questions about secure email

Discussion in 'Server Operation' started by Ovidiu, Jan 27, 2012.

  1. Ovidiu

    Ovidiu Active Member

    I run a web and mail server for a few domains. running with ispcfg3 and according to the perfect debian server howto.
    some of the users of a particular domain are using outlook and no matter what I do they are asked about accepting my self-signed certificate. I tried many solutions to import it into their computers but all fail. they are still being asked about accepting the certificate every time they open outlook again.

    I have now decided to get a proper certificate but am not sure where to start.

    1. any affordable certificate providers you can recommend?
    2. will I need only 1 certificate for the server or does every domain need their own?
    3. if I need only one, will there be problems since every customer accesses their mail via i.e. mail.domain1.com others via mail.anotherdomain.com, etc?

    sorry for these basic questions but I didn't find any good starting point via google to read up on this matter (any links are welcome)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. erosbk

    erosbk New Member

    Till, Falko, this is a great howto!!! very very very usefull!

    I have an ISPConfig multiserver environment, is it possible to create a certificate for a mail server (postfix, courier) and with it give access to every vdomain that access the server using its own url??

    for example, people can access mail server thgouth imap/pop3/smtp.virtualdomain.com.ar

    I think I should generate a certificate for the server mail1.myenterprisedomain.com.ar but I don't know if the certificate could work this way!

    Thanks
     
  4. falko

    falko Super Moderator ISPConfig Developer

    This works only if you get a multi-domain certificate. And each time you want to add a domain you must buy a new cert. So it's better to tell your customers to use a specific hostname for mail or to abandon TLS (or live with certificate warnings).
     
  5. Ovidiu

    Ovidiu Active Member

    @Falko:

    I finished reading that tutorial and was just about to ask the same question:

    Do you really need to buy a new certificate every time you want to add a new domain to the multi-domain certificate?
    I am asking because they actually make you pay for the verification process, the certificates are free but you need to verify your identity for the multi domain certs.

    I'll ask them too if it would be possible to ask for a new free certificate every time I add a domain to my hosting portfolio or not.
    If needed I'll get a certificate for my hxxxxx.stratoserver.net and have them all use that for accessing their emails.
     
  6. falko

    falko Super Moderator ISPConfig Developer

    If you use StartSSL, I think you are right - you pay for verification once, and then you can get as many certs as you need for free within 350 days. But other CAs will make you pay for each new cert.
     
  7. Ovidiu

    Ovidiu Active Member

    just double checking:

    this field: Common Name (eg, YOUR name) []: <-- example.com

    needs to be filled with i.e. h187xxxx.stratoserver.net right?
     
  8. Ovidiu

    Ovidiu Active Member

    I have hit another bigger problem:

    to get my certificate from startssl.com I need to verify ownership of the domains I want to get a certificate for but unfortunately most root server providers assign you a default name within their domain, mine is i.e. hxxxxxxx.stratoserver.net and startssl.com only offers validation for domains, not sub domains.
    They say you could get a certain paper signed by the domain owner and then come back but that would be quite a difficult process and I am not sure if Strato will comply.

    What other slutions are there? i.e. getting a spare domain just for "naming" my server? woudl that do? But I guess then I need to change not only the hostname but a lot of other services's configuration, right?
     
  9. falko

    falko Super Moderator ISPConfig Developer

    Right.

    Use one of your own domains for your hostnames and services. You are right, you will have to reconfigure some services, e.g. your server's hostname, Postfix, etc.
     
  10. Ovidiu

    Ovidiu Active Member

    I have a huge problem right now:

    I simply ignored h1870666.stratoserver.net my hostname given by strato and created a certificate for all other domains I am using, since I thought I wouldn't use h1870666.stratoserver.net.

    I followed the startssl tutorial linked above by Till and now postfix keeps complaining the whole time.
    I foudn the comment on that tutorial: http://www.howtoforge.com/securing-...sl-certificate-from-startssl-p2#comment-31033 but even with that correction postfix keeps complaining:

    Is this easily fixable? is it because I simply ignored the existence of h1870666.stratoserver.net?
    the point is that everyone using mail and TLS is using mail.theirdomain.tld to retrieve so I assumed h187066.... wouldn't need a certificate itself.

    any hints? quickest way to restore everything?

    If its a bigger problem, I'd pay to get it solved.
     
  11. Ovidiu

    Ovidiu Active Member

    I seem to have fixed it. postfix was complaining about

    Jan 31 15:52:48 h1870666 postfix/smtpd[5738]: warning: TLS library problem: 5738:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('/etc/postfix/smtpd.cert','r'):

    seems the smtpd.cert went missing, I mean it was a symlink but the target was missing. I pasted my certificate from startssl into it and that seemed to have solved it.

    Also redid the steps of the tutorial that involved the ispserver.crt

    Sorry for the ticket and solving it myself in a few minutes but I panicked.
     

Share This Page