Virtualmin - Let's Encrypt SSL - Postfix - Dovecot - Multiple Domain Setup

12 posts / 0 new
Last post
#1 Fri, 08/25/2017 - 16:54
samrich

Virtualmin - Let's Encrypt SSL - Postfix - Dovecot - Multiple Domain Setup

So, things are getting really confusing around how Multiple domains should be setup with SSL from Let's Encrypt.

My setup:

Single IP Address: 192.123.122.121 <----not actual
OS: CentOS Linux 7.3.1611
Webmin: 1.851
Virtualmin: 6.00
Apache: 2.4.6
Postfix and Dovecot

For the sake of this post we can assume the following:

System Hostname: server3.mydomain.com

Virtual Servers and Alias:

mydomain.net
-> mail.mydomain.net
mydomain.com
-> mail.mydomain.com
one.com
-> mail.one.com
two.com
-> mail.two.com
three.com
-> mail.three.com

DNS is provided by datacenter and is setup correctly.

So, what I have been doing is after the virtual server and alias have been created, I select the virtual server from the dropdown in Virtualmin then:

Server Configuration -> Manage SSL Certificate -> Let's Encrypt

Then under "Request certificate for" I select the "Domain names listed here" and fill in the following:

one.com
www.one.com
mail.one.com

Then I click the "Request Certificate" button. Let's Encrypt gives the certificate and now HTTPS works. So, then I try email and I cannot send messages because of the SSL cert not matching.

So here are my questions:

1.) Can I use the "Manage SSL Certificate" to request each domain's certificates?

2.) Do the mail Aliases all need to be on one Certificate? If yes, which domain should they go under?

3.) At any point should I ever click either the "Copy to Dovecot" or "Copy to Postfix" buttons after getting the Let's Encrypt certificate for a domain?

4.) In the off chance that I click the "Copy to Postfix" or "Copy to Dovecot" button is there a way to undo that?

My goal is to have HTTP traffic all go HTTPS (which is working) and have email both incoming and outgoing over SSL.

Thanks for any help!

Sat, 08/26/2017 - 08:52
Joe
Joe's picture

1.) Can I use the "Manage SSL Certificate" to request each domain's certificates?

What do you mean by "each domain"? Obviously, you can request certificates for every domain your server hosts, so I guess that's not what you're asking...but, I can't quite figure out what you're trying to accomplish.

2.) Do the mail Aliases all need to be on one Certificate? If yes, which domain should the go under?

I'd recommend not directing your users to a bunch of different names. Pick a central one for mail, and use that for everyone, no matter what domain they're in. It'll reduce the complexity of your deployment remarkably.

AFAIK, SMTP and IMAPS/POPS have no mechanism for selecting a certificate based on hostname (e.g. they can't have a bunch of certificates...just the one), so yes, any domain name you'll be connecting to SMTP and IMAPS/POPS with will need to have the same certificate that covers all of the names you'll be connecting with.

2.) At any point should I ever click either the "Copy to Dovecot" or "Copy to Postfix" buttons after getting the Let's Encrypt certificate for a domain?

Yes. That's how a certificate is installed for use by mail services. Until you click that, you'll be using the default self-signed certificates (which should work, but will generate a warning when you connect and won't have any domain names associated with them except the name of the host).

3.) In the off chance that I click the "Copy to Postfix" or "Copy to Dovecot" button is there a way to undo that?

Not automatically, no. You could back them up manually before-hand. But, you shouldn't need to. A self-signed certificate has no value...don't worry about replacing it.

--

Check out the forum guidelines!

Mon, 08/28/2017 - 15:53 (Reply to #4)
samrich

Joe,

Thanks for the reply. I missed the reply button to your comment and realized that I had just posted a new comment. Wanted to make sure you saw my new comment on this post.

Mon, 08/28/2017 - 13:26
samrich

Joe,

Thanks for your responses and help. Once I figure this out, I'm going to upload a How To to this forum. Anyways, here's my new comments:

1.) Can I use the "Manage SSL Certificate" to request each domain's certificates?

Joe: What do you mean by "each domain"? Obviously, you can request certificates for every domain your server hosts, so I guess that's not what you're asking...but, I can't quite figure out what you're trying to accomplish.

Samrich: So I would love to have all of my customers be able to access their mail on secure ports using SSL. Idealy the incoming and outgoing servers for each customer would be mail.customerdomain.com where "customerdomain" their actual domain name. I originally thought "Manage SSL Certificate" would be able to do all of this using Let's Encrypt but that hasn't been the case. HTTP/HTTPS works great but I'm struggling with mail.

2.) Do the mail Aliases all need to be on one Certificate? If yes, which domain should they go under?

Joe: I'd recommend not directing your users to a bunch of different names. Pick a central one for mail, and use that for everyone, no matter what domain they're in. It'll reduce the complexity of your deployment remarkably.

AFAIK, SMTP and IMAPS/POPS have no mechanism for selecting a certificate based on hostname (e.g. they can't have a bunch of certificates...just the one), so yes, any domain name you'll be connecting to SMTP and IMAPS/POPS with will need to have the same certificate that covers all of the names you'll be connecting with.

Samrich: So your first part above sounds good. So I would have everyone use something like:
Incoming Mail Server: mail3.mydomain.net
Outgoing Mail Server: mail3.mydomain.net
This would be used instead of: mail.customerdomain.com where "customerdomain" is what ever my customer's actual domain name is? Would this cause black list problems as mail for a customer's domain would now be coming from mydomain.net and the sending email account would not match the sending server domain?

So your second part, then how would I go about requesting the SSL certificate from Let's Encrypt with all of the customer domains? Altering my steps in the original post, I would only get an SSL certificate for customerdomain.com and www.customerdomain.com for customer domains and then for the email server mydomain.net account I would add mail.customerdomain.com for each of my customers in the "Domain names listed here" field.

3.) At any point should I ever click either the "Copy to Dovecot" or "Copy to Postfix" buttons after getting the Let's Encrypt certificate for a domain?

Joe: Yes. That's how a certificate is installed for use by mail services. Until you click that, you'll be using the default self-signed certificates (which should work, but will generate a warning when you connect and won't have any domain names associated with them except the name of the host).

Samrich: So, I've noticed that in Webmin -> Servers -> Dovecot IMAP/POP3 Server -> Edit Config Files then on about line 104 I see the following list:

local_name mail3.mydomain.net {
  ssl_cert = </home/mydomnet/domains/mail3.mydomain.net/ssl.cert
  ssl_key = </home/mydomnet/domains/mail3.mydomain.net/ssl.key
}
local_name www.mail3.mydomain.net {
  ssl_cert = </home/mydomnet/domains/mail3.mydomain.net/ssl.cert
  ssl_key = </home/mydomnet/domains/mail3.mydomain.net/ssl.key
}
local_name mydomain.com {
  ssl_cert = </home/mydomcom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
local_name www.mydomain.com {
  ssl_cert = </home/mydomcom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
local_name mail.mydomain.com {
  ssl_cert = </home/mydomcom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
local_name one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
local_name www.one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
local_name mail.one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
local_name two.com {
  ssl_cert = </home/twocom/ssl.cert
  ssl_key = </home/twocom/ssl.key
}
local_name www.two.com {
  ssl_cert = </home/twocom/ssl.cert
  ssl_key = </home/twocom/ssl.key
}
local_name mail.two.com {
  ssl_cert = </home/twocom/ssl.cert
  ssl_key = </home/twocom/ssl.key
}
local_name three.com {
  ssl_cert = </home/threecom/ssl.cert
  ssl_key = </home/threecom/ssl.key
}
local_name www.three.com {
  ssl_cert = </home/threecom/ssl.cert
  ssl_key = </home/threecom/ssl.key
}
local_name mail.three.com {
  ssl_cert = </home/threecom/ssl.cert
  ssl_key = </home/threecom/ssl.key
}

It looks like Dovecot might be using the individual SSL certificates for each of the domains. Now for Postfix, I do not get the same results. If I press the "Copy to Postfix" button, for virtual server two.com then Postfix uses that SSL certificate for all accounts. Then I get an error message in the mail client (ie: thunderbird, outlook, etc.) that the certificate is for the wrong site.

4.) In the off chance that I click the "Copy to Postfix" or "Copy to Dovecot" button is there a way to undo that?

Joe: Not automatically, no. You could back them up manually before-hand. But, you shouldn't need to. A self-signed certificate has no value...don't worry about replacing it.

Samrich: Ok.

Fri, 08/30/2019 - 09:04 (Reply to #7)
Gashumba

I would have hoped for an answer to samrich's question because this is the thing that irks the most when it comes to customers' email settings.

Wed, 04/24/2019 - 04:11
Hans

"...for Postfix, I do not get the same results. If I press the "Copy to Postfix" button, for virtual server two.com then Postfix uses that SSL certificate for all accounts. Then I get an error message in the mail client (ie: thunderbird, outlook, etc.) that the certificate is for the wrong site."

I ran into the exact same problem: when I generate an ssl cert for one host and add it to postfix, ALL other virtualmin hosts use this single cert for sending mail, i.e. postfix/smtp via ssl.

Have you been able to solve this, Sam? Cheers

Fri, 05/24/2019 - 13:33
SteveR

Hans, With Postfix I only got this to work for virtual servers if they had separate ip addresses, and you have to manually edit /etc/postfix/master.cf and use server dependent mapping to bind the ip addresses, it is quite a painful process to get it working correctly e.g. in master.cf

1:2:3:4:smtp inet n - n - - smtpd -o smtpd_tls_cert_file=/home/site1/ssl/ssl.cert -o smtpd_tls_key_file=/home/site1/ssl/ssl.key

port 465

1:2:3:4:smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_cert_file=/home/site1/ssl/ssl.cert -o smtpd_tls_key_file=/home/site1/ssl/ssl.key

It is probably a lot easier to set the mx record to the same single mail server for all virtual hosts, then you just need a cert for a single mail server.

Fri, 05/31/2019 - 15:56
m1ngaa
m1ngaa's picture

Does cPanel or Plesk somehow solve this?

Say you host like 20 domains, for all sorts of clients. And you install different certificates for all of them, and they configure their Outlook, or mail client they get a pop up saying their certificate is invalid etc. I'd really like a solution to this. I've been asking a couple of my clients to enter my domain name when configuring their mail client :(

Thanks guys.

Thu, 10/17/2019 - 16:24
netfuel

Is there a solution to this other than giving customers the root/main domain as send/receive detail?

netfuel

Fri, 10/18/2019 - 03:18
adamjedgar

what i would like to know...

  1. why can virtual servers have their own SSL for web but not for mail?

  2. Is there an alternative to Postfix that can provide each Virtualmin>Virtual Server/domain with its own SSL in an environment where multiple domains are being hosted on a single server with 1 IP address?

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au

Fri, 10/18/2019 - 05:16
Jfro

Don't know if / when postfix support SNI on one ip. ( BUT EVEN if, you're probable stucked with the VERSION of/in your OS repo)

With seperate IP's it is possible for long time to have separate SSL per domain also for mail.

Don't know why one want that ( SNI mail on ONE IP and then cerst for mail per domain i mean here) if you hav a real only one emailserver postfix.... Why not use this postfix as it was made for?

IS the most easy way , set mx record as it should , teach your users how to config their mail und fertig.

https://community.letsencrypt.org/t/many-le-ssl-certs-assigned-to-postfi... read #5 here to

https://www.virtualmin.com/node/57366

You might consider replacing Postfix with Exim, which does support SNI and is deployed widely to take advantage or something with proxy hmm

K.I.S. keep it simple.... haha joking.

Your Custommers could pay little more and have own ip per domain that solves this problem to. You can go for domain / mail IPv6 only?

Better a lot of hosters offer much better mailsupport with external configured mailservers only for all thier hosting packages, they do serveradmin for that box , and some more advantages.

Also having own mailserver is more risks to get on blacklist with your server ip if not doing things well, using php mailform wrong, using forwarders wrong and so on.

Tue, 11/26/2019 - 05:10
Hans

Let's Encrypt SSL cert just auto-updated (good! :) but clients call, complaining their access to POP and IMAP is f'ed up :(bad!)

Isn't there any way to separate Apache ssl (different for each Domain) from Postfix ssl (apparently ONE for the entire server)?

Customers on macOS cannot even fix/update the new certs in Apple Mail and have to erase the entire Mailbox and set up a new one in order to get things back to work w. the new cert, every 3 months?

Cheers