Two problems: 1. IMAP/POP3 port security? 2. IMAP/POP3 certificate mismatch? **ISPconfig 3.1, nginx, postfix, dovecot, roundcube.** Perfect server guide. Debian 10. Mails send/receive successfully for all domains.
It says certificate does not match hostname. There is link to Tutorial on e-mail setup in my signature, follow that.
I looked through the email setup in your signature, and couldn't find what I'm looking for. The emails are sending correctly, and the URL for the mail client is HTTPS (even though I've never touched the mail tab in ISPCONFIG > System > Interface). It's just the PORT numbers (secondwebsite.xyz:portnum) are using a different certificate than the website itself (secondwebsite.xyz)? They are using the cert for mail.firstwebsite.xyz instead of secondwebsite.xyz (as shown in the picture), since mail.firstwebsite.xyz is where I log into all mail boxes for all websites. Could you offer any advice here?
ISPC only handles certificates for web (port 80 and 443). The certificates for mail and other services have to be done manually (although you can just link them to your web certificates). This is the guide you want to follow: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ Make sure that your mailname matches your hostname, your MX settings and the certificate domain.
Steini, the guide you linked was the one I remember following when setting up back in the day, word for word. They are all linked to mail.websitename.xyz, including ispconfig login, and roundcube login, dovecot and postfix. They all use one cert, with different certs generated via ispconfig panel for additional websites. When running a rating test through immuniweb, it showed the pic I linked (that the https port works very well, but not imap/pop3). Any suggestions?
Use a dedicated mail tester like https://mecsa.jrc.ec.europa.eu/ and show the results. Sometimes these tests are stupid. On this website you can click on the used certificate and see which one was used. As long as the certificate is valid for your MX, everything is fine. Your mailserver does not need individual certificates for all domains. (As long as you tell your users to connect to mail.website.com to send/receive mails and not theirindividualdomain.com)
Well, the test site gave me a high rating (STARTTLS, SPF, DMARC, MTA-STS), but I still don't understand why some websites testing SSL give different results. This one says DKIM not registered, others say it is. I know the email server is running top notch, but I don't understand how to enable matching certs over different ports, other than 443 HTTPS which ISPC does well.
P.S. Never set up BIND. Using DigitalOcean for hosting and adding records. Not even sure if this is a good practice...
Let's start over... to clear this all up in one go...
FQDN: mail.firstwebsite.xyz
First website: FIRSTwebsite.xyz, using cert FIRSTwebsite.xyz (HTTPS; gen via ISPC)
Roundcube: mail.FIRSTwebsite.xyz:8081, using cert mail.FIRSTwebsite.xyz (HTTPS)
ISPconfig: mail.FIRSTwebsite.xyz:8080, using cert mail.FIRSTwebsite.xyz (HTTPS)
Dovecot & Postfix: using cert mail.FIRSTwebsite.xyz
Second website: SECONDwebsite.xyz, using cert SECONDwebsite.xyz (HTTPS; gen via ISPC)
Second website: MX record pointing to mail.FIRSTwebsite.xyz (on DigitalOcean)
--------------------
Here is the thing: SECONDwebsite.xyz:443 HTTPS works perfectly. BUT. Apparently the SECONDwebsite.xyz:143 IMAP cert points to mail.FIRSTwebsite.xyz, and so does the SECONDwebsite.xyz:110 POP3 cert, and so do the FIRSTwebsite.xyz:110/143 certs. Is this fixable somehow? Is this already the best practice? HTF dads, save me! @till @ahrasis @Taleman @Steini86
Your IMAP and POP server uses the certificate for mail.FIRSTwebsite.xyz. Thus when you connect to the mail server and write mail.SECONDwebsite.xyz as the hostname, the certificate does not match. What is usually done is to tell all users to use mail.FIRSTwebsite.xyz when connecting to the mail server. Then the certificate matches.
You could do this with SNI. Both Postfix and Dovecot support this in their most recent versions. However, ISPC does not support this (yet?), so you would have to do this by yourself. While in principle it is possible, there is no reason to do it. It is completely common to use a dedicated domain for everything mail related. Another option is to use a certificate which is valid for all your domains. You could do this for example with a LE cert and DNS challenge. Again, I do not think it is necessary. It has almost no real-world application, it only gives you a point in this specific test.
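To reproduce what the scanner in this thread reported, and to verify a fix, here is an added shell check (not code from the thread or from ISPConfig): it opens a STARTTLS handshake on an IMAP/POP3/SMTP port with the hostname a user would type as SNI, then tests whether that name is covered by the presented certificate's SAN or CN entries. It assumes `openssl` on PATH; the hostnames are the thread's placeholders.

```shell
# Added example, not from the thread or ISPConfig. Assumes openssl on PATH;
# hostnames are the thread's placeholders, not real servers.

# Print the DNS names a PEM certificate covers: SAN entries, then the CN.
cert_names() {  # $1 = path to PEM certificate
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 if hostname $1 is covered by a name read from stdin: exact match, or a
# single leftmost wildcard label (*.x.xyz covers mail.x.xyz, not x.xyz or a.b.x.xyz).
name_matches() {  # $1 = hostname to check; candidate names on stdin
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    while IFS= read -r name; do
        name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        [ "$name" = "$host" ] && return 0
        case $name in
            \*.*) [ "${host%%.*}" != "$host" ] &&
                  [ "${host#*.}" = "${name#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# Fetch the leaf certificate $1:$2 presents when the client announces $3 via
# SNI and upgrades with STARTTLS ($4 = imap, pop3 or smtp). This is the
# handshake the thread's scanner performed on ports 143 and 110.
fetch_cert() {  # $1 = server, $2 = port, $3 = SNI name, $4 = STARTTLS protocol
    openssl s_client -connect "$1:$2" -servername "$3" -starttls "$4" \
        </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# Connect to $1:$2 as a user who typed $1 as the mail server, and report
# whether the presented certificate is valid for that name.
check_mail_cert() {  # $1 = hostname the user types, $2 = port, $3 = protocol
    tmp=$(mktemp)
    fetch_cert "$1" "$2" "$1" "$3" > "$tmp"
    if cert_names "$tmp" | name_matches "$1"; then
        echo "OK: $1:$2 presents a certificate valid for $1"
    else
        echo "MISMATCH: $1:$2 presents cert for: $(cert_names "$tmp" | paste -sd ' ' -)"
    fi
    rm -f "$tmp"
}
# Usage (needs network): check_mail_cert SECONDwebsite.xyz 143 imap
```

After telling users to connect to mail.FIRSTwebsite.xyz, running the same check against that name on 110, 143 and 587 should print OK on every port.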