SSL support for IMAP and SMTP

Discussion in 'General' started by smokinjo, May 9, 2020.

  1. smokinjo

    smokinjo Member HowtoForge Supporter

    (I placed this by accident in the Linux section of the forums. After Taleman answered, I realised my mistake. I am reposting it here)

    I need to start using secure SMTP and IMAP.

    Does one need to install/activate this for the email server?
    I have been using the SSL certificates for the HTTPS on all my websites. Does this help any?

    Thanks

    Joseph

    (I did consult the example given by Taleman: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ But is there a way from within the ISPConfig interface to activate SSL for Postfix and Dovecot?)
     
  2. ahrasis

    ahrasis Well-Known Member

    The answer is no. You need to do it via your Linux CLI (Command Line Interface). I also have a script (LE4ISPC) that could be used to ease securing your server services, but it won't help you since you want your server to have different FQDNs for the server panel - panel.domain.com - and the mail server - mail.domain.com; simply because the script is not written to cover more than one hostname FQDN per server.
     
    Last edited: May 21, 2020 at 1:59 AM
  3. smokinjo

    smokinjo Member HowtoForge Supporter

    Thanks for the reply.

    I am not looking to secure ISPConfig, because it is always used via the internal network. ISPConfig is not reachable by a domain name.

    I want to be able to secure the email for the different domains that are hosted on our server.

    domain1.com
    domain2.com
    domain3.com
    domain4.com
    Taleman said the same SSL certificate created by ISPConfig is used for the email server.

    Thanks
     
  4. ahrasis

    ahrasis Well-Known Member

  5. Jesse Norell

    Jesse Norell Well-Known Member

    This is true after following that tutorial: a single Let's Encrypt certificate is set up via the vhost, and symlinks are made to the corresponding certificate files in the correct location for postfix/dovecot to work.

    This is sufficient to enable ssl/tls on the server's hostname, which all your clients can use.
    This is relatively easy on small systems (you can have up to 100 names included in a letsencrypt certificate) with the above setup, assuming you want to use something like 'mail.domain1.com' (not actually 'domain1.com') as the servernames, you simply add vhost aliases for the additional names (mail.domain1.com, mail.domain2.com, etc.) to the website with which you requested the Let's Encrypt certificate.

    As an alternative, or if you actually want to use 'domain1.com' as the mail server name for your client, you can request a Let's Encrypt certificate from the command line, rather than using the user interface. Again you are limited to 100 names in the certificate. Once the certificate has been issued, create symlinks to the certificate files (under /etc/letsencrypt/live/) at /etc/postfix/smtpd.{cert,key}. If you do this, you'll need to either set up something to monitor for certificate changes and restart postfix/dovecot, or simply restart them periodically (eg. nightly, or at least weekly).

    There are more details and examples in https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/. There's a simple "request certificate for domain names found in this file" type script at https://www.howtoforge.com/communit...erts-for-ispconfig-servers.80449/#post-381172

    If you need more than 100 names, there's not a quick/easy solution. You could add another IP address, request another certificate, and configure postfix/dovecot on that IP to use the other certificate file. The proper solution is to set up SNI for both postfix and dovecot, which is 100% custom config, and I don't believe anyone has posted an example for an ISPConfig server yet, but if you want to be the first to post a useful example, I (and most likely others here) would sure help you get it sorted out. There is a feature request for it, but I don't believe it is planned for the near term.
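    The "monitor for certificate changes and restart postfix/dovecot" step from the post above, as an added example that is not from the thread, ISPConfig or LE4ISPC: a cron-friendly script that checksums the file the /etc/postfix/smtpd.cert symlink resolves to and restarts the two services only when a renewed certificate has appeared, so they never keep serving an expired one. The state-file path and the restart command are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the thread): restart Postfix/Dovecot only when the
# Let's Encrypt certificate behind the /etc/postfix/smtpd.cert symlink changes.
# Intended to be run from cron (e.g. hourly) as: cert-watch.sh run
set -u
# Assumed defaults; override with environment variables.
CERT_FILE="${CERT_FILE:-/etc/postfix/smtpd.cert}"
STATE_FILE="${STATE_FILE:-/var/lib/cert-watch/smtpd.cert.sha256}"
RELOAD_CMD="${RELOAD_CMD:-systemctl restart postfix dovecot}"

# SHA-256 of the file the path currently resolves to (follows the symlink).
cert_checksum() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# 0 = certificate differs from the recorded checksum (or none recorded yet),
# 1 = unchanged, 2 = certificate unreadable. Never touches the state file.
cert_changed() {
    [ -r "$1" ] || { echo "certificate not readable: $1" >&2; return 2; }
    current=$(cert_checksum "$1")
    [ -f "$2" ] && [ "$(cat "$2")" = "$current" ] && return 1
    return 0
}

# Remember the checksum, but only after the services really picked it up.
record_checksum() {
    mkdir -p "$(dirname "$2")"
    cert_checksum "$1" > "$2"
}

# Compare, restart on change, record on success. A failed restart leaves the
# old checksum in place so the next run retries instead of silently moving on.
check_and_reload() {
    rc=0
    cert_changed "$1" "$2" || rc=$?
    case $rc in
        1) echo "certificate unchanged"; return 0 ;;
        2) return 2 ;;
    esac
    if sh -c "$3"; then
        record_checksum "$1" "$2"
        echo "certificate changed; postfix/dovecot restarted"
        return 0
    fi
    echo "restart failed; checksum not recorded, will retry next run" >&2
    return 1
}

if [ "${1:-}" = "run" ]; then check_and_reload "$CERT_FILE" "$STATE_FILE" "$RELOAD_CMD"; fi
```

Because the checksum follows the symlink, the script also catches the case where the symlink itself is repointed at a new /etc/letsencrypt/live/ directory rather than the target file being rewritten in place.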
     
  6. Chris_UK

    Chris_UK Member HowtoForge Supporter

    I would advise against going down the route of multiple certs or even listing many domains to a cert. The reason is scalability.

    Instead you could just register a generic domain name and a standalone mail server.

    Doing this will save headaches down the road and it's also so much simpler. You don't need to have certs for each domain on the mail server, which honestly I can't think how that would work, and you don't need to have multiple domains/aliases attached to a cert.

    You then just preconfigure ispc with a template that sets the correct DNS records and make sure that any sites created are set to use the generic mail server. You could probably get a free domain some place if your budget is really tight. I know for certain you can get a VPS for under £3 GBP capable of handling mail for a few hundred domains as long as they are not too heavy users. I used to have three such VPS for mx1, ns1 and ns2; I didn't have a fallback for mx. Although for £12 a month you could have 4 VPS: mx1/2 and ns1/2.
     