Hi,

last week I had to reinstall my server. Since then I have problems with my Let's Encrypt and the mail server. ISPConfig is installed like this: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/

After this was fine I restored my backups. I went here: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/

My domain is pointing via an A record to my server IP, and I have set an MX record: mail.domain.com

So I walked through the guide and created a new website (with no customer?!) and set the alias domains. The website is mail.domain.com; as aliases I set smtp.domain.com, imap.domain.com and pop3.domain.com.

Then I went to sslshopper and checked. For mail.domain.com I got back

Code:
Common name: domain1.de
SANs: domain1.de, mail.domain.com, smtp.domain.com, www.domain1.de, www.xn--domain1-cua.de, xn--domain1-cua.de

domain1 is another customer I created. I'm confused.

Then I checked imap

Code:
Common name: imap.domain.com
SANs: imap.domain.com

Then I checked pop3

Code:
pop3.domain.com does not resolve to an IP address. Please make sure your DNS records are set up correctly.

I don't know what I have done wrong or how I can fix it. Is it possible to get all certificates deleted and created from scratch?

Then I read in the howto securing-your-ispconfig-3-managed-mailserver-with-a-valid-lets-encrypt-certificate that there is a subsection "Replacing the certificate with the Let's Encrypt certificate". In my folders there is no fullchain.cer. Is the howto outdated?

I hope someone can help me!
If you installed with the ISPConfig auto install, it creates a certificate for the server and uses that certificate for services like e-mail. Did you have a reason to use https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/ ?

Even if you need to use the "Securing your ispconfig ..." howto, you should first follow the Let's Encrypt FAQ to verify the requirements for LE are met and fix whatever it is that prevents LE from issuing the certificate.

The error

Code:
pop3.domain.com does not resolve to an IP address. Please make sure your DNS records are set up correctly.

means the DNS name service cannot resolve that address. LE cannot issue a certificate if DNS is missing info or does not point to the correct server. My signature has a link to DNS setup; it has info on how to troubleshoot DNS problems.
Hi, thanks for your feedback.

The server has a hostname from the hoster, like 123456.hoster.net. That's fine for the ISPConfig panel but not for my mails. That was the reason why I used the howto. In my old installation I also used imap.doman.com and so on.

You are right. The pop3 "subdomain" was not configured by the hoster. I have done this. Okay, one problem less. It looks like the checkbox now stays active. The log looks good too. But when I check, I don't understand what's happening.

Code:
imap.domain.com
Common name: imap.domain.com
SANs: imap.domain.com
Valid from August 19, 2022 to November 17, 2022

smtp.domain.com
Common name: mail.domain.com
SANs: imap.domain.com, mail.domain.com, pop3.domain.com, smtp.domain.com
Valid from August 22, 2022 to November 20, 2022

pop3.domain.com
Common name: mail.domain.com
SANs: imap.domain.com, mail.domain.com, pop3.domain.com, smtp.domain.com
Valid from August 22, 2022 to November 20, 2022

mail.domain.com
Common name: domain1.de
SANs: domain1.de, mail.domain.com, smtp.domain.com, www.domain1.de, www.xn--domain1-cua.de, xn--domain1-cua.de
Valid from August 19, 2022 to November 17, 2022
Sorry, this is all a bit confusing, also because I've been stuck on it for a few days and can't get any further.

I go to https://www.sslshopper.com/ssl-checker.html and check my 4 (sub)domains, and they all give me different results for SANs and common names. But I would expect this:

Common name: mail.domain.com
SANs: imap.domain.com, pop3.domain.com, smtp.domain.com

Or do I understand something wrong?

I also see another problem in my mail log.

Code:
(delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)
(delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10026: Connection refused)
root@123456:/etc/postfix # iptables -L -n | grep 10024
root@123456:/etc/postfix # netstat -tap | grep 10024
root@123456:/etc/postfix # iptables -L -n | grep 10026
root@123456:/etc/postfix # netstat -tap | grep 10026

If I see it right, I use rspamd.

Code:
root@123456:/etc/postfix # systemctl status rspamd.service
● rspamd.service - rapid spam filtering system
     Loaded: loaded (/lib/systemd/system/rspamd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-08-22 12:34:55 CEST; 13min ago
       Docs: https://rspamd.com/doc/
   Main PID: 1395404 (rspamd)
      Tasks: 8 (limit: 154429)
     Memory: 151.9M
        CPU: 899ms
     CGroup: /system.slice/rspamd.service
             ├─1395404 rspamd: main process
             ├─1395405 rspamd: rspamd_proxy process (localhost:11332)
             ├─1395406 rspamd: controller process (localhost:11334)
             ├─1395407 rspamd: normal process (localhost:11333)
             ├─1395408 rspamd: normal process (localhost:11333)
             ├─1395409 rspamd: normal process (localhost:11333)
             ├─1395410 rspamd: normal process (localhost:11333)
             └─1395411 rspamd: hs_helper process

Aug 22 12:34:55 123456.hoster.net systemd[1]: Started rapid spam filtering system.
Aug 22 12:34:55 123456.hoster.net rspamd[1395404]: 2022-08-22 12:34:55 #1395404(main) <31e7eb>; main; main: rspamd 3.2 is loading configuration, build id: release

Code:
root@123456:/etc/postfix # fgrep -Ri -e "10024" -e "10026" *
main.cf:content_filter = lmtp:[127.0.0.1]:10024
main.cf~:content_filter = lmtp:[127.0.0.1]:10024
main.cf~3:content_filter = lmtp:[127.0.0.1]:10024
tag_as_foreign.re:/^/ FILTER lmtp:[127.0.0.1]:10024
tag_as_foreign.re~:/^/ FILTER lmtp:[127.0.0.1]:10024
tag_as_originating.re:/^/ FILTER lmtp:[127.0.0.1]:10026
tag_as_originating.re~:/^/ FILTER lmtp:[127.0.0.1]:10026

I haven't changed the config manually. I used the autoinstall script (wget -O - https://get.ispconfig.org | sh -s -- --use-ftp-ports=40110-40210 --unattended-upgrades=autoclean --lang=de)
I'm not sure, but it is amavis that uses ports 10024 and 10026. So if you use rspamd maybe something is wrong? Is some service not running? See with

Code:
systemctl --state=failed
Code:
systemctl --state=failed
  UNIT                  LOAD   ACTIVE SUB    DESCRIPTION
● console-setup.service loaded failed failed Set console font and keymap

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
1 loaded units listed.

Okay, that's my fault!

Code:
In ISPConfig navigate to System > Server Config > Mail. There change the value of the field Content Filter from Amavisd to Rspamd.

Because I restored my old config! And in the old installation I used Amavisd.

Okay, but the mailq still says "(delivery temporarily suspended: connect to 127.0.0.1[127.0.0.1]:10024: Connection refused)". I tried "postqueue -f" but it seems nothing happened.

Okay, in the time I wrote this I tried "postsuper -r ALL && postqueue -f" and this sent my mails. I can send and receive mails, but with a cert error.

Okay... now back to my cert problem.
Okay... my cert problem seems to be resolved?! I checked the certificate on other sites and there it is "right".

Code:
Common names
mail.domain.com
Alternative names
imap.domain.com
mail.domain.com
pop3.domain.com
smtp.domain.com

Also something happened...

Code:
root@123456:~/.acme.sh # ll mail.domain.com/
total 24K
drwxr-xr-x 2 root root 4.0K Aug 22 08:24 .
drwx------ 7 root root 4.0K Aug 22 08:30 ..
-rw-r--r-- 1 root root  380 Aug 22 08:24 mail.domain.com.conf
-rw-r--r-- 1 root root 1.8K Aug 22 08:24 mail.domain.com.csr
-rw-r--r-- 1 root root  242 Aug 22 08:24 mail.domain.com.csr.conf
-rw------- 1 root root 3.2K Aug 22 08:24 mail.domain.com.key

Now it looks like this:

Code:
root@123456:~/.acme.sh/mail.domain.com # ll
total 44K
drwxr-xr-x 3 root root 4.0K Aug 22 11:08 .
drwx------ 7 root root 4.0K Aug 22 08:30 ..
drwxr-xr-x 2 root root 4.0K Aug 22 11:08 backup
-rw-r--r-- 1 root root 3.7K Aug 22 11:08 ca.cer
-rw-r--r-- 1 root root 6.0K Aug 22 11:08 fullchain.cer
-rw-r--r-- 1 root root 2.3K Aug 22 11:08 mail.domain.com.cer
-rw-r--r-- 1 root root 1.1K Aug 22 11:08 mail.domain.com.conf
-rw-r--r-- 1 root root 1.8K Aug 22 11:08 mail.domain.com.csr
-rw-r--r-- 1 root root  242 Aug 22 11:08 mail.domain.com.csr.conf
-rw------- 1 root root 3.2K Aug 22 11:08 mail.domain.com.key

What I have now done is

Code:
root@123456:/etc/postfix # ln -fs /root/.acme.sh/mail.domain.com/fullchain.cer smtpd.cert
root@123456:/etc/postfix # ln -fs /root/.acme.sh/mail.domain.com/mail.domain.com.key smtpd.key
root@123456:/etc/postfix # systemctl restart postfix && systemctl restart dovecot

And since then my K9 and my Thunderbird don't show any cert error.
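
Added example, not part of the thread: a POSIX shell pre-flight for the last step above, checking that a certificate lists every mail hostname and that the key belongs to it before the pair is linked into Postfix and Dovecot. The function names and the example.test hostnames are made up for illustration, and it assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread: checks to run on an acme.sh certificate
# before linking it into Postfix/Dovecot. Function names are illustrative.

# Print the DNS names in the leaf certificate's SAN extension, one per line.
cert_sans() (
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
)

# Print each required hostname the certificate does not cover.
# A name counts as covered by an exact SAN or a one-label wildcard SAN.
missing_names() (
    sans=$(cert_sans "$1"); shift
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxiF -e "$name" -e "*.${name#*.}" ||
            printf '%s\n' "$name"
    done
)

# Succeed only if the private key belongs to the leaf certificate.
key_matches_cert() (
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
)

# preflight CERT KEY NAME...: report problems, exit non-zero if any.
preflight() (
    cert=$1 key=$2; shift 2; rc=0
    key_matches_cert "$cert" "$key" || { echo "key does not match $cert"; rc=1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate expired or unreadable"; rc=1; }
    missing=$(missing_names "$cert" "$@")
    [ -z "$missing" ] || { echo "not covered:" $missing; rc=1; }
    exit "$rc"
)

# Constructed sample input: a throwaway self-signed certificate for
# placeholder names under example.test, written into directory $1.
make_demo_cert() (
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/demo.key" -out "$1/demo.cer" -subj "/CN=mail.example.test" \
        -addext "subjectAltName=DNS:mail.example.test,DNS:imap.example.test,DNS:smtp.example.test" \
        2>/dev/null
)
```

With the files from the thread the call would be `preflight /root/.acme.sh/mail.domain.com/fullchain.cer /root/.acme.sh/mail.domain.com/mail.domain.com.key mail.domain.com smtp.domain.com imap.domain.com pop3.domain.com`.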