Email domain SSL certificate

Discussion in 'Installation/Configuration' started by TheRightClick, Nov 9, 2020.

  1. TheRightClick

    TheRightClick New Member

    I have a server running Debian 10 (Buster), Postfix, and ISPConfig 3.2. The common issues check returns that all is good.
    I am trying to set up an email domain along with an email address for a domain not hosted on this server.
    Let's say the domain is library.example. I've got MX example -> library.example and A library.example -> 123.123.123.123
    I've also added a website via ISPConfig and enabled Letsencrypt for it. Visiting library.example. brings up the default site index secured normally over https.
    I've added an mail domain and an email mailbox no-reply[at]library.example
    When I go and set up Thunderbird using the credentials I entered, I see the normal "Welcome to your new email account" in my Inbox but when I try to send a test email I get a warning that the location library.example:587 is trying to identify itself with invalid information because Postfix is presenting the server certificate that ISPConfig generated.
    I've tried removing and re-adding the mail domain several times etc, each time I get the same behavior. This problem does not appear for any of the other sites that I host (proper websites and mail domains) on the same server.
    Any ideas how I can fix this?

    Thanks in advance,
    Jim
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    My signature has link to e-mail setup on ISPConfig.
     
  4. TheRightClick

    TheRightClick New Member

    Th0m, I read that thread while researching a solution but I had concerns about practicality since for every domain that I'm currently hosting and for every domain that will be added in the future I'd have to add an alias.

    What I was going for was something along the lines of lxadm.[com]/Postfix_and_multiple_SSL_certificates since then, if I'm not mistaken, all the mail.site.com domains would be able to use their Letsencrypt cert instead of the server cert. Would that be correct? Perhaps a feature requesst should be added?
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should not add those domains as alias. Let your clients connect to mail.yourcompany.com instead of mail.clientdomain.com. This is the best way to do this.

    There is a request for Dovecot: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3794
     
    TonyG and ahrasis like this.
  6. ahrasis

    ahrasis Well-Known Member

    Agreed. The use of mail.clientdomain.tld should be considered as a premium service due to considerable amount of its setting and maintenance.
     
  7. TheRightClick

    TheRightClick New Member

    I'd be willing to devote developer resources towards this (and Postfix) if I could get a few pointers about how to proceed. I've got a good developer team but Dovecot/Postfix is not their specialty. Could we work out a spec?
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Read more about SNI for Postfix and dovecot, for example:
    http://www.postfix.org/postconf.5.html#tls_server_sni_maps
    https://doc.dovecot.org/configurati...client-tls-sni-server-name-indication-support

    @Jesse Norell might have some pointers aswell.

    Still, I don't recommend using this but use mail.hostingdomain.com instead where possible. If you are implementing this, I would make it selectable per domain, so not every domain is added.
     

Share This Page