Hi, I cannot connect to hosted domains using TLS/SSL on IMAP or SMTP and seem to get some ambiguous certificate errors that I lean to blame on wrong certificates. I only have the host certificate created by the ISPConfig install/upgrade script, which apparently does not do the job. I found this thread here https://forum.howtoforge.com/thread...rypt-certificates-via-cron-script-auto.86878/ on how to script auto certificate generation for mail domains. I however see in the script that it uses /var/www/*/ssl/ to find domains needing a certificate. These are not on my mail server, so I need an alternative way of finding hosted mail domains, maybe through a DB query that would create a mail domain list and pass it on to acme to create, or ignore if a cert already exists in acme. I'm not sure what would be a sensible way to go about this without breaking the ISPConfig system (I'd rather not). So I would appreciate advice on how to go about this, and have the following proposal: use the script above with a few changes, do a DB query for email domains and have acme create a certificate for mail.maildomain.foo; if this host certificate exists, acme will just fail on creating that certificate and keep on going until all mail domains have certificates and answer using TLS/SSL.
Are you sure you used the correct mail server name in your email client? You must use the server hostname for SMTP and IMAP in the email client and not a subdomain of a hosted mail domain. Using the subdomains of client domains does not scale well. Even as a small hoster, you easily have thousands of domains, and letting Postfix load a few thousand SSL certs is not that great; that's why separate certs are mostly used in small home setups or when you just have a few corporate domains and not a hosting company. So, unless you want to be limited to just a few client domains in the future, you had better use the default way ISPConfig has set up your system, which is to use a central SSL cert with just your email server hostname in it.
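Added example, not part of the thread or of ISPConfig's code: a simplified version of the name check a mail client performs, showing why a client configured with mail.clientdomain.is rejects a central certificate that holds only the server hostname. The SAN list is constructed from hostnames mentioned in the thread, and the function names are hypothetical; real clients apply the fuller RFC 6125 rules.

```python
# Simplified hostname verification against a certificate's dNSName SAN entries.
# Assumption: the certificate itself is otherwise valid (chain, dates); only the
# name check that produces "certificate does not match" errors is modelled here.

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against the host the client connected to."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard never spans more than one label, and never zero labels.
        return False
    if p[0] == "*":
        # Wildcard only as the complete left-most label, and only when at
        # least two further labels follow (rejects patterns such as "*.is").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify(configured_host: str, san_dns_names: list[str]) -> bool:
    """True if any SAN entry covers the hostname typed into the mail client."""
    return any(hostname_matches(san, configured_host) for san in san_dns_names)


def check_clients(san_dns_names: list[str], client_hosts: list[str]) -> dict[str, bool]:
    """Map each client-configured server name to its verification result."""
    return {host: verify(host, san_dns_names) for host in client_hosts}


# Constructed sample: a central certificate with just the server hostname in it.
CENTRAL_CERT_SANS = ["litlagra2.mydomain.is"]

# Constructed sample: names a client might enter as IMAP/SMTP server.
CLIENT_HOSTS = [
    "litlagra2.mydomain.is",   # server hostname: covered by the certificate
    "mail.clientdomain.is",    # per-domain name from the DNS template: not covered
    "mail.mydomain.is",        # different name on the same domain: not covered
]

if __name__ == "__main__":
    for host, ok in check_clients(CENTRAL_CERT_SANS, CLIENT_HOSTS).items():
        print(f"{host:28} {'accepted' if ok else 'name mismatch'}")
```
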
Hi, I did use the name that was generated in the DNS template that came with ISPConfig, which generates mail.clientdomain.is, as stupid as it is not changing that. Using the real hostname of the server does not generate an error when sending with TLS, but it does not deliver either. I have the feeling that I might need to change the hostname to the one that is reverse-DNS resolvable. I will try that and see, after regenerating certificates, if it works better. Now I'm using litlagra2.mydomain.is but should probably be using mail.mydomain.is, which is reverse resolvable in the ISP DNS.