
27th January 2012, 17:01 | Senior Member | Join Date: Sep 2005 | Posts: 1,186 | Thanks: 60 | Thanked 13 Times in 11 Posts
questions about secure email
I run a web and mail server for a few domains, running with ispcfg3 and according to the Perfect Debian Server howto.
Some of the users of a particular domain are using Outlook and no matter what I do they are asked about accepting my self-signed certificate. I tried many solutions to import it into their computers but all fail. They are still being asked about accepting the certificate every time they open Outlook again.
I have now decided to get a proper certificate but am not sure where to start.
1. Any affordable certificate providers you can recommend?
2. Will I need only one certificate for the server or does every domain need its own?
3. If I need only one, will there be problems since every customer accesses their mail via i.e. mail.domain1.com, others via mail.anotherdomain.com, etc.?
Sorry for these basic questions but I didn't find any good starting point via Google to read up on this matter (any links are welcome).

27th January 2012, 17:22 | Super Moderator | Join Date: Apr 2005 | Location: Lüneburg, Germany | Posts: 31,888 | Thanks: 693 | Thanked 4,188 Times in 3,205 Posts

27th January 2012, 17:41 | Senior Member | Join Date: Mar 2011 | Posts: 337 | Thanks: 49 | Thanked 33 Times in 27 Posts
Till, Falko, this is a great howto!!! Very, very, very useful!
I have an ISPConfig multiserver environment. Is it possible to create a certificate for a mail server (Postfix, Courier) and with it give access to every vdomain that accesses the server using its own URL?
For example, people can access the mail server through imap/pop3/smtp.virtualdomain.com.ar.
I think I should generate a certificate for the server mail1.myenterprisedomain.com.ar but I don't know if the certificate could work this way!
Thanks

28th January 2012, 12:42 | Super Moderator | Join Date: Apr 2005 | Location: Lüneburg, Germany | Posts: 41,665 | Thanks: 1,896 | Thanked 2,593 Times in 2,444 Posts
This works only if you get a multi-domain certificate. And each time you want to add a domain you must buy a new cert. So it's better to tell your customers to use a specific hostname for mail or to abandon TLS (or live with certificate warnings).
The Following User Says Thank You to falko For This Useful Post: erosbk (28th January 2012)
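The point made in this answer can be checked with the same name-matching rule mail clients apply. The script below is an added example, not from the thread: it models a single-name certificate next to a multi-domain (SAN) certificate and reports which customer hostnames each one covers (all hostnames are constructed, and `hosting.example` stands in for the server's own hostname).

```python
"""Which of the hostnames customers type into their mail client does a
certificate cover?  Added example, not from the thread; names are constructed
and `hosting.example` stands in for the server's own hostname."""


def name_matches(pattern, hostname):
    """RFC 6125 style match: exact, or a wildcard that replaces only the whole
    leftmost label (*.example.com covers mail.example.com but neither
    example.com nor a.b.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def accepted_names(subject_cn, san_dns_names):
    """Identities a client checks: subjectAltName dNSNames if present, else CN."""
    return list(san_dns_names) if san_dns_names else [subject_cn]


def coverage(subject_cn, san_dns_names, client_hostnames):
    """Map each hostname clients connect to -> True (covered) / False (warning)."""
    names = accepted_names(subject_cn, san_dns_names)
    return {h: any(name_matches(n, h) for n in names) for h in client_hostnames}


# Constructed scenario: one hosting box, customers use mail.<their domain>.
CLIENT_HOSTNAMES = ["mail.domain1.com", "mail.anotherdomain.com",
                    "imap.virtualdomain.com.ar", "mail1.hosting.example"]

# 1) single-name certificate issued for the server's own hostname only
SINGLE = coverage("mail1.hosting.example", [], CLIENT_HOSTNAMES)

# 2) multi-domain (SAN) certificate that lists every customer name as well
MULTI = coverage("mail1.hosting.example",
                 ["mail1.hosting.example", "mail.domain1.com",
                  "mail.anotherdomain.com", "imap.virtualdomain.com.ar"],
                 CLIENT_HOSTNAMES)

if __name__ == "__main__":
    for label, result in (("single-name", SINGLE), ("multi-domain", MULTI)):
        print(label, {h: "ok" if ok else "WARNING" for h, ok in result.items()})
```

Every name that comes out as WARNING in the single-name case is one the customer's client will complain about, which is exactly the Outlook behaviour described in the first post.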

28th January 2012, 14:40 | Senior Member | Join Date: Sep 2005 | Posts: 1,186 | Thanks: 60 | Thanked 13 Times in 11 Posts
@Falko:
I finished reading that tutorial and was just about to ask the same question:
Do you really need to buy a new certificate every time you want to add a new domain to the multi-domain certificate?
I am asking because they actually make you pay for the verification process; the certificates are free but you need to verify your identity for the multi-domain certs.
I'll ask them too if it would be possible to ask for a new free certificate every time I add a domain to my hosting portfolio or not.
If needed I'll get a certificate for my hxxxxx.stratoserver.net and have them all use that for accessing their emails.

29th January 2012, 12:18 | Super Moderator | Join Date: Apr 2005 | Location: Lüneburg, Germany | Posts: 41,665 | Thanks: 1,896 | Thanked 2,593 Times in 2,444 Posts
Quote (Originally Posted by Ovidiu):
Do you really need to buy a new certificate every time you want to add a new domain to the multi-domain certificate?
I am asking because they actually make you pay for the verification process, the certificates are free but you need to verify your identity for the multi domain certs.

If you use StartSSL, I think you are right - you pay for verification once, and then you can get as many certs as you need for free within 350 days. But other CAs will make you pay for each new cert.

30th January 2012, 13:43 | Senior Member | Join Date: Sep 2005 | Posts: 1,186 | Thanks: 60 | Thanked 13 Times in 11 Posts
Just double checking:
this field: Common Name (eg, YOUR name) []: <-- example.com
needs to be filled with i.e. h187xxxx.stratoserver.net, right?

30th January 2012, 17:34 | Senior Member | Join Date: Sep 2005 | Posts: 1,186 | Thanks: 60 | Thanked 13 Times in 11 Posts
I have hit another, bigger problem:
To get my certificate from startssl.com I need to verify ownership of the domains I want to get a certificate for, but unfortunately most root server providers assign you a default name within their domain, mine is i.e. hxxxxxxx.stratoserver.net, and startssl.com only offers validation for domains, not subdomains.
They say you could get a certain paper signed by the domain owner and then come back, but that would be quite a difficult process and I am not sure if Strato will comply.
What other solutions are there? I.e. getting a spare domain just for "naming" my server? Would that do? But I guess then I need to change not only the hostname but a lot of other services' configuration, right?

31st January 2012, 13:04 | Super Moderator | Join Date: Apr 2005 | Location: Lüneburg, Germany | Posts: 41,665 | Thanks: 1,896 | Thanked 2,593 Times in 2,444 Posts
Quote (Originally Posted by Ovidiu):
needs to be filled with i.e. h187xxxx.stratoserver.net right?

Right.

Quote (Originally Posted by Ovidiu):
i.e. getting a spare domain just for "naming" my server? Would that do? But I guess then I need to change not only the hostname but a lot of other services' configuration, right?

Use one of your own domains for your hostnames and services. You are right, you will have to reconfigure some services, e.g. your server's hostname, Postfix, etc.

31st January 2012, 15:55 | Senior Member | Join Date: Sep 2005 | Posts: 1,186 | Thanks: 60 | Thanked 13 Times in 11 Posts
I have a huge problem right now:
I simply ignored h1870666.stratoserver.net, my hostname given by Strato, and created a certificate for all other domains I am using, since I thought I wouldn't use h1870666.stratoserver.net.
I followed the startssl tutorial linked above by Till and now Postfix keeps complaining the whole time.
I found the comment on that tutorial: http://www.howtoforge.com/securing-y...#comment-31033 but even with that correction Postfix keeps complaining:
Quote:
van 31 15:47:01 h1870666 postfix/smtpd[4854]: warning: TLS library problem: 4854:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:722:

Is this easily fixable? Is it because I simply ignored the existence of h1870666.stratoserver.net?
The point is that everyone using mail and TLS is using mail.theirdomain.tld to retrieve, so I assumed h187066.... wouldn't need a certificate itself.
Any hints? Quickest way to restore everything?
If it's a bigger problem, I'd pay to get it solved.
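In OpenSSL, the "system lib" reason attached to SSL_CTX_use_certificate_chain_file is raised when the library cannot open the file at all, before any certificate content is parsed, so the first thing to verify is the path and readability of the file named in smtpd_tls_cert_file. The checker below is an added example, not from the thread or the tutorial: it reports that condition separately from a file that opens but is not PEM, and also flags a private key readable by group or other (the `demo()` function writes constructed fake PEM bodies into a temp directory; no real key material is involved).

```python
"""Check that the files Postfix reads via smtpd_tls_cert_file and
smtpd_tls_key_file can be opened and have the PEM layout OpenSSL expects.
Added example, not from the thread; demo() writes fake PEM bodies to a temp dir."""
import os
import re
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def pem_types(path):
    """Return the BEGIN labels of the PEM blocks in a file, in order."""
    with open(path) as fh:
        return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]


def check_tls_files(cert_file, key_file):
    """Return a list of problems; an empty list means the files look loadable."""
    problems = []
    for path in (cert_file, key_file):
        if not (os.path.isfile(path) and os.access(path, os.R_OK)):
            # the condition behind OpenSSL's "system lib" reason: fopen() failed
            problems.append(f"{path}: cannot be opened")
    if problems:
        return problems
    types = pem_types(cert_file)
    if not types or types[0] != "CERTIFICATE":
        problems.append(f"{cert_file}: first PEM block must be the server "
                        f"CERTIFICATE, found {types or 'no PEM block'}")
    if not any("PRIVATE KEY" in t for t in pem_types(key_file)):
        problems.append(f"{key_file}: no PRIVATE KEY block")
    if os.stat(key_file).st_mode & 0o077:  # group/other permission bits set
        problems.append(f"{key_file}: private key is readable by group/other")
    return problems


def demo(case="ok"):
    """Run the check on constructed files (fake PEM bodies, not real keys)."""
    root = tempfile.mkdtemp()
    cert, key = os.path.join(root, "smtpd.cert"), os.path.join(root, "smtpd.key")
    cert_pem = "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
    key_pem = "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n"
    if case != "missing":  # "missing" reproduces the "system lib" condition
        with open(cert, "w") as fh:
            fh.write(cert_pem if case == "ok" else "not a PEM file\n")
    with open(key, "w") as fh:
        fh.write(key_pem)
    os.chmod(key, 0o600)
    return check_tls_files(cert, key)
```

On a live server, pass the values of `postconf smtpd_tls_cert_file` and `postconf smtpd_tls_key_file` to `check_tls_files()`; whether the certificate's names match what clients connect to is a separate question from whether Postfix can load it.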