Let's Encrypt certificate for mail subdomain

Discussion in 'Installation/Configuration' started by profm2, Dec 9, 2020.

  1. profm2

    profm2 New Member

    What are the correct settings to set up a Let's Encrypt certificate for a subdomain?
    Running Ubuntu 20.04 / ISPConfig 3.2.1

    Last night, I followed the tutorial to secure the admin (8080) of ISPConfig. https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ So now server.maindomain.tld has a proper certificate.

    I have set up Let's Encrypt certificates for several domain.tld. I had all of the necessary DNS entries populated, including mail.domain.tld, before I set up the certificates. However, now, when I set up email for the domains using mail.domain.tld, email programs (Thunderbird and Android) claim the certificates are not valid. Pulling up the certificate info, it looks like I could use server.maindomain.tld, and that certificate does work correctly.

    However, I prefer not to give out server.maindomain.tld as the email server. I do have mail.domain.tld set up correctly, and emails work fine with SSL/TLS security exceptions.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. profm2

    profm2 New Member

    Ok, that makes sense for a single site server.

    I guess I didn't elaborate enough. How would I do:
    mail.domain1.tld
    mail.domain2.tld
    mail.domain3.tld

    Can you have multiple certificates set up for postfix/dovecot?
    ----------

    Interesting ... while searching for info, I ran across this post: https://forums.cyberpanel.net/discu...figure-multiple-domains-and-ssls-with-postfix
    (6th post)

    Original post: http://postfix.1071664.n5.nabble.co...r-TLS-SNI-feature-3-4-x-td100786.html#a101029

    Now I'm wondering if this would work in an automated (ISPConfig enhancement) way.
     
    Last edited: Dec 9, 2020
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This is noted in the tutorial: "After this you can add your other hostnames as alias domains, by going to the aliasdomain list and clicking "Add new aliasdomain". Select smtp.example.com as domain, and mail.example.com as parent website. Disable Auto-Subdomain and save the new record. Repeat this for your other hostnames, if any."
    Read this thread as well: https://www.howtoforge.com/communit...are-host-certificate-with-mail-domains.85681/ and eventually https://www.howtoforge.com/community/threads/email-domain-ssl-certificate.85575/

    TLDR: I advise you to let clients connect to smtp.hostingcompany.com and imap.hostingcompany.com instead of mail.clientdomain.com. This will save you time in the short and long term.
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Add multiple -d options to your certbot command. Something like:
    Code:
    fqdn="$(hostname -f)"
    email="root@$(hostname -d)"
    
    certbot auth --text --agree-tos --non-interactive \
            --cert-name "${fqdn}" --allow-subset-of-names --expand --keep-until-expiring --renew-with-new-domains \
            --webroot --webroot-path /usr/local/ispconfig/interface/acme/ \
            --email "${email}" -d "${fqdn}" \
            -d mail.domain1.tld -d mail.domain2.tld -d mail.domain3.tld
    
    Both services support that, but that is not setup by ISPConfig, you would have to set that up entirely yourself.
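A way to see the exact mismatch the mail clients in this thread are complaining about, as an added example that is not from the thread, ISPConfig or certbot: connect to the submission port (587, STARTTLS) and the IMAPS port (993) of a hostname you hand to clients, validate the chain against the system trust store, and report whether the names in the certificate postfix/dovecot actually serve cover that hostname. The two ports and the single shared certificate per service are assumptions.

```python
import smtplib
import socket
import ssl

def cert_names(cert):
    """DNS names from a getpeercert()-style dict; CN only when there is no SAN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Exact match, or a single '*' covering exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        first, _, rest = hostname.partition(".")
        return bool(first) and rest == pattern[2:]
    return False

def cert_covers(cert, hostname):
    """True when the certificate is valid for hostname the way a mail client checks it."""
    return any(name_matches(n, hostname) for n in cert_names(cert))

def fetch_cert(hostname, port, timeout=10):
    """Peer certificate of hostname:port (STARTTLS on 587, implicit TLS on 465/993/995).
    The chain is verified against the system trust store so getpeercert() is populated;
    the hostname check is left to cert_covers() so a mismatch is reported, not raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if port == 587:
        with smtplib.SMTP(hostname, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

def report(hostname, ports=(587, 993)):
    """Map port -> (certificate covers hostname?, names in the certificate)."""
    return {p: (cert_covers(c, hostname), cert_names(c))
            for p in ports for c in [fetch_cert(hostname, p)]}

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # the hostnames handed to mail clients, e.g. mail.domain1.tld
        for port, (ok, names) in report(host).items():
            print(f"{host}:{port} {'OK' if ok else 'MISMATCH'} cert names: {', '.join(names)}")
```

A MISMATCH line listing only server.maindomain.tld is the situation described in the first post; after the alias domains (or the extra -d names) are added and the services reloaded, every client-facing name should report OK on both ports.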
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I would not use certbot but use a site in ISPConfig instead, so it can't conflict in any way and adding a new alias is easy.
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Sorry, never mind this, I thought you wanted a certificate without your server's fqdn (so requesting one manually for postfix/dovecot could work), you just meant you don't want to give that out as the mail server name to customers. Definitely just add the aliases to your website as @Th0m mentioned.
     
  8. profm2

    profm2 New Member

    Thanks for the answers. I guess I need to train my search-fu better.

    Since the domains are personal and small, I'll just have the handful of people that are affected point to server.maindomain.tld
    Everything is happier that way, even if it doesn't "look" as nice.
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I would advise you to use mail. at least, so if you get a new server and migrate, clients don't have to change their settings.
     
