Hello, I have bumped into the following how-to: Securing your ISPConfig 3 managed mailserver with a valid Let's Encrypt SSL certificate. But I think that applies to just one mail server name. I need to configure separate mail server names with SSL in order to avoid reconfiguring all client PCs, e.g. mail.domain1.com, mail.domain2.com, mail.domain3.com. Thank you
You can use that guide for this purpose, you just have to add the additional subdomains as sub- or alias domains to the website that is used to create the SSL cert. But be aware that Let's Encrypt has a limit of 100 domains per cert, so if you have more than 100 clients, it will not work.
Thank you, I do not have subdomains but I have different domains. My server is cp2.mycompany.com and all the others are mail.domain1.com, mail.domain2.com.
Which is perfectly fine, and I already explained to you how to do that in my post above, as you don't seem to know what the difference between a domain and a subdomain is. Example: domain: mycompany.com, subdomain: cp2.mycompany.com. So you do not have domains, you have subdomains that you would like to add, and I explained above how to deal with that. And when you want to add a subdomain from a different domain to a website, use an alias domain, as mentioned in post #2.
Thank you for your reply. I have followed the mentioned how-to and configured the mail server to use the cp2.mycompany.com SSL cert. I have checked it and it worked as it should. I have added 2 domains, domain1.com and domain2.com, and added 2 subdomains, mail.domain1.com and mail.domain2.com. Both mail... subdomains resolve and both have SSL configured and checked with "SSL Checker", but when I try to configure my mail client I get a message that the SSL cert is not valid. Actually the server uses the SSL cert of cp2.mycompany.com and not the SSL cert of mail.domain1.com. I also tried to enter mail.domain1.com as an alias to cp2.mycompany.com. But again I get the same message.
I am not sure if it is an Apple Mail specific error. The certificate's name remains cp2.mycompany.com, although as an alias it contains mail.domain1.com. Safari is able to resolve https://mail.domain1.com without any warnings, but Apple Mail has issues and it is not possible to proceed. The warning is: cp2.mycompany.com certificate name does not match input. I guess that Apple Mail expects a mail.domain1.com name on the certificate. Unfortunately it is not Apple Mail specific. Thunderbird also issues a warning when trying to send: You are about to override how Thunderbird identifies this site.
Multidomain certs always have a single 'master' name and aliases, which should be fine for any mail client. I don't use Apple Mail, but I'm quite sure Thunderbird has no issues with that. Maybe the mail clients have cached the old cert somehow? Or just SMTP (Postfix) or IMAP (Dovecot) responds with the correct cert but not both? Or it's an issue with the SSL chain certs.
Thank you for your reply, Till. Every time I get the warning I click on "view" to check which SSL cert is served. It is always the correct multidomain SSL cert from Let's Encrypt, cp2.mycompany.com. I can tell it from the expiration date. I have double checked it and cleared any saved SSL certs in Thunderbird and Safari. As for Apple Mail, there is no direct option to save one. Safari, Firefox... seem to have no issue when pointing to mail.domain1.com, although the SSL cert's name is still cp2.mycompany.com. Both Apple Mail and Thunderbird (Mac version) display almost the same message, that the SSL cert identifies itself with the wrong name. When I move these domains to other servers (not ISPConfig) and create new SSL certs, the mail clients have no issues. I have searched it and tested it in every way I could with SSL testers. Does any other Apple user have such an issue? Since this is a test server for me, do you think that if I recreate it the problems will disappear?
Which macOS version do you use? Older versions tend to have issues with Let's Encrypt certs. And please post the content of the Postfix /etc/postfix/main.cf file and the /etc/dovecot/dovecot.conf file. No, I don't think there is an issue with the general server setup, it's just an issue with the SSL cert.
postfix Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
myhostname = cp1.mycompany.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = cp1.mycompany.com, localhost, localhost.localdomain
relayhost =
inet_protocols = all
html_directory = /usr/share/doc/postfix/html
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_reject_unlisted_sender = no
virtual_transport = lmtp:unix:private/dovecot-lmtp
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
address_verify_negative_refresh_time = 60s
enable_original_recipient = no
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
authorized_flush_users =
authorized_mailq_users = nagios, icinga
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
address_verify_sender_ttl = 15686s
smtp_dns_support_level = dnssec
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
message_size_limit = 0

dovecot Code:
# Do not change this file, as changes will be overwritten by any ISPConfig update.
# Put your custom settings in /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master.
# To start using those changes, do a force upgrade and let it reconfigure your services.
# (ispconfig_update.sh --force)
listen = *,[::]
protocols = imap pop3 lmtp sieve
auth_mechanisms = plain login
disable_plaintext_auth = no
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_privileged_group = vmail
postmaster_address = [email protected]
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_dh = </etc/dovecot/dh.pem
ssl_min_protocol = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no
mail_max_userip_connections = 100
mail_plugins = quota
passdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
userdb {
  driver = prefetch
}
userdb {
  args = /etc/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  quota = dict:user::file:/var/vmail/%d/%n/.quotausage
  # no longer needed, as 'sieve' is in userdb extra fields: sieve=/var/vmail/%d/%n/.sieve
  sieve_before=/var/vmail/%d/%n/.ispconfig-before.sieve
  sieve_after=/var/vmail/%d/%n/.ispconfig.sieve
  sieve_max_script_size = 2M
  sieve_max_actions = 100
  sieve_max_redirects = 25
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  unix_listener auth-userdb {
    group = vmail
    mode = 0600
    user = vmail
  }
  user = root
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
lmtp_rcpt_check_quota = yes
service imap-login {
  client_limit = 1000
  process_limit = 512
}
protocol imap {
  mail_plugins = $mail_plugins quota imap_quota
  auth_verbose = yes
}
protocol pop3 {
  pop3_uidl_format = %08Xu%08Xv
  mail_plugins = $mail_plugins quota
  auth_verbose = yes
}
protocol lda {
  postmaster_address = [email protected]
  mail_plugins = $mail_plugins sieve quota
}
protocol lmtp {
  postmaster_address = [email protected]
  mail_plugins = $mail_plugins quota sieve
}
service stats {
  unix_listener stats-reader {
    user = vmail
    group = vmail
    mode = 0660
  }
  #2.3+
  unix_listener stats-writer {
    user = vmail
    group = vmail
    mode = 0660
  }
}
service quota-status {
  executable = quota-status -p postfix
  unix_listener /var/spool/postfix/private/quota-status {
    group = postfix
    mode = 0660
    user = postfix
  }
  client_limit = 1
}
plugin {
  quota_status_success = DUNNO
  quota_status_nouser = DUNNO
  quota_status_overquota = "552 5.2.2 Mailbox is full"
}
!include_try conf.d/99-ispconfig-custom-config.conf
I have edited your reply and added code tags to make it more readable. Please do that in the future. Which version of macOS are you on?
The config looks fine so far, please post the output of: ls -la /etc/postfix/smtpd.cert This should be a symlink pointing to the SSL cert in the /usr/local/ispconfig/interface/ssl/ folder. Look into the cert file where /etc/postfix/smtpd.cert points to: does it contain just the SSL cert, or does it also contain the chain certificates (multiple SSL cert sections in the same file)?
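Two things asked for in this thread, whether Postfix (SMTP STARTTLS) and Dovecot (IMAPS) each hand out a cert whose SANs cover mail.domain1.com and whether the cert file holds only the leaf or the chain as well, can be checked with the following script. It is an added example, not code from the thread or from ISPConfig; the host names and ports are assumptions.

```python
"""Added example (not from the thread): fetch the certificate that Postfix (STARTTLS on
submission) and Dovecot (IMAPS) actually serve, test whether its dNSName SANs cover a
mail host such as mail.domain1.com, and count the certs in a PEM bundle like smtpd.cert."""
import imaplib
import smtplib
import ssl


def name_covered(san_names, hostname):
    """True if hostname is matched by a dNSName SAN: exact, or a single-label wildcard."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        # "*.domain1.com" covers mail.domain1.com but not domain1.com or a.b.domain1.com
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def dns_sans(peercert):
    """dNSName entries from the dict SSLSocket.getpeercert() returns (empty if none)."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def count_pem_certs(pem_text):
    """Number of CERTIFICATE blocks: 1 means leaf only, more means leaf plus chain."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def served_sans(host, port, service):
    """Connect the way a mail client does and return the SANs of the cert the server sends."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # the name is judged by name_covered() instead
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must still validate, else getpeercert() is empty
    if service == "smtp":                 # Postfix: plaintext connect, then STARTTLS
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return dns_sans(smtp.sock.getpeercert())
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as imap:   # Dovecot: implicit TLS
        return dns_sans(imap.socket().getpeercert())


if __name__ == "__main__":
    # Hypothetical names taken from the thread; substitute your own server and mail host.
    for service, port in (("smtp", 587), ("imap", 993)):
        sans = served_sans("cp2.mycompany.com", port, service)
        print(service, sans, "covers mail.domain1.com:", name_covered(sans, "mail.domain1.com"))
```

If the SMTP and IMAP results differ, one daemon is still serving an older cert and needs a reload; if both lack mail.domain1.com, the cert that /etc/postfix/smtpd.cert points to is not the multidomain one.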
It shall not point to that directory, but if it does, we'll know why it does not work: the symlink is not correct. See the symlinking steps in https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
Ok, yes. What I said is how it works on a standard ISPConfig setup. I was not aware that you changed it in your guide.
I did, the reason for that is that you might want to use a separate certificate for your mailserver and for the panel.
root@cp1:~# ls -la /etc/postfix/smtpd.cert lrwxrwxrwx 1 root root 48 Feb 25 15:29 /etc/postfix/smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt