How do you configure your email certs?

Discussion in 'Installation/Configuration' started by SamTzu, Sep 20, 2018.

  1. SamTzu

    SamTzu Active Member

    I'm curious. How do you guys do it? How do you keep your email certs straight?
    This is how I'm doing it now on mf1 server...

    [email protected]:~# ls -ahl /etc/postfix/smtpd.*
    lrwxrwxrwx 1 root root 48 Sep 5 07:44 /etc/postfix/smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    lrwxrwxrwx 1 root root 48 Sep 5 07:44 /etc/postfix/smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key

    [email protected]:~# ls -hla /usr/local/ispconfig/interface/ssl/ispserver.*
    lrwxrwxrwx 1 root root 46 Aug 30 09:20 /usr/local/ispconfig/interface/ssl/ispserver.crt -> /etc/letsencrypt/live/mf1.ic4.eu/fullchain.pem
    -rwxr-x--- 1 root root 1.7K Aug 30 08:59 /usr/local/ispconfig/interface/ssl/ispserver.csr
    lrwxrwxrwx 1 root root 44 Aug 30 09:20 /usr/local/ispconfig/interface/ssl/ispserver.key -> /etc/letsencrypt/live/mf1.ic4.eu/privkey.pem

    PS. If I add a website alias to the mf1 website, does that also work for the Postfix/Dovecot cert?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Looks fine to me. What's important is that you use symlinks instead of editing the paths in postfix/dovecot config files.

    Yes, that should work as well.
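
Both posts above rely on a chain of symlinks (Postfix file -> ISPConfig's ispserver.* -> certbot's live/ -> certbot's archive/) rather than on edited paths, and a chain like that only stays "straight" if every hop is checked after each renewal or re-issue. The script below is an added example, not code from the thread or from ISPConfig: it follows every hop with readlink -f and checks that the cert really is fullchain.pem and the key privkey.pem, that both stay under the certbot directory, that both come from the same lineage directory and the same certbot issuance number, and that the key is not world-readable. The function names, the OK/FAIL output and the --run switch are my own; the paths are the ones from the first post.

```shell
#!/bin/sh
# Added example (not from the thread or from ISPConfig): audit the symlink chain
#   /etc/postfix/smtpd.cert -> .../ispserver.crt -> /etc/letsencrypt/live/<name>/fullchain.pem
#   /etc/postfix/smtpd.key  -> .../ispserver.key -> /etc/letsencrypt/live/<name>/privkey.pem
# certbot keeps live/<name>/*.pem as symlinks into archive/<name>/fullchainN.pem and
# privkeyN.pem, so every hop is followed with readlink -f (GNU/busybox) and the final
# targets are compared.  Paths are parameters so the function can run against a scratch tree.

# check LABEL CMD ARGS...: run CMD as a predicate, print OK/FAIL, remember failures in $rc
check() {
    label=$1
    shift
    if "$@"; then
        echo "OK   $label"
    else
        echo "FAIL $label"
        rc=1
    fi
}

# under ROOT PATH: true if PATH lies inside ROOT
under() {
    case $2 in
        "$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# matches PATTERN STRING: true if STRING matches the shell glob PATTERN
matches() {
    case $2 in
        $1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mail_certs CERT_LINK KEY_LINK LE_ROOT: returns 0 only if every check passes
audit_mail_certs() {
    rc=0
    cert=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    key=$(readlink -f "$2" 2>/dev/null || printf '%s' "$2")
    le_root=$(readlink -f "$3" 2>/dev/null || printf '%s' "$3")

    # issuance number N from archive/<name>/fullchainN.pem / privkeyN.pem (empty if not from archive/)
    cn=${cert##*/}; cn=${cn#fullchain}; cn=${cn%.pem}
    kn=${key##*/};  kn=${kn#privkey};   kn=${kn%.pem}
    # GNU/busybox stat; a missing key yields an impossible mode so the check fails loudly
    mode=$(stat -c %a "$key" 2>/dev/null || echo 777)

    check "cert link resolves to a regular file: $cert"     test -f "$cert"
    check "key link resolves to a regular file: $key"       test -f "$key"
    check "cert is managed by certbot under $le_root"       under "$le_root" "$cert"
    check "key is managed by certbot under $le_root"        under "$le_root" "$key"
    check "cert is the full chain, not a bare cert.pem"     matches 'fullchain*.pem' "${cert##*/}"
    check "key is a certbot private key file"               matches 'privkey*.pem' "${key##*/}"
    check "cert and key live in the same lineage directory" test "${cert%/*}" = "${key%/*}"
    check "cert and key are the same issuance (#${cn:-none})" test "$cn" = "$kn"
    check "private key is not world-readable (mode $mode)"  matches '*0' "$mode"
    return $rc
}

# On a real host (as root): audit the thread's Postfix paths.
if [ "${1:-}" = "--run" ]; then
    audit_mail_certs /etc/postfix/smtpd.cert /etc/postfix/smtpd.key /etc/letsencrypt
fi
```

Run it as `sh audit.sh --run` after every renewal; if Dovecot is not pointed at the same two files, repeat it for whatever `postconf smtpd_tls_cert_file smtpd_tls_key_file` and `doveconf ssl_cert ssl_key` report. It deliberately checks only the file plumbing; which hostnames the certificate actually covers is shown by `openssl x509 -in /etc/postfix/smtpd.cert -noout -text | grep -A1 'Subject Alternative Name'`.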
     
  3. ahrasis

    ahrasis Well-Known Member

    As confirmed by @till, it should work, that is, after you disable, save, re-enable and save the Let's Encrypt box in mf1, so that the original certs are expanded to cover the new website as well.

    For a multi-server setup, if you intend to scp or resync the certs folder to the mail server, it may be good to rename the copied /etc/letsencrypt/live/mf1.ic4.eu on the mail server to /etc/letsencrypt/live/mail.ic4.eu, or symlink to it, after you are done.

    However, note that if your mail website uses the mail server FQDN but is on a different public IP from mf1, then creating an alias website on mf1 as described above may not work.

    One idea I have not tested to fix that is to add both public IPs to the mail server FQDN's A records, e.g. mail.ic4.eu. Again, this solution is not tested, but in theory it is likely to work, as a safe failover on one IP supposedly goes to the other IP in its A records.
     
  4. maverickws

    maverickws New Member

    I have different domains for SMTP and IMAP. What I do is create a symlink directly to the live folder of Let's Encrypt, at /etc/letsencrypt/live/domain.name

    smtpd.cert -> cert.pem
    smtpd.key -> privacy.pem
     
  5. SamTzu

    SamTzu Active Member

    I was wondering why the certs for alias sites did not seem to work.
    Thx 4 the tip Ahrasis.
     
  6. SamTzu

    SamTzu Active Member

    PS. When I temporarily removed Let's Encrypt, I of course lost the ISPC cert and had to use the IP to get it back.
     
  7. ahrasis

    ahrasis Well-Known Member

    Actually, you should not lose the ISPC certs if they are symlinked to its FQDN's LE certs, as disabling and saving the LE box for mf1 supposedly won't remove the LE certs or their symlinks at all, because it only deactivates LE SSL for its website on port 443, but not on port 8080, unless you use your ISPConfig on port 443 with its hostname FQDN instead.
     
  8. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    This works for Dovecot but not for Postfix. Postfix does not support SNI.
     
  9. SamTzu

    SamTzu Active Member

    Maybe the smart move here would be to symlink only the Dovecot certs with the Let's Encrypt files?
    Though I have not noticed any problems with Postfix using the certs that come with the Alias domains.
     
  10. ahrasis

    ahrasis Well-Known Member

    I think the LE certs created via alias domains are considered SAN certs, thus it should work with no problem.
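
As an added example, not from the thread or from ISPConfig's own templates, here are the two ways the last posts touch on for serving more than one hostname, written out as configuration. Option A is what the alias-domain route produces: one Let's Encrypt certificate whose SAN list carries every name, so no SNI is needed and it works with the Postfix of 2018. Option B is per-name certificates selected by SNI: Dovecot has done this with local_name blocks since 2.2, and Postfix gained it in 3.4 (February 2019) with tls_server_sni_maps, which did not exist when florian030 wrote his post. The hostnames are the thread's; the sni_maps file name, the conf.d/10-ssl.conf location and the assumption that Dovecot is pointed at the same /etc/postfix/smtpd.* files are mine.

```text
# --- Option A: one SAN certificate (works with any Postfix/Dovecot version) ---
# The links must end at the fullchain/privkey of a certificate whose SAN list
# carries both mf1.ic4.eu and mail.ic4.eu, which is what the alias domain on the
# mf1 website makes ISPConfig request.

# /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file  = /etc/postfix/smtpd.key

# /etc/dovecot/conf.d/10-ssl.conf (assumed location; '<' makes Dovecot read the file)
ssl_cert = </etc/postfix/smtpd.cert
ssl_key  = </etc/postfix/smtpd.key

# --- Option B: one certificate per name, chosen by SNI ---

# /etc/postfix/main.cf (Postfix 3.4 or later)
# Default key + chain, used when the client sends no SNI name (many MTAs do not).
# main.cf has no trailing comments; continuation lines start with whitespace.
smtpd_tls_chain_files =
    /etc/letsencrypt/live/mf1.ic4.eu/privkey.pem,
    /etc/letsencrypt/live/mf1.ic4.eu/fullchain.pem
tls_server_sni_maps = hash:/etc/postfix/sni_maps

# /etc/postfix/sni_maps  (assumed file name): SNI name, then key file, then chain file
mf1.ic4.eu   /etc/letsencrypt/live/mf1.ic4.eu/privkey.pem  /etc/letsencrypt/live/mf1.ic4.eu/fullchain.pem
mail.ic4.eu  /etc/letsencrypt/live/mail.ic4.eu/privkey.pem /etc/letsencrypt/live/mail.ic4.eu/fullchain.pem
# Build the table with the -F flag, which copies the file CONTENTS into the .db:
#   postmap -F hash:/etc/postfix/sni_maps && postfix reload

# /etc/dovecot/conf.d/10-ssl.conf (Dovecot 2.2 or later)
ssl_cert = </etc/letsencrypt/live/mf1.ic4.eu/fullchain.pem
ssl_key  = </etc/letsencrypt/live/mf1.ic4.eu/privkey.pem
local_name mail.ic4.eu {
  ssl_cert = </etc/letsencrypt/live/mail.ic4.eu/fullchain.pem
  ssl_key  = </etc/letsencrypt/live/mail.ic4.eu/privkey.pem
}
```

Two caveats on Option B. Because `postmap -F` stores the PEM contents rather than the paths, the symlink trick from the first post no longer keeps Postfix current by itself: the postmap and reload have to be repeated after every renewal (a certbot `--deploy-hook` is the usual place). And STARTTLS clients that send no SNI, which includes plenty of sending MTAs, get only the smtpd_tls_chain_files certificate, so that one should still carry every name you expect such clients to verify. Either option can be checked from outside with `openssl s_client -connect mf1.ic4.eu:25 -starttls smtp -servername mail.ic4.eu </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'`, which shows the certificate actually presented for that name.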
     
