Perfect Server - Multi certs for Dovecot & Postfix

Discussion in 'General' started by SamTzu, Apr 11, 2018.

  1. SamTzu

    SamTzu Member

    Does anyone have an idea how to combine multiple Certbot certificates for email use?
    I'm thinking something like this...
    mattila.eu and tuonoset.fi would both be on the same ISPConfig server and the Dovecot and Postfix would provide Certbot created (and updated) certificates for both of those domains (and others.)

    Sam
     
    Last edited: Apr 11, 2018
  2. SamTzu

    SamTzu Member

    This would allow clients to easily make accounts on their Outlook apps since those usually search for something like mail.mattila.eu by default and if it does not find it it fails. Android apps usually search for imap.mattila.eu and smtp.mattila.eu.
     
    Last edited: Apr 11, 2018
  3. SamTzu

    SamTzu Member

    Best option would be a combination cert that has all of the above.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    A certbot ssl cert can contain up to 100 domains.
     
  5. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    postfix does not support sni. you should use one hostname for all accounts for mail and you can setup a small site to provide autoconfig / autodiscover.
    maybe this helps you a little bit: https://schaal-it.com/ispconfig-automail/
     
    maverickws and webguyz like this.
  6. SamTzu

    SamTzu Member

    Is that per server or per site/cert?
    In any case that would limit Dovecot & Postfix to a 100 domains per server.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    100 domains per cert, if I remember correctly. But you can probably look that up on the LE website.
     
  8. SamTzu

    SamTzu Member

    Automailer seems interesting but it only works well with autoconfig mode and that takes care of Android apps.
    Autodiscover still gives cert error message.
    So basically all Outlook clients are still going to have problems.
    Does anyone know what Apple clients use?
     
  9. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    iirc apple uses autodiscover

    if you don't want the cert-warning just create autodiscover for all customer-domains with ssl enabled and forward the request to your "central" site.
     
  10. iqpascal

    iqpascal New Member HowtoForge Supporter

    Automail does not seem to have a little bit of a bug. When I do not check "SSL IMAP/POP3" and/or "SSL SMTP" it still adds starttls to the XML file (at least for autoconfig, have not tested autodiscover just yet). And for port 993 IMAP it uses STARTTLS too while I believe that should use SSL/TLS.

    But other than that superb module. Thank you :)
     
  11. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Yes, there was a bug in the index.php for the website. Just change line 29 to
    Code:
    $out[]=array('name'=>'socketType','value'=>$ssl);
    AFAIK STARTTLS is ok?
     
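    As an added example, not code from the automail module or from anyone in this thread: a Python generator for the Mozilla autoconfig XML that encodes the socketType rules discussed in the two posts above (implicit-TLS ports 993/995/465 are always "SSL"; an unchecked SSL option must yield "plain", not "STARTTLS") and refuses to publish a plaintext-auth entry unless explicitly allowed. The function and option names are my own assumptions, not the module's.

```python
import xml.etree.ElementTree as ET

# Implicit-TLS ports: the connection is TLS from the first byte, so the client
# must be told "SSL", never "STARTTLS" (the 993 case reported above).
IMPLICIT_TLS_PORTS = {993, 995, 465}

def socket_type(port: int, ssl_enabled: bool) -> str:
    """Map a port plus the admin's 'SSL' checkbox to an autoconfig socketType."""
    if port in IMPLICIT_TLS_PORTS:
        return "SSL"
    # Opportunistic-TLS ports (143, 110, 587, 25): STARTTLS only when the box
    # is checked; an unchecked box must yield "plain", not STARTTLS.
    return "STARTTLS" if ssl_enabled else "plain"

def _server(parent, tag, proto, host, port, ssl_enabled, allow_plain):
    st = socket_type(port, ssl_enabled)
    if st == "plain" and not allow_plain:
        # Refuse to publish a config that would send the password in clear.
        raise ValueError(f"{proto} on port {port} would use plaintext auth")
    srv = ET.SubElement(parent, tag, type=proto)
    ET.SubElement(srv, "hostname").text = host
    ET.SubElement(srv, "port").text = str(port)
    ET.SubElement(srv, "socketType").text = st
    ET.SubElement(srv, "authentication").text = "password-cleartext"
    ET.SubElement(srv, "username").text = "%EMAILADDRESS%"

def build_autoconfig(domain, mail_host, imap_port=993, smtp_port=587,
                     ssl_imap=True, ssl_smtp=True, allow_plain=False) -> str:
    """Return Mozilla autoconfig XML for one hosted domain (assumed option names)."""
    root = ET.Element("clientConfig", version="1.1")
    prov = ET.SubElement(root, "emailProvider", id=domain)
    ET.SubElement(prov, "domain").text = domain
    ET.SubElement(prov, "displayName").text = domain
    _server(prov, "incomingServer", "imap", mail_host, imap_port, ssl_imap, allow_plain)
    _server(prov, "outgoingServer", "smtp", mail_host, smtp_port, ssl_smtp, allow_plain)
    return ET.tostring(root, encoding="unicode")

def socket_types(xml_text: str) -> dict:
    """Parse generated XML back and report the socketType per server."""
    root = ET.fromstring(xml_text)
    return {srv.get("type"): srv.findtext("socketType")
            for srv in root.iter()
            if srv.tag in ("incomingServer", "outgoingServer")}

if __name__ == "__main__":
    # Constructed example: one shared mail hostname serving a customer domain.
    print(build_autoconfig("mattila.eu", "mail.mattila.eu"))
```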
  12. SamTzu

    SamTzu Member

    The main limit is Certificates per Registered Domain, (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

    If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 2,000 unique subdomains per week. A certificate with multiple names is often called a SAN certificate, or sometimes a UCC certificate.
     
  13. Loveless

    Loveless Member

    I've done this for some servers, even with the wildcard certs now (i.e. *.domain.de) using ACME 2 servers and cloudflare DNS: https://gist.github.com/jult/e4dd064e3988aa111ea2194b05bc69f5
    Thus far this turns out the most failsafe way to get valid certs.
    You can easily expand the cert with new domain names, just add them to the command after another comma.
     
    Jesse Norell likes this.
  14. SamTzu

    SamTzu Member

    @Loveless
    How does that script work with ISPconfig Letsencrypt?
     
  15. ahrasis

    ahrasis Well-Known Member

    I think he means if you are using CloudFlare dns service for your domain, you can add wildcard to your domain certs for subdomain, other than adding extra domains.

    With that regards, I also covered CloudFlare but a little bit differently in Create Lets Encrypt SSL Certs via Certbot DNS Validation in Acme v02 and I also posted raw solution on how to create wildcard if you are using ISPConfig (or other bind server) as your dns server.

    Using certbot dns validation, LE certs may therefore be issued for any ispconfig server without a need to have its own website and its renewal is covered by ISPConfig LE renewal cron which runs every night.
     
    Last edited: Sep 21, 2018
  16. Loveless

    Loveless Member

    It works alongside ISPconfig, but I've stopped using ISPconfig for certs. I resorted to using my own method, since the way ISPconfig does it wasn't to my liking (frankly it was like opening a can of worms, especially since they still use apache converted configs for nginx. I've been running nginx without apache for years now.)
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig never used a config converted from apache for nginx. It might be that you don't like the way ISPConfig is configuring nginx, but saying that the config was converted from apache is pure nonsense and ISPConfig does not even support running apache alongside nginx. So I guess you mix up panels here as e.g. Plesk is doing such a setup with apache alongside nginx but not ISPConfig, ispconfig supports pure apache or pure nginx setups only.
     
    Last edited: Oct 12, 2018
    ahrasis likes this.
  18. Jesse Norell

    Jesse Norell Well-Known Member

    @florian030 by 'forward' do you mean an http redirect, or a reverse proxy in the back end?

    I'm wondering how feasible it would be to make this more or less automatic for client domains. Eg. basically check if the domain's autoconfig hostname is in dns and resolves to the local server (if 'Skip Lets Encrypt Check' is disabled), and if so request a certificate for it (eg. for *just* that one hostname, not as part of the main websites certificate (or lack thereof)), and setup a vhost to handle the request (either http redirect/proxy, or even specify DocumentRoot to be a shared automail install on the web server).

    I guess I'm also wondering, how many complaints do people get about the certificate warning for autodiscover?
     
  19. SamTzu

    SamTzu Member

    So far most cert complaints seem to come from iPhone people (for postfix/dovecot Letsencrypt certs.)
     