Virtualmin - Let's Encrypt SSL - Postfix - Dovecot - Multiple Domain Setup

#1 Fri, 08/25/2017 - 16:54
samrich

So, things are getting really confusing around how Multiple domains should be setup with SSL from Let's Encrypt.

My setup:

Single IP Address: 192.123.122.121 <----not actual
OS: CentOS Linux 7.3.1611
Webmin: 1.851
Virtualmin: 6.00
Apache: 2.4.6
Postfix and Dovecot

For the sake of this post we can assume the following:

System Hostname: server3.mydomain.com

Virtual Servers and Alias:

mydomain.net
-> mail.mydomain.net
mydomain.com
-> mail.mydomain.com
one.com
-> mail.one.com
two.com
-> mail.two.com
three.com
-> mail.three.com

DNS is provided by datacenter and is setup correctly.

So, what I have been doing is after the virtual server and alias have been created, I select the virtual server from the dropdown in Virtualmin then:

Server Configuration -> Manage SSL Certificate -> Let's Encrypt

Then under "Request certificate for" I select the "Domain names listed here" and fill in the following:

one.com
www.one.com
mail.one.com

Then I click the "Request Certificate" button. Let's Encrypt gives the certificate and now HTTPS works. So, then I try email and I cannot send messages because of the SSL cert not matching.

So here are my questions:

1.) Can I use the "Manage SSL Certificate" to request each domain's certificates?

2.) Do the mail Aliases all need to be on one Certificate? If yes, which domain should they go under?

3.) At any point should I ever click either the "Copy to Dovecot" or "Copy to Postfix" buttons after getting the Let's Encrypt certificate for a domain?

4.) In the off chance that I click the "Copy to Postfix" or "Copy to Dovecot" button is there a way to undo that?

My goal is to have HTTP traffic all go HTTPS (which is working) and have email both incoming and outgoing over SSL.

Thanks for any help!

Sat, 08/26/2017 - 08:52
Joe

1.) Can I use the "Manage SSL Certificate" to request each domain's certificates?

What do you mean by "each domain"? Obviously, you can request certificates for every domain your server hosts, so I guess that's not what you're asking...but, I can't quite figure out what you're trying to accomplish.

2.) Do the mail Aliases all need to be on one Certificate? If yes, which domain should they go under?

I'd recommend not directing your users to a bunch of different names. Pick a central one for mail, and use that for everyone, no matter what domain they're in. It'll reduce the complexity of your deployment remarkably.

AFAIK, SMTP and IMAPS/POPS have no mechanism for selecting a certificate based on hostname (e.g. they can't have a bunch of certificates...just the one), so yes, any domain name you'll be connecting to SMTP and IMAPS/POPS with will need to have the same certificate that covers all of the names you'll be connecting with.

3.) At any point should I ever click either the "Copy to Dovecot" or "Copy to Postfix" buttons after getting the Let's Encrypt certificate for a domain?

Yes. That's how a certificate is installed for use by mail services. Until you click that, you'll be using the default self-signed certificates (which should work, but will generate a warning when you connect and won't have any domain names associated with them except the name of the host).

4.) In the off chance that I click the "Copy to Postfix" or "Copy to Dovecot" button is there a way to undo that?

Not automatically, no. You could back them up manually beforehand. But, you shouldn't need to. A self-signed certificate has no value...don't worry about replacing it.

--

Check out the forum guidelines!

Mon, 08/28/2017 - 15:53 (Reply to #4)
samrich

Joe,

Thanks for the reply. I missed the reply button to your comment and realized that I had just posted a new comment. Wanted to make sure you saw my new comment on this post.

Mon, 08/28/2017 - 13:26
samrich

Joe,

Thanks for your responses and help. Once I figure this out, I'm going to upload a How To to this forum. Anyways, here are my new comments:

1.) Can I use the "Manage SSL Certificate" to request each domain's certificates?

Joe: What do you mean by "each domain"? Obviously, you can request certificates for every domain your server hosts, so I guess that's not what you're asking...but, I can't quite figure out what you're trying to accomplish.

Samrich: So I would love to have all of my customers be able to access their mail on secure ports using SSL. Ideally the incoming and outgoing servers for each customer would be mail.customerdomain.com where "customerdomain" is their actual domain name. I originally thought "Manage SSL Certificate" would be able to do all of this using Let's Encrypt but that hasn't been the case. HTTP/HTTPS works great but I'm struggling with mail.

2.) Do the mail Aliases all need to be on one Certificate? If yes, which domain should they go under?

Joe: I'd recommend not directing your users to a bunch of different names. Pick a central one for mail, and use that for everyone, no matter what domain they're in. It'll reduce the complexity of your deployment remarkably.

AFAIK, SMTP and IMAPS/POPS have no mechanism for selecting a certificate based on hostname (e.g. they can't have a bunch of certificates...just the one), so yes, any domain name you'll be connecting to SMTP and IMAPS/POPS with will need to have the same certificate that covers all of the names you'll be connecting with.

Samrich: So your first part above sounds good. So I would have everyone use something like:
Incoming Mail Server: mail3.mydomain.net
Outgoing Mail Server: mail3.mydomain.net
This would be used instead of: mail.customerdomain.com where "customerdomain" is whatever my customer's actual domain name is? Would this cause blacklist problems as mail for a customer's domain would now be coming from mydomain.net and the sending email account would not match the sending server domain?

So your second part, then how would I go about requesting the SSL certificate from Let's Encrypt with all of the customer domains? Altering my steps in the original post, I would only get an SSL certificate for customerdomain.com and www.customerdomain.com for customer domains and then for the email server mydomain.net account I would add mail.customerdomain.com for each of my customers in the "Domain names listed here" field.

3.) At any point should I ever click either the "Copy to Dovecot" or "Copy to Postfix" buttons after getting the Let's Encrypt certificate for a domain?

Joe: Yes. That's how a certificate is installed for use by mail services. Until you click that, you'll be using the default self-signed certificates (which should work, but will generate a warning when you connect and won't have any domain names associated with them except the name of the host).

Samrich: So, I've noticed that in Webmin -> Servers -> Dovecot IMAP/POP3 Server -> Edit Config Files then on about line 104 I see the following list:

local_name mail3.mydomain.net {
  ssl_cert = </home/mydomnet/domains/mail3.mydomain.net/ssl.cert
  ssl_key = </home/mydomnet/domains/mail3.mydomain.net/ssl.key
}
local_name www.mail3.mydomain.net {
  ssl_cert = </home/mydomnet/domains/mail3.mydomain.net/ssl.cert
  ssl_key = </home/mydomnet/domains/mail3.mydomain.net/ssl.key
}
local_name mydomain.com {
  ssl_cert = </home/mydomcom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
local_name www.mydomain.com {
  ssl_cert = </home/mydomcom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
local_name mail.mydomain.com {
  ssl_cert = </home/mydomcom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
local_name one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
local_name www.one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
local_name mail.one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
local_name two.com {
  ssl_cert = </home/twocom/ssl.cert
  ssl_key = </home/twocom/ssl.key
}
local_name www.two.com {
  ssl_cert = </home/twocom/ssl.cert
  ssl_key = </home/twocom/ssl.key
}
local_name mail.two.com {
  ssl_cert = </home/twocom/ssl.cert
  ssl_key = </home/twocom/ssl.key
}
local_name three.com {
  ssl_cert = </home/threecom/ssl.cert
  ssl_key = </home/threecom/ssl.key
}
local_name www.three.com {
  ssl_cert = </home/threecom/ssl.cert
  ssl_key = </home/threecom/ssl.key
}
local_name mail.three.com {
  ssl_cert = </home/threecom/ssl.cert
  ssl_key = </home/threecom/ssl.key
}

It looks like Dovecot might be using the individual SSL certificates for each of the domains. Now for Postfix, I do not get the same results. If I press the "Copy to Postfix" button, for virtual server two.com then Postfix uses that SSL certificate for all accounts. Then I get an error message in the mail client (ie: thunderbird, outlook, etc.) that the certificate is for the wrong site.

4.) In the off chance that I click the "Copy to Postfix" or "Copy to Dovecot" button is there a way to undo that?

Joe: Not automatically, no. You could back them up manually before-hand. But, you shouldn't need to. A self-signed certificate has no value...don't worry about replacing it.

Samrich: Ok.
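The Dovecot config samrich pasted above is a list of local_name blocks, which is how Dovecot picks a certificate per SNI name, and any name a client types that has no block falls back to the global ssl_cert/ssl_key. The script below is an added example for this thread (not Dovecot's or Virtualmin's code): it parses blocks of that shape from a constructed config that mirrors the posted one, with one deliberate inconsistency added for the demo, and reports the names clients use that have no block, blocks missing a cert or key, and blocks whose cert and key come from different directories. All paths are the thread's placeholders, so the check is purely textual and never opens a certificate file.

```python
"""Parse Dovecot 'local_name' blocks and check them against the names clients use.

Added example for this forum thread, not Dovecot's or Virtualmin's own code.
SAMPLE_CONF is constructed to mirror samrich's posted config, with mail.two.com's
key deliberately pointing at another directory so the demo has something to find.
"""
from __future__ import annotations

import posixpath
import re
from typing import Dict, List

# Constructed sample; paths are the thread's placeholders, not real files.
SAMPLE_CONF = """\
local_name mail3.mydomain.net {
  ssl_cert = </home/mydomnet/domains/mail3.mydomain.net/ssl.cert
  ssl_key = </home/mydomnet/domains/mail3.mydomain.net/ssl.key
}
local_name mail.mydomain.com {
  ssl_cert = </home/mydomcom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
local_name mail.one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
local_name mail.two.com {
  ssl_cert = </home/twocom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
"""

# A block looks like:  local_name <host> { ssl_cert = </path  ssl_key = </path }
BLOCK_RE = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.S)
# Dovecot's '<' prefix means "read the value from this file"; we keep the path only.
SETTING_RE = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*<(\S+)", re.M)


def parse_local_names(conf: str) -> Dict[str, Dict[str, str]]:
    """Map each local_name (lower-cased) to its ssl_cert / ssl_key file paths."""
    blocks: Dict[str, Dict[str, str]] = {}
    for m in BLOCK_RE.finditer(conf):
        blocks[m.group(1).lower()] = dict(SETTING_RE.findall(m.group(2)))
    return blocks


def check_local_names(conf: str, client_names: List[str]) -> Dict[str, List[str]]:
    """Findings for a config and the list of hostnames users put in their mail clients.

    no_block:    typed names with no local_name block (they get the global ssl_cert)
    incomplete:  blocks missing ssl_cert or ssl_key
    split_paths: cert and key in different directories; worth a look, since a key
                 that does not pair with the cert fails the TLS handshake
    """
    blocks = parse_local_names(conf)
    findings: Dict[str, List[str]] = {"no_block": [], "incomplete": [], "split_paths": []}
    for name, settings in blocks.items():
        if "ssl_cert" not in settings or "ssl_key" not in settings:
            findings["incomplete"].append(name)
        elif posixpath.dirname(settings["ssl_cert"]) != posixpath.dirname(settings["ssl_key"]):
            findings["split_paths"].append(name)
    for name in client_names:
        if name.lower() not in blocks:  # exact matching only; wildcard local_name is not handled
            findings["no_block"].append(name)
    return findings


if __name__ == "__main__":
    typed = ["mail3.mydomain.net", "mail.mydomain.com", "mail.one.com", "mail.two.com", "mail.three.com"]
    for kind, names in check_local_names(SAMPLE_CONF, typed).items():
        print(f"{kind}: {names}")
```

To run it against a live server, read the Dovecot config file in place of SAMPLE_CONF and pass the exact hostnames your customers type. For Postfix, the single-certificate behaviour samrich observes is expected on the Postfix 2.10 that CentOS 7 ships: per-name selection (tls_server_sni_maps) only arrived in Postfix 3.4, so on this setup "Copy to Postfix" really does change the certificate for every connection.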

Fri, 08/30/2019 - 09:04 (Reply to #7)
Gashumba

I would have hoped for an answer to samrich's question because this is the thing that irks the most when it comes to customers' email settings.

Wed, 04/24/2019 - 04:11
Hans

"...for Postfix, I do not get the same results. If I press the "Copy to Postfix" button, for virtual server two.com then Postfix uses that SSL certificate for all accounts. Then I get an error message in the mail client (ie: thunderbird, outlook, etc.) that the certificate is for the wrong site."

I ran into the exact same problem: when I generate an ssl cert for one host and add it to postfix, ALL other virtualmin hosts use this single cert for sending mail, i.e. postfix/smtp via ssl.

Have you been able to solve this, Sam? Cheers

Fri, 05/24/2019 - 13:33
SteveR

Hans, with Postfix I only got this to work for virtual servers if they had separate IP addresses, and you have to manually edit /etc/postfix/master.cf and use server-dependent mapping to bind the IP addresses. It is quite a painful process to get it working correctly, e.g. in master.cf:

# 1.2.3.4 stands for the virtual server's own IP address
1.2.3.4:smtp inet n - n - - smtpd -o smtpd_tls_cert_file=/home/site1/ssl/ssl.cert -o smtpd_tls_key_file=/home/site1/ssl/ssl.key

port 465

1.2.3.4:smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_cert_file=/home/site1/ssl/ssl.cert -o smtpd_tls_key_file=/home/site1/ssl/ssl.key

It is probably a lot easier to set the mx record to the same single mail server for all virtual hosts, then you just need a cert for a single mail server.
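Whichever way the server is set up, Joe's single mail hostname for everyone or SteveR's per-IP smtpd instances in master.cf, the thing to verify is what certificate each name actually presents on the ports mail clients use. The script below is an added example for this thread (not Virtualmin, Postfix or Dovecot code): it connects by name, so the SNI sent is the name the client would type, keeps chain verification on (so the default self-signed certificate shows up as a verification error), and compares the certificate's subjectAltName entries against that name the way a client does. The hostnames are the thread's constructed ones and stand in for your own; the matching part runs offline, audit_live() needs network access to a real server.

```python
"""Audit which certificate a mail server presents for each name clients type.

Added example for this forum thread; it is not Virtualmin, Postfix or Dovecot code.
Hostnames such as mail3.mydomain.net and mail.one.com are the thread's constructed
placeholders. SAN matching runs offline; audit_live() talks to a real server.
"""
from __future__ import annotations

import smtplib
import socket
import ssl
from typing import Dict, Iterable, List, Tuple

# Ports a typical mail client uses: IMAPS, SMTPS (TLS wrapper mode) and submission with STARTTLS.
MAIL_PORTS: Tuple[Tuple[int, bool], ...] = ((993, False), (465, False), (587, True))


def san_dns_names(cert: dict) -> List[str]:
    """DNS names from a certificate dict in ssl.getpeercert() format."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or '*' as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # "*.one.com" -> ".one.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return first_label != "" and "." not in first_label  # wildcard covers one label only


def uncovered_names(cert: dict, hostnames: Iterable[str]) -> List[str]:
    """Names a client might type that this certificate would NOT validate for."""
    sans = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(p, h) for p in sans)]


def fetch_cert(name: str, port: int, starttls: bool) -> dict:
    """Connect the way a client does (by name, so SNI carries that name) and return the cert.

    The chain is still verified against the system CA store, so a default
    self-signed certificate raises SSLCertVerificationError instead of passing
    silently; only the hostname comparison is done by us, per name.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we compare names ourselves with uncovered_names()
    if starttls:
        with smtplib.SMTP(name, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)  # smtplib sends SNI = the host we connected to
            return smtp.sock.getpeercert()
    with socket.create_connection((name, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            return tls.getpeercert()


def audit_live(names: Iterable[str], ports=MAIL_PORTS) -> Dict[str, str]:
    """Map 'name:port' -> problem description for every endpoint a client would warn about."""
    problems: Dict[str, str] = {}
    for name in names:
        for port, starttls in ports:
            key = f"{name}:{port}"
            try:
                cert = fetch_cert(name, port, starttls)
            except (ssl.SSLError, OSError, smtplib.SMTPException) as exc:
                problems[key] = f"handshake or chain verification failed: {exc}"
                continue
            if uncovered_names(cert, [name]):
                problems[key] = f"certificate names {san_dns_names(cert)} do not include {name}"
    return problems


if __name__ == "__main__":
    # Constructed certificate dict: what "Copy to Postfix" from virtual server two.com presents.
    presented = {"subjectAltName": (("DNS", "two.com"), ("DNS", "www.two.com"), ("DNS", "mail.two.com"))}
    typed = ["mail.two.com", "mail.one.com", "mail3.mydomain.net"]
    print("names clients would get a mismatch warning for:", uncovered_names(presented, typed))
    # audit_live(typed) would do the same against the running server, one name and port at a time.
```

An empty result from audit_live() means every name on every port presented a CA-signed certificate that covers that name; each entry otherwise is exactly the combination a Thunderbird or Outlook user would see a warning for.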

Fri, 05/31/2019 - 15:56
m1ngaa

Does cPanel or Plesk somehow solve this?

Say you host like 20 domains, for all sorts of clients. And you install different certificates for all of them, and they configure their Outlook, or mail client they get a pop up saying their certificate is invalid etc. I'd really like a solution to this. I've been asking a couple of my clients to enter my domain name when configuring their mail client :(

Thanks guys.