Enable Let's Encrypt for IMAP and POP

Discussion in 'General' started by florix.net, May 23, 2022.

  1. florix.net

    florix.net Member

    I am using ISPConfig with LE on CentOS 7.

    We have 50+ domains hosted on the server.

    My users always face issues on iOS while configuring their emails. Can someone help me to resolve issues related to SSL/STARTTLS?

    Any link to a step-by-step guide will be of great help.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What are the issues?
    My signature has link to e-mail setup Tutorial.
     
    Dennis_sp likes this.
  3. florix.net

    florix.net Member

    The issue is:
    if I check the SSL of florix.net or www.florix.net, it shows a perfect certificate,
    but if I check mail.florix.net, it shows the default invalid certificate created by ISPConfig.

    In DNS, all subdomains point to the same IP address.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    www.florix.net and mail.florix.net are two separate hostnames. If they both need to be included in the same certificate, make one an alias of the other and check the ISPConfig setting so it is included in the same certificate.
    On the other hand, if the hostname is mail.florix.net, ISPConfig automatically gets an LE certificate for it, and that certificate can be used in postfix and dovecot. Run ispconfig_update.sh --force and choose to get a new certificate.
    One way is to create website mail.florix.net and let ISPConfig create LE certificate.
    There is an outdated tutorial, not to be used with ISPConfig 3.2: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
     
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    sounds like you're setting the dns to be mail.<clientdomainname.tld> for each of your domains.
    it can be done this way (postfix SNI) but not currently directly in ispconfig.

    your better option right now would be to set the mx records for all those domains to mail.<yourmaindomainname.tld> so everyone uses the same mailserver hostname.

    with the release of ubuntu 22.04 pure-ftpd should now include the pure-certd binary, allowing pure-ftpd to do SNI now, not sure if debian 11 includes this yet, but that may give more incentive/inclination to put full SNI support for services other than apache into ispconfig going forward.
     
  6. florix.net

    florix.net Member

    This is a good idea to create mail.florix.net, but I have more than 20/25 domains on this server. My issue is: if mail.domain.com and www.domain.com point to the same IP and www.domain.com is showing a proper LE certificate, then why does mail.domain.com show the default certificate created by ISPConfig?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    It is not recommended to use subdomains of a virtual mail domain (customer domain) to connect to your POP3 or IMAP server as this does not scale well. A Let's Encrypt SSL cert can contain max. 100 domains incl. subdomains, so if you would e.g. assign each customer domain a pop3, imap and smtp subdomain, then your mail server is capable of hosting max 33 customers overall and you would have to change the cert for all customers each time one customer changes its domain or you get a new customer. So if you plan to have a larger setup with more customers, do it like most larger hosters are handling this by telling your customers to use a single subdomain of your company domain as imap/pop3 and smtp server. Use a subdomain of your own company domain like mail.yourdomain.tld for all customers.
     
    florix.net likes this.
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  9. florix.net

    florix.net Member

    I am mostly giving the server name as the way to connect to SMTP or POP.

    My domain name is florix.com. I have two ISPConfig servers with many domains hosted on them.

    server names are linode.florix.com and trinity.florix.com. First I will try to resolve the issue of SSL for ispconfig. Then I will see for SMTP/POP
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I'd recommend using smtp.florix.com and imap.florix.com in that case.
     
    florix.net likes this.
  11. florix.net

    florix.net Member

    If I add these two subdomains in my DNS zone file and point them to the same IP address, will that work?

    My issue is that postfix is using the default certificate created by ISPConfig. I think I will have to link the LE certificate for postfix to work.
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Read the full post I mentioned earlier and you will figure it out, including how to set up a good cert ;)
     
    florix.net likes this.
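
Added example (not from any poster in this thread and not ISPConfig code): a Python check that performs the same verified TLS handshake a mail client does against each IMAP, POP3 and SMTP port, and reports why the certificate is rejected for the hostname clients were given. The port list and the `mail.example.com` hostname are assumptions; substitute the names your users actually enter.

```python
import contextlib, imaplib, poplib, smtplib, socket, ssl

# Port -> how TLS starts: implicit ("tls") or STARTTLS inside the protocol.
MAIL_PORTS = {993: "tls", 995: "tls", 465: "tls",
              143: "imap", 110: "pop3", 587: "smtp"}
CLOSE = {"tls": "close", "smtp": "close", "pop3": "close", "imap": "shutdown"}

# OpenSSL verify result codes and what they mean for a mail client.
REASONS = {10: "certificate expired",
           18: "self-signed certificate",
           19: "self-signed certificate in chain",
           20: "issuer not trusted",
           62: "certificate does not cover this hostname"}

def classify(verify_code, verify_message=""):
    """Map an OpenSSL verify code to the reason a client rejects the cert."""
    return REASONS.get(verify_code, f"rejected ({verify_code}): {verify_message}")

def probe(host, port, timeout=10):
    """Verified TLS handshake against one mail port; 'ok' or the failure."""
    ctx = ssl.create_default_context()  # system CAs + hostname check
    mode, conn = MAIL_PORTS[port], None
    try:
        if mode == "tls":
            raw = socket.create_connection((host, port), timeout)
            conn = ctx.wrap_socket(raw, server_hostname=host)
        elif mode == "smtp":
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.starttls(context=ctx)
        elif mode == "imap":
            conn = imaplib.IMAP4(host, port, timeout=timeout)
            conn.starttls(ssl_context=ctx)
        else:
            conn = poplib.POP3(host, port, timeout=timeout)
            conn.stls(context=ctx)
        return "ok"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code, exc.verify_message)
    except Exception as exc:  # refused, timeout, STARTTLS not offered
        return f"no TLS session: {type(exc).__name__}"
    finally:
        with contextlib.suppress(Exception):  # cleanup must not mask result
            getattr(conn, CLOSE[mode])()

def audit(hostnames, ports=tuple(MAIL_PORTS)):
    """Probe every hostname clients are given on every mail port."""
    return {(h, p): probe(h, p) for h in hostnames for p in ports}

if __name__ == "__main__":
    # Placeholder hostname (constructed); use the names your users type in.
    for target, result in audit(["mail.example.com"]).items():
        print(target, "->", result)
```

A web check on port 443 says nothing about these ports: postfix and dovecot present their own configured certificate, so run this against every hostname handed out to mail users.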
