Default FQDN domain alias

Discussion in 'General' started by marceloleaes, Feb 12, 2022.

  1. marceloleaes

    marceloleaes New Member

    I would like to create an alias that points to the FQDN configured during installation, but it is not listed in the interface.

    The intention is that there is an alias of the type: --->

    Outlook and other email clients stop issuing alerts that the certificate that is in use in postfix was not issued for the domain.

    Is there a way to do it?
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Usually it is better to not use, but instead all clients have the as mail server in MX record. This forum has old discussions on this.
    It is unclear (at least to me) what exactly you are asking. I assume you are using ISPConfig since you posted on ISPConfig forum. ISPConfig has in EMail tab the email domain alias setting, but maybe what you mean is something else? If what you mean is you want for automatically created MX that points to, that is done with DNS template (in ISPConfig Panel) that includes that setting.
  3. marceloleaes

    marceloleaes New Member

    Hello Taleman
    Let me explain better..
    When isp is installed, one of the last steps is to create the lets encrypt certificate for the right hostname? this one is linked to postfix, proftpd and apache. To configure email clients, start using this address that received the certificate.. in this case

    If I create an entry in a different domain hosted on the same panel for example: and configure it in the email client, I get alert that the server certificate is not the same as the configuration address.

    My idea would be to create a domain alias pointing the new address to

    I believe that this way the email clients will no longer display the alert, but the is not available in the list of domain aliases. This is the doubt, is there a way to list all domains and subdomains including the default.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This has been discussed in various threads already and you should only use the system hostname in your email client settings as @Taleman mentioned and not subdomains of customer domains.
  5. marceloleaes

    marceloleaes New Member

    Thanks for the explanation till
    Is there anything planned so that in the future it will be possible to use multiple certificates based on hosted domains?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Such a configuration would be suitable for very tiny installations only like a corporate mail server with just one or a hand full of domains as your system will potentially break for all clients if one client decides to alter the DNS of his subdomain and point it to a different server as the renewal for all domains in that cert might fail then. That's why most users would not use such a setup anyway. We do not plan to implement that at the moment, it's just to fragile and users will complain when their systems start failing due to that. You can set it up manually by creating a website and adding alias domains and then pointing the system components that you want to use to this SSL cert and key, but be aware that a Let's encrypt cert can contain max 100 (sub) domains. E.g. I had a customer recently who decided to set up SSL as you plan it, he set up a larger multiserver system able to host hundreds of customers, but his services started to fail after he added customer no. 34 due to his SSL cert decision with 3 subdomains per customer domain. He then had to roll back his whole setup, switch to a central mail server name as we propagate it, and then explain to every customer to set up every mailbox again using that name.
  7. marceloleaes

    marceloleaes New Member

    I understand
    My case is the following, it is a panel to serve a group of companies they are from the same main company but the webmail address, logos, have to be from their respective company.
    I'm going to evaluate how to do it through the prompt, what I suggested of just creating an alias domain would suit me in this specific case is that I can't use the email server name in the other companies in the group because there can be no link between them.
    Grateful as always for the prompt attention of friends in answering questions.

    Strong hug
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I guess if they need to use their own domain separate from each other then you should create other email server for each domain. Is that too much hassle?
  9. marceloleaes

    marceloleaes New Member

    Hello ahrasis
    They have a server on the Oracle Cloud.
    There would be additional cost involved to own more machines, and it would also be more work for me to keep them up to date.
  10. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    i thought, with an alias/cname, the connection to the target server is still made using the original requested FQDN, so even with the alias, you would still get a cert warning unless the client domain fqdn is included in the cert.

    the obvious solution to this would be SNI, so each client domain has it's own certificate configured with postfix. unfortunately ispconfig does not support this itself, it can still be done, but you would need to configure it manually outside of ispconfig.

    although this is, i guess, to make client side email configuration easier or fully automatic. in which case another option is the automail plugin by schaal, which allows autoconfiguration of thunderbird, older versions of outlook etc.
    although it seems microsoft made undocumented changes to the protocol, so it doesn't work on the more recent versions of outlook, and i'm not aware of anyone finding a fix to this yet.
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Postfix supports this just for the latest versions, we might add it in future, but most older systems won't be able to use that. But you can use a multidomain SSL certificate on older systems by creating a website in ISPConfig, adding all (sub) domains as alias domains that you want to have in that SSL cert and enable let's encrypt for that site. Then set the symlink for the postfix and dovecot SSL certs to the cert of that site.
    Th0m likes this.

Share This Page