Many LE SSL certs assigned to postfix/dovecot

Discussion in 'Installation/Configuration' started by Poliman, May 25, 2018.

  1. Poliman

    Poliman Member

    I have a server created based on the Perfect Server tutorial for Ubuntu 16.04. Is it possible to assign to postfix/dovecot as many Let's Encrypt SSL certs as possible? I have 20 domains on the server but postfix uses the ispserver.crt and ispserver.key certs generated by Let's Encrypt:
    lrwxrwxrwx 1 root root       48 Mar 13 07:42 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    lrwxrwxrwx 1 root root       48 Mar 13 07:42 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    which are from:
    lrwxrwxrwx 1 root root   50 Nov  3  2017 ispserver.crt -> /etc/letsencrypt/live/
    lrwxrwxrwx 1 root root   48 Nov  3  2017 ispserver.key -> /etc/letsencrypt/live/
    For each domain except the server FQDN I get a certificate mismatch in the mail client. Sending emails works but I would like to fix the cert mismatch.
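The mismatch above is a hostname check, not a key problem: the mail client compares the hostname it was configured with against the Subject Alternative Names (SANs) in the certificate Postfix/Dovecot present. The following is an added example, not code from the thread or from ISPConfig; it implements the RFC 6125 matching rules clients apply (case-insensitive labels, a wildcard only as the whole left-most label, matching exactly one label) and runs them over a constructed domain table. All hostnames, domains and SAN lists in it are placeholders, not data from the original post. It shows the mismatch case, the "one generic mail hostname for every domain" fix the thread converges on, and the "put every mail hostname into one multi-SAN cert" alternative.

```python
"""Added example (not from the thread): why a mail client reports a
certificate mismatch, and which hostname choice makes it go away.

match_hostname() follows the RFC 6125 comparison rules mail clients use.
All hostnames, SANs and domains below are constructed placeholders.
"""


def match_hostname(hostname: str, pattern: str) -> bool:
    """Return True if the SAN entry `pattern` covers `hostname` (RFC 6125)."""
    host_labels = hostname.rstrip(".").lower().split(".")
    pat_labels = pattern.rstrip(".").lower().split(".")
    # A wildcard label matches exactly one label, so label counts must agree;
    # empty labels (e.g. "a..b") never match anything.
    if len(host_labels) != len(pat_labels) or "" in host_labels:
        return False
    if pat_labels[0] == "*":
        # Reject "*.tld" style wildcards: at least two fixed labels are required.
        if len(pat_labels) < 3:
            return False
        return host_labels[1:] == pat_labels[1:]
    # Partial-label wildcards such as "ma*.example.tld" are not accepted.
    if "*" in pattern:
        return False
    return host_labels == pat_labels


def cert_covers(hostname: str, sans: list) -> bool:
    """True if any SAN in the presented certificate matches `hostname`."""
    return any(match_hostname(hostname, san) for san in sans)


def mismatches(client_hosts: dict, sans: list) -> dict:
    """Map domain -> configured mail hostname for every domain whose mail
    client would show a certificate warning against a cert carrying `sans`."""
    return {d: h for d, h in client_hosts.items() if not cert_covers(h, sans)}


# Constructed: the single cert the panel hands to Postfix/Dovecot (ispserver.crt)
SERVER_CERT_SANS = ["server.example.tld"]

# Constructed: mail clients configured with a per-domain hostname (mismatch case)
PER_DOMAIN_HOSTS = {
    "example.tld": "server.example.tld",
    "customer1.tld": "mail.customer1.tld",
    "customer2.tld": "mail.customer2.tld",
}

# Fix 1: one generic mail hostname in every domain's MX record and client setup
GENERIC_HOSTS = {domain: "server.example.tld" for domain in PER_DOMAIN_HOSTS}

# Fix 2: keep per-domain hostnames but list every one of them as a SAN
MULTI_SAN_CERT = sorted(set(SERVER_CERT_SANS) | set(PER_DOMAIN_HOSTS.values()))


if __name__ == "__main__":
    print("per-domain hostnames, server cert:", mismatches(PER_DOMAIN_HOSTS, SERVER_CERT_SANS))
    print("generic hostname, server cert:   ", mismatches(GENERIC_HOSTS, SERVER_CERT_SANS))
    print("per-domain hostnames, multi-SAN: ", mismatches(PER_DOMAIN_HOSTS, MULTI_SAN_CERT))
```

Only the first scenario produces warnings, for customer1.tld and customer2.tld. Either fix clears them; the generic-hostname one is the cheaper to operate because the cert never has to change when a domain is added.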
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Let's Encrypt allows up to 100 domains in an SSL cert.
  3. Poliman

    Poliman Member

    Is it possible to add more domains to the postfix/dovecot cert using ISPConfig? Each domain has an LE SSL cert generated by ISPConfig. Each domain is used for websites and additionally there are mailboxes. Currently postfix/dovecot use the cert generated for the server. I don't want to break something. ;)

    @till If I generated one Let's Encrypt cert including each domain I have on the server and attached it some way to postfix, would it break Let's Encrypt cert generation from ISPConfig?
    Last edited: May 25, 2018
  4. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    I don't see why you need to do that. Unless you want each domain to have its own dedicated mail server, you would need to do some serious configuration if you do not have multiple servers. I'm sure it's possible to spawn a postfix instance and have that instance work off a specific config file, but it would also mean you would need to have each instance on a dedicated port. Seems like a lot of work to me.

    If you are offering VPS or dedicated hosting then the server will be set up per domain, and mail, FTP etc. are not really your concern; they are something the customer should be dealing with.

    What you should be doing if you are offering mail on shared hosting is set up a dedicated mail server (2, possibly 3 actually). You would have a generic domain for it, something like as an example. Now to get this server to accept the domain's mail you need to tell it to relay incoming and outgoing mail for the domain in question (be careful not to create an open relay; this would open you up to spammers using your servers for evil). The simplest method down the road is MySQL based but is harder to set up initially; once set up though it will save you many headaches because you can easily add mail domains, mailboxes etc. on the fly without needing to open up config files every time you need a new email address.
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I was thinking about that too, but @Poliman could have reasons for that which we might not know. :cool:
  6. Poliman

    Poliman Member

    Thank you guys for the advice. I am still learning. Thank you for your patience and for showing your perspective. It's important experience. On the postfix mailing list Wietse Venema said on my concern:
    "Postfix does not yet support SNI, so you would need to update master.cf
    with one smtpd definition per IP address with its own smtpd_tls_*cert_file
    and smtpd_tls_*key_file.

    But why? SMTP is not HTTP. With SMTP, the MX records for different
    domains can contain the same SMTP server hostname."

    So probably I have to set up one generic mail domain, like @Chris_UK said (and @ahrasis thought ;) ), and add this for each domain's DNS zone in the MX record. Am I right?
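For anyone who does need a different certificate per mail hostname rather than one generic hostname, this is the per-IP layout the quoted advice describes, written out as an added example (not from the thread, and not a verbatim excerpt of the Postfix or Dovecot documentation). The addresses, hostnames and certificate paths are placeholders. Each Postfix smtpd entry listens on one address and overrides the certificate pair with -o options; Dovecot can do the same with a local block keyed on the address. One caveat: this is how it had to be done with the Postfix of 2018; Postfix 3.4 and later support SNI through tls_server_sni_maps, and Dovecot has supported SNI with local_name blocks for some time, so on a current server one address can serve several certificates.

```conf
# /etc/postfix/master.cf fragment (added example, placeholder addresses/paths).
# Columns: service type private unpriv chroot wakeup maxproc command
# One smtpd per listening address, each with its own certificate pair.
# inet_interfaces in main.cf must include both addresses.
192.0.2.10:smtp  inet  n  -  y  -  -  smtpd
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.tld/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.tld/privkey.pem
  -o syslog_name=postfix/mail.example.tld
192.0.2.11:smtp  inet  n  -  y  -  -  smtpd
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/mail.customer1.tld/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/mail.customer1.tld/privkey.pem
  -o syslog_name=postfix/mail.customer1.tld

# /etc/dovecot/conf.d/10-ssl.conf fragment (added example, same placeholders).
# Default certificate, used when no more specific block matches:
ssl_cert = </etc/letsencrypt/live/mail.example.tld/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.tld/privkey.pem

# Per-address override, the Dovecot counterpart of the master.cf entry above:
local 192.0.2.11 {
  ssl_cert = </etc/letsencrypt/live/mail.customer1.tld/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.customer1.tld/privkey.pem
}

# SNI-based override, selected by the hostname the client sends (no extra IP):
local_name mail.customer2.tld {
  ssl_cert = </etc/letsencrypt/live/mail.customer2.tld/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.customer2.tld/privkey.pem
}
```

Every certificate referenced here must be renewed and its matching service reloaded, which is the operational cost the rest of the thread avoids by pointing every MX record at one hostname.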
  7. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    Yes, you create/edit your DNS zone template so that you can automatically apply the correct MX records to the zone at creation, so you don't need to go and edit it at a later point.
  8. Poliman

    Poliman Member

    OK. Thank you. One more thing: could you point me to where I can edit templates (wow, I didn't know there was such a thing!)?
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is there a reason you do not read the manual? Chapter Templates
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Or you can simply explore the DNS Zone page in your ISPConfig control panel. It is easier to navigate and understand each function that way. The manual and this forum are the main references for any doubt, of course.
  11. Poliman

    Poliman Member

    Thank you for the advice. I have the old manual; today I bought the new one. I couldn't buy it earlier, I was waiting for approval from the CEO.
  12. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    I would not say "can", I would say "should" ;)

    Yes. One mailserver with one IP = the same hostname and MX record for all domains.
