Own Let's Encrypt SSL cert for every mail domains

Discussion in 'Installation/Configuration' started by Sas Sam, May 29, 2020.

  1. Sas Sam

    Sas Sam New Member

    Hi,

    I followed "The Perfect Server - Debian 10 (Buster) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1" as well as the "Securing ISPConfig 3.1 With a Free Let's Encrypt SSL Certificate" tutorials and all good now, the server is running fine. However, there is still one issue what I should solve somehow...

    How could I generate SSL certs for each mail domains with Let's Encrypt? So let say I have the following:
    • server.com - has SSL and it's working fine
    • domain-a.com - has SSL for its website and it's working fine
      • imap.domain-a.com - how can I create this and make sure it will renew itself?
      • smtp.domain-a.com - how can I create this and make sure it will renew itself?
    • domain-b.com - has SSL for its website and it's working fine
      • imap.domain-a.com - how can I create this and make sure it will renew itself?
      • smtp.domain-a.com - how can I create this and make sure it will renew itself?
    I tried to create a vhost/subdomain and then delete those, but I kept the certs and configs for those. But this approach doesn't work, unfortunately.

    Is there any solution for this issue?

    Thanks for the help in advance!
     
  2. nhybgtvfr

    nhybgtvfr Active Member

    to start with, you would need to keep a working subdomain, or vhost subdomain for each of those imap/smtp subdomains, otherwise letsencrypt wouldn't be able to renew the certs.
    you would then need to configure postfix to use sni, which i'm not sure ispconfig currently supports for postfix.

    or you would need to add all of those subdomains as aliasdomains to your main mail.domainname.tld certificate, and just use one certificate with every domain on it. this would limit how many domains you can use though, as letscencrypt will only that you add 100 alternate names.

    the usual method is to just use you main domain for the cert, and other domains just use that fqdn as their mx/pop/imap server address.
     
    Th0m likes this.
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You would also need to configure dovecot sni.

    This setup shouldn't be very hard to do on a single server, but there are some fundamental pieces missing right now to implement on multi-server. You could probably still do a quick hack to get that setup, but doing it right will take some work yet.
     
  4. Steini86

    Steini86 Active Member

    The widely accepted approach is to use a specific domain for all mail related things. (Can also help with reputation at anti-spam things).
    The "right" way would be with SNI, but imho this is not a "good" solution (at the moment(?) and that is also the way it is implemented.
    For example with the web sites you have a vhost file for each domain, where you configure individual certificates. If there is a config error (like missing certificate), this individual domain is not working and could be ignored/deactivated, leaving all other webs in a working condition. Such a missing certificate, for example, would block the mail server from starting and all domains would be offline.
    Additionally: For the outgoing mail (at least the last time I looked into this) will use the standard certificate/hostname of the server. And this is a must, as it should match the RDNS. So you will not get a 'transparent' implementation.

    You can try it for yourself, the postfix configuration is relatively simple: http://www.postfix.org/postconf.5.html#tls_server_sni_maps
    Code:
    /etc/postfix/main.cf:
        indexed = ${default_database_type}:${config_directory}/
        tls_server_sni_maps = ${indexed}sni.map
    
    /etc/postfix/sni.map:
    # One domain per line
    servername.serverdom.com /etc/letsencrypt/live/servername.serverdom.com/privkey.pem /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem
    servername.otherdom.com /etc/letsencrypt/live/servername.otherdom.com/privkey.pem /etc/letsencrypt/live/servername.otherdom.com/fullchain.pem
    
    Then run "postmap -F hash:/etc/postfix/sni.map" and restart postfix.

    Similar for Dovecot:
    https://wiki.dovecot.org/SSL/Doveco..._TLS_SNI_.28Server_Name_Indication.29_support

    However, if really needed, I would just use a certificate that is valid for all used domains. For example, do not mess up with the ispconfig letsencrypt setup but instead use an additional client (for example acme.sh) with DNS challenge support and create a certificate with all the needed domains (letsencrypt is limited to 100 domains per certificate, though). It is perfectly fine to use duplicate certificates for a domain, as long as you don't hit the rate limit: https://letsencrypt.org/docs/rate-limits/
     

Share This Page