Perfect Server - Multi certs for Dovecot & Postfix

Discussion in 'General' started by SamTzu, Apr 11, 2018.

  1. SamTzu

    SamTzu Active Member

    Does any1 have an idea how to combine multiple Certbot certificates for email use?
    I'm thinking something like this...
    mattila.eu and tuonoset.fi would both be on the same ISPConfig server and the Dovecot and Postfix would provide Certbot created (and updated) certificates for both of those domains (and others.)

    Sam
     
    Last edited: Apr 11, 2018
  2. SamTzu

    SamTzu Active Member

    This would allow clients to easily make accounts on their Outlook apps since those usually search for something like mail.mattila.eu by default and if it does not find it it fails. Android apps usually search for imap.mattila.eu and smtp.mattila.eu.
     
    Last edited: Apr 11, 2018
  3. SamTzu

    SamTzu Active Member

    Best option would be a combination cert that has all of the above.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    A certbot ssl cert can contain up to 100 domains.
     
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    postfix does not support sni. you should use one hostname for all accounts for mail and you can setup a small site to provide autoconfig / autodiscover.
    maybe this helps you a little bit: https://schaal-it.com/ispconfig-automail/
     
    maverickws and webguyz like this.
  6. SamTzu

    SamTzu Active Member

    Is that per server or per site/cert?
    In any case that would limit Dovecot & Postfix to a 100 domains per server.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    100 domains per cert, if I remember correctly. But you can probably look that up on the LE website.
     
  8. SamTzu

    SamTzu Active Member

    Automailer seems interesting but it only works well with autoconfig mode and that takes care of Adroid apps.
    Autodiscover still gives cert error message.
    So basically all Outlook clients are still going to have problems.
    Does any1 know what Apple clients use?
     
  9. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    iirc apple uses autodiscover

    if you don't want the cert-warning just create autodiscover for all customer-domains with ssl enable and forward the request to your "central" site.
     
  10. iqpascal

    iqpascal New Member

    Automail does not seem to have a little bit of a bug. When I do not check "SSL IMAP/POP3" and/or "SSL SMTP" it stil adds starttls to the XML file (at least for autoconfig, have not tested autodiscover just yet). And for port 993 IMAP it uses STARTTLS too while I believe that should use SSL/TLS.

    But other than that superb module. Thank you :)
     
  11. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Yes, there was a bug in the index.php for the website. Just change line 29 to
    Code:
    $out[]=array('name'=>'socketType','value'=>$ssl);
    AFAIK STARTTLS is ok?
     
  12. SamTzu

    SamTzu Active Member

    The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

    If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 2,000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate.
     
  13. Loveless

    Loveless Member

    I've done this for some servers, even with the wildcard certs now (i.e. *.domain.de) using ACME 2 servers and cloudflare DNS: https://gist.github.com/jult/e4dd064e3988aa111ea2194b05bc69f5
    Thus far this turns out the most failsafe way to get valid certs.
    You can easily expand the cert with new domain names, just add them to the command after another comma..
     
    Jesse Norell likes this.
  14. SamTzu

    SamTzu Active Member

    @Loveless
    How does that script work with ISPconfig Letsencrypt?
     
  15. ahrasis

    ahrasis Well-Known Member

    I think he means if you are using CloudFlare dns service for your domain, you can add wildcard to your domain certs for subdomain, other than adding extra domains.

    With that regards, I also covered CloudFlare but a little bit differently in Create Lets Encrypt SSL Certs via Certbot DNS Validation in Acme v02 and I also posted raw solution on how to create wildcard if you are using ISPConfig (or other bind server) as your dns server.

    Using certbot dns validation, LE certs may therefore be issued for any ispconfig server without a need to have its own website and its renewal is covered by ISPConfig LE renewal cron which runs every night.
     
    Last edited: Sep 21, 2018
  16. Loveless

    Loveless Member

    It works alongside ISPconfig, but I've stopped using ISPconfig for certs. I resorted to using my own method, since the way ISPconfig does it wasn't to my liking (frankly it was like opening a can of worms, especially since they still use apache converted configs for nginx. I've been running nginx without apache for years now..)
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig never used a config converted from apache for nginx. It might be that you don't like the way ISPConfig is configuring nginx, but saying that the config was converted from apache is pure nonsese and ISPConfig does not even support running apache alongside nginx. So I guess you mix up panels here as e.g. Plesk is doing such a setup with apache alongside nginx but not ISPConfig, ispconfig supports pure apache or pure nginx setups only.
     
    Last edited: Oct 12, 2018
    ahrasis likes this.
  18. Jesse Norell

    Jesse Norell Well-Known Member

    @florian030 by 'forward' do you mean an http redirect, or a reverse proxy in the back end?

    I'm wondering how feasible it would be to make this more or less automatic for client domains. Eg. basically check if the domain's autoconfig hostname is in dns and resolves to the local server (if 'Skip Lets Encrypt Check' is disabled), and if so request a certificate for it (eg. for *just* that one hostname, not as part of the main websites certificate (or lack thereof)), and setup a vhost to handle the request (either http redirect/proxy, or even specify DocumentRoot to be a shared automail install on the web server).

    I guess I'm also wondering, how many complaints do people get about the certificate warning for autodiscover?
     
  19. SamTzu

    SamTzu Active Member

    So far most cert complaints seem to come from iPhone people (for postfix/dovecot Letsencrypt certs.)
     
  20. c3n

    c3n Member

    SOLUTION for postfix/dovecot working SSL LE MULTIDOMAIN!

    First make all steps from here https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
    than check ports 465 and 993 if LE is ok. should be fine.
    lets say You got hostname 1392.server.com and lots domains on this server and want for example that client with my-domain.com have also proper LE for 465/993.
    Than follow steps:
    create website in ISPpanel for 1392.server.com (without WWW) issue LE for it with above tutorial. Check if LE is working.
    Now other domains. For each domain on this server U want to fix certificate warning without giving clients server hostname make proper DNS records for mail.my-domain.com pointing to 1392.server.com
    now create in ISP PANEL: aliasdomain for website.
    You create alias mail.my-domain.com > 1392.server.com (without WWW)
    I';ve tested this solution for last few days on dozens VPS... and it is working like charm. You dont have to change server hostname.
    Another nice thing is that if You got some speciali client with lots of outlook etc. You can create more:
    1) make another DNS records for smtp, pop3, imap subdomains pointing to server
    2) create alias for each subdomain pointing to main host-server (without WWW)
    Now if outlook have autofill smtp.some-domain.com, and imap.some-domain.com You will not receive any notice about SSL.

    notice: on some VPS upgraded D8> Debian9 I got notice about linked certificate in postfix. I was searching whole day for solution and frankly I just copied working settings for clean Debian9 postfix (of course with proper hostname etc.)...

    ICRON
    I dont know what about PEM file from
    cat ispserver.{key,crt} > ispserver.pem
    https://www.howtoforge.com/tutorial...ript-for-your-ispconfig-pem-file-ispserverpem
    in my opinion it must be created for the first time with proper chmod.
    I did this before LE renewal with multidoamain... untouched ispserver.pem and restarted server... LE multidomain working on outlook... so maybe if U got LE SSL only for dovecot / postfix U can skip this last step (above URL)

    have fun

    [machines created based on tutorial debian 9 nginx and apache2 and also some machines upgraded from Debian 8>9]
     
    Last edited: Feb 6, 2019
    Realware likes this.

Share This Page