I am using ISPConfig with LE on CentOS 7; we have 50+ domains hosted on the server. My users always face issues on iOS while configuring their emails. Can someone help me to resolve issues related to SSL/STARTTLS? Any link to a step-by-step guide will be of great help.
The issue is: if I check the SSL of florix.net or www.florix.net it shows a perfect certificate, but if I check mail.florix.net, it shows the default invalid certificate created by ISPConfig. In DNS, all subdomains point to the same IP address.
www.florix.net and mail.florix.net are two separate hostnames. If they both need to be included in the same certificate, make one an alias of the other and check the ISPConfig setting so it is included in the same certificate. On the other hand, if the hostname is mail.florix.net, ISPConfig automatically gets an LE certificate for it, and that certificate can be used in Postfix and Dovecot. Run ispconfig_update.sh --force and choose to get a new certificate. One way is to create the website mail.florix.net and let ISPConfig create the LE certificate. There is an outdated tutorial, not to be used with ISPConfig 3.2: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
Sounds like you're setting the DNS to be mail.<clientdomainname.tld> for each of your domains. It can be done this way (Postfix SNI) but not currently directly in ISPConfig. Your better option right now would be to set the MX records for all those domains to mail.<yourmaindomainname.tld> so everyone uses the same mail server hostname. With the release of Ubuntu 22.04, pure-ftpd should now include the pure-certd binary, allowing pure-ftpd to do SNI now; not sure if Debian 11 includes this yet, but that may give more incentive/inclination to put full SNI support for services other than Apache into ISPConfig going forward.
This is a good idea, to create mail.florix.net, but I have more than 20/25 domains on this server. My issue is: if mail.domain.com and www.domain.com point to the same IP and www.domain.com is showing a proper LE certificate, then why does mail.domain.com show the default certificate created by ISPConfig?
It is not recommended to use subdomains of a virtual mail domain (customer domain) to connect to your POP3 or IMAP server, as this does not scale well. A Let's Encrypt SSL cert can contain max. 100 domains incl. subdomains, so if you would e.g. assign each customer domain a pop3, imap and smtp subdomain, then your mail server is capable of hosting max. 33 customers overall, and you would have to change the cert for all customers each time one customer changes its domain or you get a new customer. So if you plan to have a larger setup with more customers, do it like most larger hosters are handling this, by telling your customers to use a single subdomain of your company domain as the IMAP/POP3 and SMTP server. Use a subdomain of your own company domain like mail.yourdomain.tld for all customers.
I am mostly giving the server name as the way to connect to SMTP or POP. My domain name is florix.com; I have two ISPConfig servers with many domains hosted on them. The server names are linode.florix.com and trinity.florix.com. First I will try to resolve the SSL issue for ISPConfig. Then I will look at SMTP/POP.
If I add these two subdomains in my DNS zone file and point them to the same IP address, will that work? My issue is that Postfix is using the default certificate created by ISPConfig; I think I will have to link the LE certificate for Postfix to work.
Read the full post I mentioned earlier and you will figure it out, including how to set up a good cert.
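The thread's underlying question is which hostnames the certificate a mail service presents actually covers, since a cert valid for www.florix.net says nothing about mail.florix.net. The following is an added example, not code from the thread or from ISPConfig: helpers that list a certificate's SANs, check a hostname against it, and fetch the live cert from an SMTP/IMAP/POP3 port. The hostnames and the self-signed test certificate are constructed for illustration; `probe_mail_cert` needs network access and is only an assumed usage.

```shell
#!/bin/sh
# Added example (not from the thread): see which hostnames a certificate
# covers, which is the question behind "www works but mail does not".

# Print the Subject Alternative Names of a PEM certificate (OpenSSL >= 1.1.1).
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tail -n +2 | tr -d ' '
}

# Succeed only if the certificate in $1 is valid for hostname $2.
# openssl prints "does match" / "does NOT match" and exits 0 either way,
# so the verdict is taken from the text rather than the exit status.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Fetch the certificate a live mail service presents for hostname $1 on port $2.
# $3 is the STARTTLS protocol (smtp, imap, pop3); leave it empty for implicit
# TLS ports such as 465/993/995. Network-dependent; assumed usage, e.g.:
#   probe_mail_cert mail.example.tld 587 smtp | openssl x509 -noout -ext subjectAltName
probe_mail_cert() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -starttls "$3" -servername "$1" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
    fi | openssl x509
}

# Create a throwaway self-signed certificate with the given SANs so the checks
# above can be exercised offline. Constructed test data, not a real cert.
make_test_cert() {   # $1 = output dir, $2 = comma-separated DNS names
    san=$(printf '%s' "$2" | sed 's/,/,DNS:/g')
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=${2%%,*}" -addext "subjectAltName=DNS:$san" >/dev/null 2>&1
}
```

A cert built for florix.net and www.florix.net passes `cert_matches_host` for those two names and fails for mail.florix.net, which is exactly the symptom reported above when the mail hostname is not part of the issued certificate.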