Perfect Server - Multi certs for Dovecot & Postfix

Discussion in 'General' started by SamTzu, Apr 11, 2018.

  1. SamTzu

    SamTzu Member

    Does anyone have an idea how to combine multiple Certbot certificates for email use?
    I'm thinking something like this...
    mattila.eu and tuonoset.fi would both be on the same ISPConfig server and the Dovecot and Postfix would provide Certbot created (and updated) certificates for both of those domains (and others.)

    Sam
     
    Last edited: Apr 11, 2018
  2. SamTzu

    SamTzu Member

    This would allow clients to easily make accounts on their Outlook apps since those usually search for something like mail.mattila.eu by default and if it does not find it it fails. Android apps usually search for imap.mattila.eu and smtp.mattila.eu.
     
    Last edited: Apr 11, 2018
  3. SamTzu

    SamTzu Member

    Best option would be a combination cert that has all of the above.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    A certbot ssl cert can contain up to 100 domains.
     
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Postfix does not support SNI. You should use one hostname for all accounts for mail, and you can set up a small site to provide autoconfig / autodiscover.
    maybe this helps you a little bit: https://schaal-it.com/ispconfig-automail/
     
    webguyz likes this.
  6. SamTzu

    SamTzu Member

    Is that per server or per site/cert?
    In any case that would limit Dovecot & Postfix to a 100 domains per server.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    100 domains per cert, if I remember correctly. But you can probably look that up on the LE website.
     
  8. SamTzu

    SamTzu Member

    Automailer seems interesting but it only works well with autoconfig mode and that takes care of Android apps.
    Autodiscover still gives cert error message.
    So basically all Outlook clients are still going to have problems.
    Does anyone know what Apple clients use?
     
  9. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    IIRC Apple uses autodiscover.

    If you don't want the cert warning, just create autodiscover for all customer domains with SSL enabled and forward the request to your "central" site.
     
  10. iqpascal

    iqpascal New Member HowtoForge Supporter

    Automail does not seem to have a little bit of a bug. When I do not check "SSL IMAP/POP3" and/or "SSL SMTP" it still adds starttls to the XML file (at least for autoconfig, have not tested autodiscover just yet). And for port 993 IMAP it uses STARTTLS too while I believe that should use SSL/TLS.

    But other than that superb module. Thank you :)
     
  11. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Yes, there was a bug in the index.php for the website. Just change line 29 to
    Code:
    $out[]=array('name'=>'socketType','value'=>$ssl);
    AFAIK STARTTLS is ok?
     
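    An added example (not the automail module's code) of generating the Mozilla autoconfig XML for one customer domain that points at a single central mail hostname, choosing socketType per port so the implicit-TLS IMAP port is always advertised as SSL and STARTTLS is only advertised when TLS was actually enabled; MAIL_HOST and the domain names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder: one central mail hostname covered by the certificate,
# serving several customer domains (not a real deployment).
MAIL_HOST = "mail.example.net"

def socket_type(port: int, tls_enabled: bool) -> str:
    """Implicit-TLS ports must advertise 'SSL'; other ports advertise
    'STARTTLS' only when TLS was enabled for the domain, else 'plain'."""
    if port in (993, 995, 465):
        return "SSL"
    return "STARTTLS" if tls_enabled else "plain"

def _server(parent, tag, kind, port, tls_enabled):
    # One <incomingServer>/<outgoingServer> block in autoconfig format.
    srv = ET.SubElement(parent, tag, type=kind)
    ET.SubElement(srv, "hostname").text = MAIL_HOST
    ET.SubElement(srv, "port").text = str(port)
    ET.SubElement(srv, "socketType").text = socket_type(port, tls_enabled)
    ET.SubElement(srv, "authentication").text = "password-cleartext"
    ET.SubElement(srv, "username").text = "%EMAILADDRESS%"

def build_autoconfig(domain: str, imap_tls: bool, smtp_tls: bool) -> str:
    """Return autoconfig XML for `domain`: IMAP on 993 (implicit TLS) when
    enabled, else 143; SMTP always on submission port 587."""
    root = ET.Element("clientConfig", version="1.1")
    prov = ET.SubElement(root, "emailProvider", id=domain)
    ET.SubElement(prov, "domain").text = domain
    ET.SubElement(prov, "displayName").text = domain
    _server(prov, "incomingServer", "imap", 993 if imap_tls else 143, imap_tls)
    _server(prov, "outgoingServer", "smtp", 587, smtp_tls)
    return ET.tostring(root, encoding="unicode")

def socket_types(xml_text: str) -> dict:
    """Parse an autoconfig document and map 'imap'/'smtp' to their socketType,
    useful for checking what a generator actually emitted."""
    root = ET.fromstring(xml_text)
    out = {}
    for srv in root.iter():
        if srv.tag in ("incomingServer", "outgoingServer"):
            out[srv.get("type")] = srv.findtext("socketType")
    return out

if __name__ == "__main__":
    print(build_autoconfig("customer-a.example", imap_tls=True, smtp_tls=True))
```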
  12. SamTzu

    SamTzu Member

    The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

    If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 2,000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate.
     
  13. Loveless

    Loveless Member

    I've done this for some servers, even with the wildcard certs now (i.e. *.domain.de) using ACME 2 servers and cloudflare DNS: https://gist.github.com/jult/e4dd064e3988aa111ea2194b05bc69f5
    Thus far this turns out the most failsafe way to get valid certs.
    You can easily expand the cert with new domain names, just add them to the command after another comma.
     
    Jesse Norell likes this.