Now for the other domains the MX is mail.main.tld, and when getting/sending mail, the autoconfig has imap.main.tld and smtp.main.tld on the other domain and allows SMTPS email. This is how other mail servers I have used before work, even Google Mail.

Yes, it works, but is there any way to make sure it's correct, and correct for the Virtualmin configuration too?
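Added example, not code from this thread, from Virtualmin or from acme.sh: a POSIX shell script that checks the two things the thread turns on, mt's point that one SAN certificate can carry at most 100 names, and the last post's question of how to confirm that the shared-host setup is actually correct. It builds a self-signed certificate as a stand-in for what acme.sh would issue (same subjectAltName list, so it runs offline), extracts the SAN names, and checks a Thunderbird/Outlook autoconfig file for other.tld against that certificate: every hostname the autoconfig hands out must be in the SAN list, and no socketType may be "plain". The domains main.tld/other.tld/third.tld, the file names and the autoconfig XML are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from this thread or from Virtualmin. It checks a mail
# TLS setup of the kind discussed above: does the certificate cover every host
# name the autoconfig hands to clients, and does the autoconfig ever fall back
# to a plain socket? Domains, file names and the XML below are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Host names clients might be pointed at for each domain, one per line.
mail_names_for() {
    for d in "$@"; do
        for p in mail imap smtp; do printf '%s.%s\n' "$p" "$d"; done
    done | sort -u
}

# Let's Encrypt puts at most 100 names on one certificate, so a per-domain
# SAN list with mail/imap/smtp for each domain only reaches 33 domains.
LE_MAX_SANS=100
fits_in_one_cert() {
    [ "$(mail_names_for "$@" | wc -l | tr -d ' ')" -le "$LE_MAX_SANS" ]
}

# Stand-in for `acme.sh --issue -d name1 -d name2 ...`: a self-signed cert with
# the same subjectAltName list, so everything below runs offline.
# $1 = output file prefix, remaining arguments = DNS names.
issue_san_cert() {
    prefix=$1; shift
    san=$(printf 'DNS:%s,' "$@"); san=${san%,}
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=$1" \
        -addext "subjectAltName=$san" \
        -keyout "$prefix.key" -out "$prefix.crt" >/dev/null 2>&1
}

# DNS names a certificate covers (its SAN entries), one per line.
san_names() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Succeeds only if every name given after the cert path is in its SAN list.
cert_covers() {
    cert=$1; shift
    names=$(san_names "$cert")
    for n in "$@"; do
        printf '%s\n' "$names" | grep -qx "$n" || { echo "missing SAN: $n" >&2; return 1; }
    done
}

# Host names and socket types a Thunderbird/Outlook autoconfig file hands out.
autoconfig_hosts()   { grep -o '<hostname>[^<]*' "$1" | sed 's/<hostname>//'; }
autoconfig_sockets() { grep -o '<socketType>[^<]*' "$1" | sed 's/<socketType>//'; }

# Succeeds only if the autoconfig uses no plain socket and names only hosts the
# cert covers; the thread's symptom (unencrypted SMTP for other.tld) fails here.
check_autoconfig() {
    xml=$1; cert=$2
    if autoconfig_sockets "$xml" | grep -qx plain; then
        echo "plain socket in $xml" >&2; return 1
    fi
    # shellcheck disable=SC2046
    cert_covers "$cert" $(autoconfig_hosts "$xml")
}

# Constructed autoconfig for other.tld that sends clients to the shared host
# under main.tld, as in the last post above.
cat > "$WORK/other.tld.xml" <<'EOF'
<clientConfig version="1.1">
  <emailProvider id="other.tld">
    <domain>other.tld</domain>
    <incomingServer type="imap">
      <hostname>imap.main.tld</hostname><port>993</port>
      <socketType>SSL</socketType><authentication>password-cleartext</authentication>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.main.tld</hostname><port>587</port>
      <socketType>STARTTLS</socketType><authentication>password-cleartext</authentication>
    </outgoingServer>
  </emailProvider>
</clientConfig>
EOF

demo() {
    # One cert for the shared host's names is enough for every hosted domain.
    # shellcheck disable=SC2046
    issue_san_cert "$WORK/shared" $(mail_names_for main.tld)
    check_autoconfig "$WORK/other.tld.xml" "$WORK/shared.crt" && echo "shared-host setup: OK"
    # Per-domain names in one SAN cert only work while the list fits the limit.
    fits_in_one_cert main.tld other.tld third.tld && echo "per-domain SAN list fits"
}
if command -v openssl >/dev/null 2>&1; then demo; fi
```

Against the live server the same check is done with the certificate the daemons actually present rather than a file on disk: openssl s_client -connect smtp.main.tld:587 -starttls smtp -servername smtp.main.tld </dev/null | openssl x509 -noout -text for Postfix, and the same without -starttls against port 993 for Dovecot, then compare the DNS: entries with the hostnames in each domain's autoconfig. On a Virtualmin box the domain list would come from something like virtualmin list-domains --name-only instead of the three constructed names.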