How to work with SSL on one server, which read/send the mails from/to more domain ?

Discussion in 'Installation/Configuration' started by Hifik, Sep 25, 2016.

  1. Hifik

    Hifik New Member

    Hi friends :)
    I promised to make a professional post server to my friend.

    So I found and studied Your excellent manual for Debian "Perfect-server-debian-8-4-jessie-apache-bind-dovecot-ispconfig-3-1".
    I made and livened the server with it. The server works in test mode but till now WITHOUT SSL. It works include ISPConfig 3.0.5.4p9.

    The technical requests received from my friend was these:


    1) a professional post server for small internet provider here in Czech Republic - one small town and some villages around.

    2) it will work for about 200 people (mailboxes)

    3) main domain will be only ONE (name of server = postak.vscom.cz ) ...on this main domain will run the server with all services (ex : ISPConfig, web interface Apache2, Postfix (for TLS connections), Courier and Dovecot (for POP3s and IMAPs), and PureFTPd (for TLS/FTPES). etc.

    BUT this server will receive the mails for more domains (see example below):

    domainname2.cz
    domainname3.cz
    domainname4.cz
    ...
    domainname9.cz

    4) connection between the people must be SSL (receiving on the port 995 and sending via 465 or 587)

    5) people will use mail Client software OR webmail (Your Roundcube is already works - very nice !)

    It means: Postfix with other services will receive mail for people mentioned up and put it to the mailboxes on the server.
    for example: somebody will send a mail to [email protected] and this e-mail will be received via mentioned post server ( postak.vscom.cz ) and placed to the local mailbox on mentioned server.

    People (customers) will download mails via POP3 protocol the mails from mailboxes to their PC´s and NTB´s (maybe later also via IMAP ...)
    And the post server (POSTFIX) will send a mail for them, of course ...

    And my questions are:
    How to work in this case with SSL certificate ? Because it is only ONE server for all services BUT works (read them) with mails for more domains.
    Must I have a certificate for more domains OR only for ONE ( main server) ?
    Moreover: my friend already got from his big internet provider (they have from them some public IP addresses) free of charge a certificate for server "postak.vscom.cz", but it was NOT generated via request directly from this mail server. (format of it is that: PFX (for certificate) and PEM (for private key).
    Is it sufficient and usable ? And if Yes, how to implement this to the server? As I know, normal system is to generate request (and private key of course) directly from the final server and certificate, received from the certificate authority, put to the server ...
    Till now post server works on the old Windows mail server, but i must quickly finish my already prepared new Debian server.

    The only problem is SSL certification.
     
    Last edited: Sep 26, 2016
  2. Hifik

    Hifik New Member

    Nobody knows, how to implement already externally generated server certificate by hand ? In time of installation have been generated (on all services like Apache2, Postfix etc.) self issued certificates (as showed in the manual).
    Now I would like to replace them with certificate, which my friend got from his ISP). This certificate has NOT BEEN generated on this server.
    Thanks in advance for any help.
     
  3. sjau

    sjau Local Meanie Moderator

    For postfix/dovect you can either use a cert with a single domain name or one with multiple domain names (SAN).

    I have a seperate Let's Encrypt installation on which I use a bash script to generate SAN certs. In Postfix I then link to them like this (main.conf)
    Code:
    smtpd_tls_cert_file = /etc/ispcSSL/live/ispc.domain.tld/fullchain.pem
    smtpd_tls_key_file = /etc/ispcSSL/live/ispc.domain.tld/privkey.pem
    
    And in dovecote I use this (dovecot.conf):
    Code:
    ssl_cert = </etc/ispcSSL/live/ispc.domain.tld/fullchain.pem
    ssl_key = </etc/ispcSSL/live/ispc.domain.tld/privkey.pem
    
    In order for the ISPC control panel to use the cert, you have to copy them to
    /usr/local/ispconfig/interface/ssl, however I did symlink them:

    Code:
    root@manager ~ # cd /usr/local/ispconfig/interface/ssl
    root@manager /usr/local/ispconfig/interface/ssl # ls -al
    drwxr-s--- 2 root      root      4.0K Sep 28 10:21 .
    drwxr-s--- 8 ispconfig ispconfig 4.0K Aug 26  2014 ..
    -rwxr-x--- 1 root      root        45 Jul 28 15:33 empty.dir
    lrwxrwxrwx 1 root      root        59 Sep 28 10:20 ispserver.bundle -> /etc/ispcSSL/live/ispc.domain.tld/fullchain.pem
    lrwxrwxrwx 1 root      root        54 Sep 28 10:20 ispserver.crt -> /etc/ispcSSL/live/ispc.domain.tld/cert.pem
    lrwxrwxrwx 1 root      root        57 Sep 28 10:21 ispserver.key -> /etc/ispcSSL/live/ispc.domain.tld/privkey.pem
    -rwxr-x--- 1 root      root      3.3K Oct 21  2015 ispserver.key.secure
    
     

Share This Page