SSL Certificate for Emails

Discussion in 'ISPConfig 3 Priority Support' started by BobGeorge, Sep 4, 2017.

  1. BobGeorge

    BobGeorge Member HowtoForge Supporter

    I've got an SSL certificate + CA certificate that I want to install for our email servers, to replace the self-signed one that I created when installing ISPConfig, so that folks picking up their emails don't have to keep adding it as a security exception.

    I've got the certificate files from the CA and went into "/etc/postfix" but I'm not sure where they should be installed. There is a "smtpd.cert" and "smtpd.key" file there - which looks like what I need to replace, at least for the SMTP side of things - but I don't see any CA certificate to go with those and, well, I thought I'd just ask here rather than just start arbitrarily replacing files on the strength of a guess.

    Plus, if I am using a CA certificate with my SSL certificate and key, then there's probably a config option somewhere to specify this.

    (I did try googling this, but either the information is out of date or things are slightly different when using MySQL to drive the emails, as it talks about an "ssl" directory that simply isn't there.)
     
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

  3. BobGeorge

    BobGeorge Member HowtoForge Supporter

    Thanks. That works, except for one little detail.

    I obtained the certificate for "domain.tld" (and it also covers "www.domain.tld"), but it doesn't cover "mail.domain.tld", as it's not a wildcard certificate.

    This means that you need "domain.tld" and not "mail.domain.tld" in the email settings for it to be happy with the certificate.

    But the autoconfiguration with Thunderbird is bringing up "mail.domain.tld".

    And also the autoconfiguration strips the domain name from usernames - so it's just "bob" instead of "bob@domain.tld" - and the domain name is required to differentiate email accounts when we have many domains (e.g. every domain ought to have "postmaster@domain.tld", so the domain must be there to differentiate all the postmaster accounts from one another).

    So is there a way to control this autoconfiguration process and make sure that it reports the correct settings to email clients like Thunderbird (or Apple Mail or whatever), as I'd like to make this all a "just works" experience for clients, as far as I'm able.
     
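The mismatch described in post 3 (a certificate for domain.tld and www.domain.tld that does not cover mail.domain.tld) can be checked before clients complain. Below is an added example, not code from the thread or from ISPConfig: a Python hostname-vs-SAN matcher that follows the RFC 6125 rules (exact match, or a single leading `*.` wildcard label matching exactly one label), plus a helper that pulls the dNSName entries from the dict `ssl.SSLSocket.getpeercert()` returns. The peercert dict and the hostnames are constructed to mirror the thread; the wildcard case goes beyond the thread to show what a `*.domain.tld` certificate (the kind mentioned later in the thread) would and would not cover.

```python
"""Check which client-facing hostnames a mail certificate's SANs cover.

Added example (not from the ISPConfig thread). The sample peercert below is
constructed to mirror the thread: a CA-issued cert for domain.tld and
www.domain.tld only, while autoconfiguration points clients at mail.domain.tld.
"""
import socket
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one SAN dNSName pattern against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    # Only a wildcard that is the entire left-most label is honoured
    # (*.domain.tld); partial wildcards (m*il.domain.tld) and *.tld are rejected.
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or "*" in tail or "." not in tail:
        return False
    # The wildcard matches exactly one label: mail.domain.tld matches
    # *.domain.tld, but domain.tld and sub.mail.domain.tld do not.
    h_head, h_sep, h_tail = hostname.partition(".")
    return bool(h_sep) and bool(h_head) and h_tail == tail


def covered_by(san_dns_names, hostname: str) -> bool:
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


def uncovered(san_dns_names, client_hostnames):
    """Hostnames that mail clients will connect to but the cert does not cover."""
    return [h for h in client_hostnames if not covered_by(san_dns_names, h)]


def san_dns_names(peercert: dict):
    """dNSName entries from the dict ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_peercert(host: str, port: int = 993, servername: str = None, timeout: float = 5.0):
    """Fetch the certificate an implicit-TLS service (e.g. IMAPS on 993) presents.

    Chain validation stays on; hostname checking is switched off so a cert
    with the wrong name is still returned for inspection instead of raising.
    STARTTLS ports (143, 587) need the protocol handshake first; not handled.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            return tls.getpeercert()


# Constructed sample (assumption): what getpeercert() would return for the
# thread's certificate, which covers only domain.tld and www.domain.tld.
THREAD_PEERCERT = {
    "subject": ((("commonName", "domain.tld"),),),
    "subjectAltName": (("DNS", "domain.tld"), ("DNS", "www.domain.tld")),
}
# Names that autoconfiguration hands to clients (assumption, from the thread).
CLIENT_HOSTNAMES = ["mail.domain.tld", "domain.tld"]

if __name__ == "__main__":
    sans = san_dns_names(THREAD_PEERCERT)
    print("uncovered:", uncovered(sans, CLIENT_HOSTNAMES))  # ['mail.domain.tld']
    # A wildcard cert that also lists the bare name covers both.
    print("uncovered with wildcard:",
          uncovered(["domain.tld", "*.domain.tld"], CLIENT_HOSTNAMES))  # []
```

For a live check, `fetch_peercert("domain.tld", 993)` feeds `san_dns_names` directly; `openssl s_client -connect domain.tld:993 -servername mail.domain.tld -verify_hostname mail.domain.tld` gives the same answer from the command line. Note that the wildcard `*.domain.tld` alone does not cover the bare `domain.tld`, so a wildcard certificate for a mail host still needs the apex name listed if clients are pointed at it.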
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You should be able to find details on how to configure auto configuration for your mail client by using Google. The process is different for each client and might require quite a bit of additional server configuration on your DNS and/or web servers to provide the information in the format that each client requires.

    e.g.:

    https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration
    https://technet.microsoft.com/en-us/library/cc511507(v=office.14).aspx
    https://github.com/Tiliq/autodiscover.xml
     
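For the Thunderbird side, the first link above describes a static `config-v1.1.xml` that the client fetches by domain. As an added example, not code from the thread, from ISPConfig or from Mozilla, here is a Python generator for that file that fixes the two problems raised in post 3: the advertised hostname is the one the certificate actually covers (domain.tld, since there is no mail.domain.tld SAN), and the username is `%EMAILADDRESS%` so the login keeps its domain instead of being reduced to the local part. It also includes a checker that flags a file which gets either of those wrong. The ports, socket types and display name are assumptions; the two lookup URLs are the ones the Mozilla autoconfiguration page documents.

```python
"""Generate and sanity-check a Thunderbird autoconfig file (config-v1.1.xml).

Added example, not from the ISPConfig thread or project. Hostnames, ports,
socket types and the display name are assumptions chosen to match the thread.
"""
import xml.etree.ElementTree as ET

# Placeholders Thunderbird substitutes when it applies the file.
FULL_ADDRESS = "%EMAILADDRESS%"      # bob@domain.tld
LOCAL_PART_ONLY = "%EMAILLOCALPART%"  # bob (drops the domain; wrong for multi-domain servers)


def build_autoconfig(domain: str, mail_host: str, display_name: str,
                     username_template: str = FULL_ADDRESS) -> str:
    """Return config-v1.1.xml text advertising IMAPS/993 and SMTP+STARTTLS/587."""
    root = ET.Element("clientConfig", version="1.1")
    prov = ET.SubElement(root, "emailProvider", id=domain)
    ET.SubElement(prov, "domain").text = domain
    ET.SubElement(prov, "displayName").text = display_name
    ET.SubElement(prov, "displayShortName").text = domain
    servers = (("incomingServer", "imap", "993", "SSL"),
               ("outgoingServer", "smtp", "587", "STARTTLS"))
    for tag, kind, port, socket_type in servers:
        srv = ET.SubElement(prov, tag, type=kind)
        ET.SubElement(srv, "hostname").text = mail_host   # must be a SAN on the cert
        ET.SubElement(srv, "port").text = port
        ET.SubElement(srv, "socketType").text = socket_type
        ET.SubElement(srv, "authentication").text = "password-cleartext"
        ET.SubElement(srv, "username").text = username_template
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def lookup_urls(domain: str):
    """Where Thunderbird looks for the file for an address @domain (per Mozilla's doc)."""
    return [
        f"https://autoconfig.{domain}/mail/config-v1.1.xml",
        f"https://{domain}/.well-known/autoconfig/mail/config-v1.1.xml",
    ]


def check_autoconfig(xml_text: str, cert_covered_hosts) -> list:
    """Return a list of problems; empty means the file is consistent with the cert
    and keeps the domain in the login."""
    problems = []
    root = ET.fromstring(xml_text)
    for srv in root.iter():
        if srv.tag not in ("incomingServer", "outgoingServer"):
            continue
        host = srv.findtext("hostname")
        user = srv.findtext("username")
        if host not in cert_covered_hosts:
            problems.append(f"{srv.tag}: hostname {host} is not covered by the certificate")
        if user != FULL_ADDRESS:
            problems.append(f"{srv.tag}: username {user!r} would drop the domain from the login")
    return problems


# Constructed to mirror the thread (assumption): SANs on the CA-issued cert.
CERT_COVERED = ["domain.tld", "www.domain.tld"]

if __name__ == "__main__":
    good = build_autoconfig("domain.tld", "domain.tld", "Example Mail")
    print(good)
    print("problems (good):", check_autoconfig(good, CERT_COVERED))  # []
    bad = build_autoconfig("domain.tld", "mail.domain.tld", "Example Mail", LOCAL_PART_ONLY)
    for p in check_autoconfig(bad, CERT_COVERED):
        print("problem (bad):", p)  # 4 lines: wrong host and wrong username, per server
    print("serve at one of:", lookup_urls("domain.tld"))
```

The file must be served over HTTPS from a name the web certificate covers as well (the `autoconfig.` subdomain or the `.well-known` path on the domain itself), or Thunderbird falls back to guessing, which is where the `mail.` prefix and the bare username come from. Other clients (Outlook autodiscover, Apple profiles) need their own formats, as the links above describe.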
  5. BobGeorge

    BobGeorge Member HowtoForge Supporter

    Okay, thanks. I have some reading to do.

    (I guess it's too much to ask of these companies to expect them to simply adhere to a single shared standard for something so common and useful. Sigh.)
     
  6. florian030

    florian030 ISPConfig Developer ISPConfig Developer

  7. sjau

    sjau Local Meanie Moderator

    Also, starting from next year, Let's Encrypt will offer free wildcard certs.
     
