ISPconfig-3.2.11p2 and Thunderbird

Discussion in 'Installation/Configuration' started by Michel-André, Jun 5, 2024.

  1. Michel-André

    Michel-André New Member

    Hi all,
    I am writing a document on the installation of ISPconfig for the registered customers of my web site.
    The goal is to use ISPconfig as a home server.

    On a Proxmox-8.2.2 running a Debian-12 LTS virtual machine (debian.toto.org), I installed ISPconfig following the ISPConfig auto-installer (Perfect Server Automated ISPConfig 3 Installation on Debian 11 and Debian 12, Ubuntu 20.04 and Ubuntu 22.04). No reseller stuff, mainly web sites and mail (Fail2ban, etc, OK).
    My main web site on ISPconfig is toto.org.
    Everything is working as it should.
    I can connect to the web site from LOCAL LAN using Firefox and from the internet using TOR.
    I can connect to webmail from LOCAL LAN using Firefox and from the internet using TOR.
    I can send/receive mail using Thunderbird from/to anybody from LOCAL LAN and from the internet.
    A regular Thunderbird user can receive and respond to mail from/to a webmail user of ISPconfig.

    The only problem I have is to create a new mail user (from ISPconfig) in Thunderbird.

    When creating the user in Thunderbird, it finds the user giving mail.toto.org and port 465 with SSL/TLS and normal password; imap.toto.org and port 993 with SSL/TLS and normal password.
    After the creation of the user, Thunderbird cannot connect to ISPconfig to check for mail.
    I tried all kinds of modifications for ports and other parameters.

    The used certificate displayed in Thunderbird is the ISPconfig default one with the DE name at the top of the certificate and does not contain any reference to imap.toto.org.

    A friend using the exact same setup as mine has no trouble creating an Outlook user.

    QUESTIONS:
    What is the best way for the creation of a certificate in ISPconfig that will contain mail, smtp, and imap?
    How to assign it to the mail of the web site toto.org?
    I tried adding the Aliases smtp and imap to toto.org domain but the certificate does not contain any references to those.

    What is the best way to create the certificate for the managing page and the ones for the mail/web sites?

    Is there a way to use the staging Let's Encrypt server so to not go over the 5/7 limit?

    Is there documentation for Let's Encrypt and ISPconfig?

    Michel-André
     
  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    It is not a bad practice to use the main MX server as host for the domain. If you like to have thunderbird know where/what services are
    http://www.pscs.co.uk/manual/mozilla-thunderbird-autodiscov.html
    would be needed.
    Configuring SNI in Dovecot is probably more difficult. Maybe Outlook does already prefer the MX entry as default host?

    Regarding the cert, maybe @till can correct me on that for ispconfig

    https://www.howtoforge.com/perfect-server-debian-12-buster-apache-bind-dovecot-ispconfig-3-2/
    Can you verify "/etc/postfix/master.cf" step => Uncomment the submission and submissions sections as follows ?


    which ports are used?
    netstat -tulpen
    ufw status
     
  3. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/

    See Let's Encrypt error FAQ to find out why Let's encrypt refused to add the subdomains to the SSL cert:

    https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/
     
    ahrasis likes this.
  5. Michel-André

    Michel-André New Member

    Hi ztk.me & Till

    Thank you both for your posts.
    What can I do to be able to post a link in a post???
    I found an example for IMAP : I CANNOT POST THE LINK HERE...
    --------------------------------------------------
    Code:
    <clientConfig version="1.1">
       <emailProvider id="toto.org">
           <domain>toto.org</domain>
           <displayName>TITRE-Messagerie de toto.org</displayName>
           <displayShortName>Micronator</displayShortName>
           <incomingServer type="imap">
               <hostname>imap.toto.org</hostname>
               <port>993</port>
               <socketType>SSL</socketType>
               <authentication>password-cleartext</authentication>
               <username>%EMAILADDRESS%</username>
           </incomingServer>
    
           <outgoingServer type="smtp">
               <hostname>mail.toto.org</hostname>
               <port>465</port>
               <!-- port 465 is implicit TLS, so socketType must be SSL; STARTTLS belongs with port 587 -->
               <socketType>SSL</socketType>
               <authentication>password-cleartext</authentication>
               <username>%EMAILADDRESS%</username>
           </outgoingServer>
           <documentation url="http://email-hilfe.freenet.de/documents/Beitrag/15916/einstellungen-serverdaten-fuer-alle-e-mail-programme">
               <descr lang="de">Allgemeine Beschreibung der Einstellungen</descr>
               <descr lang="en">Generic settings page</descr>
           </documentation>
           <documentation url="http://email-hilfe.freenet.de/documents/Beitrag/15808/thunderbird-e-mail-empfang-versand-einrichten-ueber-imap">
               <descr lang="de">TB 2.0 IMAP-Einstellungen</descr>
               <descr lang="en">TB 2.0 IMAP settings</descr>
           </documentation>
       </emailProvider>
    </clientConfig>
    --------------------------------------------------
    On Ubuntu 22.04, kmail sees the title TITRE-Messagerie de toto.org, which means the file is reachable and kmail reads the file.
    But kmail is complaining about the certificate.
    =============================================================
    Then, you can redo the SSL cert creation for the system-wide SSL cert at any time using the following command:
    Code:
    ispconfig_update.sh --force
    -------------------------------------
    ERROR:
    Code:
    [...]
    Checking ISPConfig database .. mysqlcheck: Got error: 1698: Access denied for user 'root'@'localhost' when trying to connect
    OK
    ERROR 1698 (28000): Access denied for user 'root'@'localhost'
    Unable to call mysql command line with credentials from mysql_clientdb.conf
    [...]
    
    -------------------------------------
    The file /usr/local/ispconfig/server/lib/mysql_clientdb.conf had the original password for superuser root, which I changed when I installed ISPconfig.
    I was able to connect to: I CANNOT POST THE LINK HERE... with the new password I changed after installation.
    I changed to the new password in mysql_clientdb.conf and did another ispconfig_update.sh --force, and it worked this time.
    -------------------------------------
    The problem is still there and I am quite sure it is the certificate of the debian.toto.org that is not right.
    There is my main NethServer connected to the ADSL modem and I configured it to redirect everything it receives from the internet for toto.org to local ISPconfig server on 10.10.10.120.
    I did request a LE certificate for NethServer in the name of toto.org and attached it to all redirected links.

    With TOR, that is the certificate it sees when accessing toto.org

    With Firefox on LOCAL LAN, it receives the real LE certificate from toto.org which is different from the one used by the NethServer.

    Maybe that is the problem of the certificate with Thunderbird.

    I will replace the NethServer certificate with the one from toto.org.

    I will create a drawing of my network and post a link to it. It will be easier to understand.

    Any suggestions?

    Michel-André
     
    Last edited: Jun 6, 2024
    ztk.me likes this.
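    The two things that go wrong in the autoconfig file above (a port/socketType pair the client will not accept, and a server hostname that the served certificate does not list in its subjectAltName) can be checked offline before pointing Thunderbird or KMail at the file. This is an added example, not code from the thread or from ISPConfig; the XML and the SAN list inside it are constructed samples, and the SAN list stands in for the output of `openssl x509 -in cert.pem -noout -ext subjectAltName`.

```python
"""Check a Thunderbird/KMail autoconfig (clientConfig) file: are port and
socketType consistent, and is every server hostname covered by the certificate's
subjectAltName entries?  XML and SAN list below are constructed samples."""
import xml.etree.ElementTree as ET

# Port -> socketType that mail clients expect: 465/993 are implicit TLS
# ("SSL" in autoconfig terms), 587/143 are STARTTLS.
EXPECTED_SOCKET = {"465": "SSL", "993": "SSL", "587": "STARTTLS", "143": "STARTTLS"}

# Constructed autoconfig, reproducing the 465 + STARTTLS mistake from the thread.
SAMPLE_CONFIG = """<clientConfig version="1.1">
  <emailProvider id="toto.org">
    <domain>toto.org</domain>
    <incomingServer type="imap">
      <hostname>imap.toto.org</hostname><port>993</port><socketType>SSL</socketType>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.toto.org</hostname><port>465</port><socketType>STARTTLS</socketType>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""

# Constructed SAN list for a default ISPConfig cert that only names the web site
# and the system hostname, i.e. no imap./mail. entries.
SAMPLE_SANS = ["toto.org", "www.toto.org", "debian.toto.org"]


def servers(xml_text):
    """Yield (hostname, port, socketType) for each incoming/outgoing server."""
    for srv in ET.fromstring(xml_text).iter():
        if srv.tag in ("incomingServer", "outgoingServer"):
            yield srv.findtext("hostname"), srv.findtext("port"), srv.findtext("socketType")


def san_covers(hostname, sans):
    """True if hostname matches a SAN exactly or via a single-label wildcard."""
    host = hostname.lower()
    parent = host.split(".", 1)[1] if host.count(".") >= 2 else None
    return any(s.lower() == host or (s.startswith("*.") and s[2:].lower() == parent)
               for s in sans)


def check_autoconfig(xml_text, sans):
    """Return a list of problems; an empty list means the file should work."""
    problems = []
    for host, port, sock in servers(xml_text):
        want = EXPECTED_SOCKET.get(port)
        if want and sock != want:
            problems.append(f"{host}:{port} uses {sock}, expected {want}")
        if not san_covers(host, sans):
            problems.append(f"{host} is not covered by certificate SANs {sans}")
    return problems
```

Run the check again after fixing the XML and re-issuing the certificate with the mail hostnames (or a wildcard) as SANs; an empty list means both causes of the Thunderbird failure are gone.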
  6. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    What steps regarding the web certificate did you do after changing the password in the file and making the cron run properly again?
    Are there any more errors in the ispconfig logs you can see in the web interface?
    Have you tried turning it off and on again ;) I mean the SSL/LE checkboxes for the ISPConfig website.
     
  7. Michel-André

    Michel-André New Member

    Hi ztk.me,

    Thank you for your reply.

    The ispconfig.log files look all empty ???
    There is no error in the Let's Encrypt log. It asked only the web certificate not the one for the FQDN.

    For the check box, I don't want to touch it as I might be near the limit of LE 5/7.
    If I were able to use the staging LE, it will be another story.

    I once had Thunderbird running correctly by requesting certs directly with the acme.sh script and adjusting the links of some files.
    Thunderbird was OK but I was not able to connect to the manager or web site anymore.
    I think I missed adjusting some links somewhere.

    I wish it would be as easy and complete as with Proxmox VE (the best Let's Encrypt implementation I ever saw).

    Do you know all the links to adjust for the certificate or how to force sub-domains (smtp, imap) to be included in the cert?

    I don't want that little Thunderbird problem as a show stopper for my documentation project :)

    Michel-André
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    With ISPConfig, it's fully automated, so it can't be easier. Your problem is not ISPConfig here; it's your network setup and that you want to use a wrong subdomain to access email in Thunderbird. ISPConfig is a control panel for hosting providers in data centers. It is typically run on servers directly connected to a public IP address, and the system hostname must be reachable from the internet on port 80 by Let's Encrypt to verify the SSL cert. As usual, for hosting setups, you use the system hostname for clients to connect to it, and the SSL cert is issued for that hostname by default. See here on how to create an email account in Thunderbird: https://www.howtoforge.com/ispconfig-email-account/ and which name to use for imap and smtp.

    The link I posted above regarding SSL for email is not used on any standard installation as it's not needed and does not make much sense, but as some users want to use other names in mail connections instead of the hostname e.g. when used at home or in office and not at a hosting provider, then you can use that setup.

    That's what I posted in #4:

    https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/

    As mentioned, it is not a recommended setup, but you can do it easily like that. Just do not touch acme.sh manually; if your setup is not broken right after you manually ran acme.sh, it will likely break on the next cert renewal. So either use the default SSL cert as recommended, or follow strictly this guide, but in any case, do not manually run acme.sh or certbot to create the certificate.

    Ok, this must clearly break your system. Not sure if it makes much sense to try to help you from here on; you should just reinstall and not manually mess with SSL certs. Instead use the default cert and the correct name for mail connections, which is the hostname you have chosen before you installed ISPConfig, and take care that your system is reachable from the internet so LE can verify the SSL cert for the hostname.
     
    ahrasis likes this.
  9. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Depending on your DNS provider, you could spin up a cheap acme-vps for yourself and use acme.sh with a dns plugin,
    have a trigger calling the ispconfig api to update ssl certs, set them to manual for this case.
    That is better than tampering with the ispconfig setup.

    use the domain.tld as name and add a -d *.domain.tld to get a wildcard one
    Code:
    ./acme.sh --issue --dns dns_inwx -d abc.com -d '*.abc.com' --debug
    you can check acme dns api to see how to provide the username and password via export
    or use manual/custom dns.

    If you need something for powerdns, I use this personally
    Edit: ugh that setup is old... it is actually using certbot ( mine ) did not have the priority to fix that :D
     
    Last edited: Jun 7, 2024
  10. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Just to make it clear, I meant running acme.sh on an isolated cheap server and call the ispconfig api
    from there to use a manual wildcard cert for a domain.

    In the long run: check your setup with tor and having the password changed after setup. Maybe this or the manual tampering might have broken something. Also what @till said ;)
     
    Last edited: Jun 7, 2024
    till likes this.
  11. Michel-André

    Michel-André New Member

    Hi all,

    Since 2003, I have always used the SME/Koozali/Nethserver server for a complete all-in-one system. Unfortunately since the CentOS adventure, NethServer will be in EOL at the end of June 2024.
    To replace NethServer, I chose ISPconfig because it is the closest one to NethServer. ISPconfig is the best server for a small and medium business system as well as for a home server.

    After my adventure trying to create a Thunderbird account for an ISPconfig user and after the wise advice received on this forum, I restarted the complete installation of Debian and ISPconfig following my documentation. Everything worked perfectly.

    For creating the Thunderbird account, I followed Till's excellent video "How to Add an Email Account in ISPConfig 3.2" and it didn't work.

    Last night I dreamed about this problem. When I woke up this morning, I realized that a server on a LOCAL network cannot request a Let's Encrypt certificate. This is why the acme.sh script was originally created. This script allows you to use DNS challenges instead of the well-known directory challenges. I have installed dozens and dozens of test servers on local networks. I've always used the acme.sh script and DNS challenges; it has always worked without exception. I don't understand why I didn't realize this fact immediately. Shame on me.

    This morning, I used the acme.sh script and its DNS challenges to create a test certificate for debian.toto.org and another one for toto.org. I created links for some files to point to these test certificates. I copied the test certificate files from toto.org into the web site toto.org in the ISPconfig manager. Checking access to ISPconfig manager, webmail etc, everything was working and using the test certificates.

    Without changing anything, I requested production certificates and this time I only copied the toto.org production certificate into the toto.org WEB site in the ISPconfig manager. Everything works and uses production certificates. I was able to create the Thunderbird account and it can receive/send emails everywhere: from/to local users and the Internet.

    All that remains is to automate the renewal of certificates and ISPconfig will work perfectly. I took a good look at Till's article "How to run commands on File or Directory changes with Incron on Ubuntu 16.04" and adapting it should solve the problem.

    I will open a new post for this procedure.

    Thank you all,

    Michel-André
     
    till likes this.
