How to support secure email for every domain? TLS or SSL

#1 Sat, 12/07/2019 - 01:46
dakser

Hi, currently the server can use the SSL cert to secure connections for dovecot or postfix, but having several domains I receive complaints from users that Outlook or any email client alerts that the connection may be insecure because the cert of the server doesn't match the domain of the email. Is there any way to solve this? Thanks in advance.

Sat, 12/07/2019 - 02:54
adamjedgar

My understanding is that's because your clients are using "shared" hosting (i.e. all virtual servers/domains on your system are sharing one IP address... the one your server uses).

Postfix cannot handle multiple SSL certificates on a single IP address, so all of the users' domain email accounts are trying to use the SSL that belongs to your webserver/mail server itself.

I think this means they need to alter their DNS records and also email client app setup to avoid this.

In my setup I use the following for client DNS and apps

DNS
clientdomain.com A record <myserver ip address>

clientdomain.com MX record host.mydomain.com (as shown when logged in as root in Virtualmin>dashboard>system hostname)

Client email apps (let's say my host.fqdn is web1.adamshosting.com)

"START TLS"

Incoming mail server: web1.adamshosting.com SMTP Port=587
Outgoing mail server: web1.adamshosting.com IMAP port = 143

or just plain "SSL"

incoming mail server= web1.adamshosting.com SMTP port = 465
Outgoing mail server= web1.adamshosting.com IMAP port = 993


I think if you are still getting warnings, perhaps clients need to purchase their own IP addresses for their virtual server, then they can copy their Let's Encrypt SSL certs to Postfix.

BTW, I have found that one should not try to copy every virtual server's SSL cert to Postfix. For me, doing this overwrites my server's own SSL for Postfix (at least that's what I think it does). Then clients' email starts trying to use whichever SSL cert was most recently copied to Postfix. The DNS MX records are now all over the place because client DNS MX records are pointing at your server itself, but your email SMTP server (Postfix) is returning Postfix SSL certificates for the wrong domain and not your host system that Postfix runs on (the one you most recently copied from a new client's virtual server).

I believe that you should only copy 1 certificate to Postfix... your Webmin one for the server itself, unless you have multiple IP addresses on your system (perhaps someone else can clarify this)

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin

https://ajecreative.com.au
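
Added example, not part of the posts above: a small Python audit that predicts which mail domains will trigger the client warning described in this thread, by comparing the server name each client is configured with against the DNS names in the mail server's certificate. The hostnames `mail.clientdomain.com` and `otherclient.example` and the sample certificate names are constructed for illustration; `fetch_sans` is an optional helper for reading the names from a live IMAPS service.

```python
import socket
import ssl

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and must not sit directly on a TLD.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def audit(cert_sans, client_settings):
    """Return {mail domain: bool}; False means the mail client will warn."""
    return {domain: any(name_matches(s, server) for s in cert_sans)
            for domain, server in client_settings.items()}

def fetch_sans(host: str, port: int = 993, timeout: float = 5.0):
    """Read the DNS SANs from a live implicit-TLS service (IMAPS by default)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared by audit()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed sample data: the certificate only names the host itself.
SERVER_CERT_SANS = ["web1.adamshosting.com"]
CLIENT_SETTINGS = {
    "clientdomain.com": "mail.clientdomain.com",        # client used its own domain
    "otherclient.example": "web1.adamshosting.com",     # client used the host FQDN
}

if __name__ == "__main__":
    for domain, ok in audit(SERVER_CERT_SANS, CLIENT_SETTINGS).items():
        print(f"{domain}: {'ok' if ok else 'certificate name mismatch warning'}")
```
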