Hi, I have my server server.mydomain.com that has an SSL cert/key in use for the ISPConfig web interface, and it's also being used for the email on the same server (Postfix/Dovecot). Is it possible to also have SSL certs/keys for client domains, so that mail.clientdomain.com has the matching SSL cert for that domain? Can both certs/keys be placed into the same files so that the client's email program will then see the cert for the client's domain? Stephen
Dovecot does support individual certs though. Since you probably ask regarding your customers then adding individual certs to dovecot would make their errors go away: https://community.letsencrypt.org/t/simple-guide-using-lets-encrypt-ssl-certs-with-dovecot/2921
Dovecot does not accept mails. This is done by your MTA (Postfix). Why use SNI for IMAP/POP3 if this won't work with SMTP? Besides this: SMTP is not HTTP - SMTPS is not HTTPS.
well, between mailservers it doesn't matter. However when a client wants to check his email or send an email he usually gets a warning because of the certs. You can avoid that by using the LE certs in dovecot as well.
well, dovecot or courier or some other program. Postfix is just an MTA while dovecot provides IMAP/POP3 capabilities. I think I'll check. I'll make a test account and manually add a LE SSL config for one of my domains.
so... and IMAP and POP3 are used to send mail? btw: you may use nginx as a reverse proxy to provide SNI for postfix.
if you use thunderbird or outlook, then they will send the email to dovecot. Dovecot hands it over to Postfix. Postfix will contact remote MTA. So thunderbird/outlook speak to dovecot and not to postfix.
No MUA will send mails to dovecot or courier. When you send a mail your MUA connects directly to postfix.
That is almost always true, though there are some proprietary implementations that do support sending over IMAP; courier happens to be one of them: http://www.courier-mta.org/imap/INSTALL.html#imapsend Postfix supports DANE, but I have no idea how many (if any) MUA clients do. With the keys for the server's certificate advertised in each domain's DNS, a client could know that it got the right certificate from the server and not complain; though I don't know if that would actually happen, as the common name still wouldn't match. It looks like stunnel and haproxy both support SNI and you could probably wrap port 587 with either, but again I wonder how many MUA clients are going to send the SNI TLS extension. Maybe some will, I really have no idea, but if they don't then there's no point in having the server support it (yet).
So we can't combine the certs from two different domains into the one file for use by postfix/dovecot? ie: /usr/local/ispconfig/interface/ssl/ispconfig.crt

-----BEGIN CERTIFICATE-----
MIIEJTCCAw2gAwIBAgIDAjp3MA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
[...]
gP8L8mJMcCaY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
[...]
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
As above, *postfix* does not support SNI; dovecot does. And no, you can't combine certs from two domains into the same file like that. dovecot does support SNI, but that's not how it's configured: each cert is in a separate file. See the SNI example at http://wiki.dovecot.org/SSL/DovecotConfiguration
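To make the last reply concrete, here is an added example of a Dovecot SNI configuration; it is not from the thread or from the ISPConfig project. Dovecot's own syntax is the `local_name` block: the top-level `ssl_cert`/`ssl_key` are the default pair (presented when the client sends no SNI name or an unknown one), and each `local_name` block names a separate certificate file for one hostname. The hostnames are the ones from the thread; the file paths assume a Let's Encrypt layout under /etc/letsencrypt/live and are an assumption.

```conf
# /etc/dovecot/conf.d/10-ssl.conf (added example; paths assumed)

ssl = required

# Default certificate: used when the client sends no SNI name,
# or a name that matches no local_name block below.
ssl_cert = </etc/letsencrypt/live/server.mydomain.com/fullchain.pem
ssl_key  = </etc/letsencrypt/live/server.mydomain.com/privkey.pem

# Per-client-domain certificate, selected by the SNI name the
# mail client sends in its TLS ClientHello. One block per hostname;
# each cert lives in its own file, never concatenated into the default one.
local_name mail.clientdomain.com {
  ssl_cert = </etc/letsencrypt/live/mail.clientdomain.com/fullchain.pem
  ssl_key  = </etc/letsencrypt/live/mail.clientdomain.com/privkey.pem
}

# Keep the private keys readable by root only; Dovecot reads them
# as root before dropping privileges, so the login processes never need them.
```

After `doveconf -n` shows the blocks and Dovecot has been reloaded, check which certificate is actually presented for a given name with `openssl s_client -connect server.mydomain.com:993 -servername mail.clientdomain.com` and compare the subject against a run without `-servername`; if both runs show the default certificate, the client either is not sending SNI or the `local_name` does not match exactly. Note that this only covers IMAP/POP3; submission on port 587 is still handled by Postfix, whose certificate selection is configured separately.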