Perfect Server - Multi certs for Dovecot & Postfix

Discussion in 'General' started by SamTzu, Apr 11, 2018.

  1. SamTzu

    SamTzu Member

    Does anyone have an idea how to combine multiple Certbot certificates for email use?
    I'm thinking something like this... and would both be on the same ISPConfig server and the Dovecot and Postfix would provide Certbot created (and updated) certificates for both of those domains (and others.)

    Last edited: Apr 11, 2018
  2. SamTzu

    SamTzu Member

    This would allow clients to easily make accounts on their Outlook apps since those usually search for something like by default and if it does not find it it fails. Android apps usually search for and
    Last edited: Apr 11, 2018
  3. SamTzu

    SamTzu Member

    Best option would be a combination cert that has all of the above.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    A certbot ssl cert can contain up to 100 domains.
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Postfix does not support SNI. You should use one hostname for all accounts for mail, and you can set up a small site to provide autoconfig / autodiscover.
    Maybe this helps you a little bit:
    webguyz likes this.
  6. SamTzu

    SamTzu Member

    Is that per server or per site/cert?
    In any case that would limit Dovecot & Postfix to a 100 domains per server.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    100 domains per cert, if I remember correctly. But you can probably look that up on the LE website.
  8. SamTzu

    SamTzu Member

    Automailer seems interesting but it only works well with autoconfig mode and that takes care of Android apps.
    Autodiscover still gives a cert error message.
    So basically all Outlook clients are still going to have problems.
    Does anyone know what Apple clients use?
  9. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    IIRC Apple uses autodiscover.

    If you don't want the cert warning, just create autodiscover for all customer domains with SSL enabled and forward the request to your "central" site.
  10. iqpascal

    iqpascal New Member HowtoForge Supporter

    Automail does not seem to have a little bit of a bug. When I do not check "SSL IMAP/POP3" and/or "SSL SMTP" it still adds starttls to the XML file (at least for autoconfig, have not tested autodiscover just yet). And for port 993 IMAP it uses STARTTLS too while I believe that should use SSL/TLS.

    But other than that superb module. Thank you :)
  11. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Yes, there was a bug in the index.php for the website. Just change line 29 to
  12. SamTzu

    SamTzu Member

    The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name, the registered domain is In, the registered domain is We use the Public Suffix List to calculate the registered domain.

    If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 2,000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate.
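
    The limits quoted in the post above (100 names per certificate, 20 certificates per registered domain per week), applied to planning SAN certificates for a mail server. This is an added example, not code from the thread or from ISPConfig or Certbot. The `.example` hostnames and the `mail` prefix are constructed, and `naive_registered_domain` is a simplifying assumption standing in for a Public Suffix List lookup.

```python
from collections import Counter

MAX_NAMES_PER_CERT = 100        # "100 Names per Certificate"
MAX_CERTS_PER_DOMAIN_WEEK = 20  # "Certificates per Registered Domain (20 per week)"


def naive_registered_domain(hostname):
    # ASSUMPTION: last two labels. Let's Encrypt uses the Public Suffix List,
    # so suffixes such as co.uk need a real PSL lookup passed in instead.
    return ".".join(hostname.split(".")[-2:])


def plan_certificates(hostnames, registered_domain=naive_registered_domain):
    """Pack names into SAN certs of <= 100 names, keeping each registered
    domain's names together so it uses as few weekly certs as possible."""
    groups = {}
    for name in sorted({h.lower().rstrip(".") for h in hostnames}):
        groups.setdefault(registered_domain(name), []).append(name)
    certs = []
    # First-fit, largest groups first; oversized groups are split into chunks.
    for _, names in sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        for i in range(0, len(names), MAX_NAMES_PER_CERT):
            chunk = names[i:i + MAX_NAMES_PER_CERT]
            for cert in certs:
                if len(cert) + len(chunk) <= MAX_NAMES_PER_CERT:
                    cert.extend(chunk)
                    break
            else:
                certs.append(list(chunk))
    return certs


def over_weekly_limit(certs, registered_domain=naive_registered_domain):
    """Registered domains that appear in more than 20 planned certificates."""
    usage = Counter()
    for cert in certs:
        usage.update({registered_domain(n) for n in cert})
    return sorted(d for d, n in usage.items() if n > MAX_CERTS_PER_DOMAIN_WEEK)


if __name__ == "__main__":
    # Constructed sample: 40 customer domains, three mail-related names each.
    names = [f"{p}.customer{i:02d}.example"
             for i in range(40) for p in ("mail", "autoconfig", "autodiscover")]
    plan = plan_certificates(names)
    print([len(c) for c in plan], over_weekly_limit(plan))
```

    Each inner list of the plan is the name set for one certificate request; a non-empty result from `over_weekly_limit` means the plan cannot be issued within one week under the limits quoted above.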
  13. Loveless

    Loveless Member

    I've done this for some servers, even with the wildcard certs now (i.e. * using ACME 2 servers and cloudflare DNS:
    Thus far this turns out the most failsafe way to get valid certs.
    You can easily expand the cert with new domain names, just add them to the command after another comma.
    Jesse Norell likes this.
  14. SamTzu

    SamTzu Member

    How does that script work with ISPconfig Letsencrypt?
  15. ahrasis

    ahrasis Active Member

    I think he means if you are using CloudFlare DNS service for your domain, you can add a wildcard to your domain certs for subdomains, other than adding extra domains.

    In that regard, I also covered CloudFlare but a little bit differently in Create Lets Encrypt SSL Certs via Certbot DNS Validation in Acme v02, and I also posted a raw solution on how to create a wildcard if you are using ISPConfig (or another bind server) as your DNS server.

    Using certbot dns validation, LE certs may therefore be issued for any ispconfig server without a need to have its own website and its renewal is covered by ISPConfig LE renewal cron which runs every night.
    Last edited: Sep 21, 2018 at 8:44 AM
