ISPConfig 3 - share host certificate with mail domains?

Discussion in 'General' started by meursault, Nov 21, 2020.

  1. meursault

    meursault New Member

    I have an ISPConfig instance with multiple domain aliases set for mail.clientdomain.com of every one of my clients' domains to point to my host domain (host.mydomain.com) in order to share the Let's Encrypt certificate of the host with all these mail domains (they go in the SAN field of the certificate).

    I haven't found a better way to do this with ISPConfig. Is there?

    My problem is, however, that for every new client, I must configure a domain alias like that for their mail.clientdomain.com to point to my host domain and then restart the postfix and dovecot services so they can load the newly generated LE certificate with the new client's domain included in the SAN field.

    If there isn't a better way to provide my host certificate for every client's mail domain, is there at least a way to automate this, i.e. auto-add a new domain alias upon addition of a new site in ISPConfig and auto restart both mail servers?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Take a look at https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/

    Automatically adding the alias could be done by writing an API script. But I recommend using smtp.example.com and imap.example.com and having clients connect to that instead of their own domain. At a certain point you reach the maximum of alias domains for the cert, and clients can see who's hosted by you if they look at the cert details, which is unprofessional imo.
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The preferred way is as said by @Th0m, i.e. always connect via the server's domain(s), not the client's domain(s); that way it will be easy to set up and maintain.

    Adding client's domain should only be provided as a premium service for the hassle that you'll be facing in setup and maintenance.

    This is where the ISPConfig multiserver setup becomes very useful and powerful in managing such a premium setup.
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    One solution would be to create a server plugin. You would have to decide what event it fires on, e.g. when you add a DNS zone, or when you add a mail domain. You need to have DNS set up and answering before requesting the certificate to be set up, so you might need to queue the job or sleep a bit and maybe test DNS.

    Another option could be to query what mail domains there are from a cronjob, test DNS for those, and request a certificate with all the names which are currently set up. That would eliminate queuing the task for later, but would also have more of a delay in the certificate being set up.

    As noted, there is a limit on the number of domains per certificate, as well as various request limits that you wouldn't want to hit with your automated requests.
     
    Th0m likes this.
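    The cronjob approach described above, as an added example that is not code from the thread or from ISPConfig: it checks that each mail.&lt;domain&gt; name already resolves to the same addresses as the host before including it, caps the name list at the 100 names Let's Encrypt allows per certificate, and builds one certbot command for the ready names. The host name, client domains, sample DNS data and the webroot path are all constructed assumptions.

```python
import socket
from typing import Callable, Dict, Iterable, List, Set

# Let's Encrypt issues at most 100 names per certificate (including the host name).
MAX_SAN_NAMES = 100

Resolver = Callable[[str], Set[str]]

def resolve_a(name: str) -> Set[str]:
    """Live resolver: every address a name resolves to, empty set if it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def select_san_names(host: str, mail_domains: Iterable[str],
                     resolve: Resolver = resolve_a) -> Dict[str, List[str]]:
    """Return {'ready': [...], 'skipped': [...]}. A mail.<domain> name is ready only
    if DNS already answers for it with the host's addresses, so the ACME challenge
    for that name will actually reach this server; names past the cap are skipped."""
    host_addrs = resolve(host)
    if not host_addrs:
        raise RuntimeError(f"host name {host} does not resolve")
    ready, skipped = [host], []
    for domain in sorted(set(mail_domains)):
        name = f"mail.{domain}"
        if resolve(name) == host_addrs and len(ready) < MAX_SAN_NAMES:
            ready.append(name)
        else:
            skipped.append(name)
    return {"ready": ready, "skipped": skipped}

def certbot_args(names: List[str]) -> List[str]:
    """One certbot invocation covering all ready names under the host's cert name.
    The webroot path is a hypothetical placeholder; use the server's real ACME webroot."""
    args = ["certbot", "certonly", "--webroot", "-w", "/var/www/acme-webroot",
            "--cert-name", names[0], "--expand"]
    for name in names:
        args += ["-d", name]
    return args

# Constructed sample DNS data for offline use: alpha already points at the host,
# beta points elsewhere, gamma has no record yet.
SAMPLE_DNS = {
    "host.mydomain.example": {"203.0.113.10"},
    "mail.alpha.example": {"203.0.113.10"},
    "mail.beta.example": {"198.51.100.7"},
}

def sample_resolve(name: str) -> Set[str]:
    return SAMPLE_DNS.get(name, set())
```

    Domains reported as skipped are the ones to retry on the next cron run rather than request now, which also keeps the automated requests from hitting the rate limits mentioned above.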
  6. gb78

    gb78 New Member

    Like some others who were new to ISPConfig, I come from i-MSCP. There was an option in the admin panel to add DNS names to the Let's Encrypt certificate for mail / FTP. It might be difficult to code, but it was very easy to use.
     


  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This is possible with ISPConfig as well, I mentioned the tutorial for that in #3 and in that tutorial I also refer to another tutorial which explains how you can set this up for other services like PureFTPd.
     
