ISPconfig-3.2.11p2 and Thunderbird

Discussion in 'Installation/Configuration' started by Michel-André, Jun 5, 2024.

  1. Michel-André

    Michel-André New Member

    Hi all,
    I am writing a document on the installation of ISPconfig for the registered customers of my web site.
    The goal is to use ISPconfig as a home server.

    On a Proxmox-8.2.2 running a Debian-12 LTS virtual machine (, I installed ISPconfig following the ISPConfig auto-installer (Perfect Server Automated ISPConfig 3 Installation on Debian 11 and Debian 12, Ubuntu 20.04 and Ubuntu 22.04). No reseller stuff, mainly web sites and mail (Fail2ban, etc, OK).
    My main web site on ISPconfig is
    Everything is working as it should.
    I can connect to the web site from LOCAL LAN using Firefox and from the internet using TOR.
    I can connect to webmail from LOCAL LAN using Firefox and from the internet using TOR.
    I can send/receive mail using Thunderbird from/to anybody from LOCAL LAN and from the internet.
    A regular Thunderbird user can receive and respond to mail from/to a webmail user of ISPconfig.

    The only problem I have is to create a new mail user (from ISPconfig) in Thunderbird.

    When creating the user in Thunderbird, it finds the user giving and port 465 with SSL/TLS and normal password; and port 993 with SSL/TLS and normal password.
    After the creation of the user, Thunderbird cannot connect to ISPconfig to check for mail.
    I tried all king of modifications for ports and other parameters.

    The used certificate displayed in Thunderbird is the ISPconfig default one with the DE name at the top of the certificate and does not contain any reference to

    A friend using the exact same setup as mine has no trouble creating an Outlook user.

    What is the best way for the creation of a certificate in ISPconfig that will contain mail, smtp, and imap.
    How to assign it to the mail of the web site
    I tried adding the Aliases smtp and imap to domain but the certificate does not contain any references to those.

    What is the best way to create the certificate for the managing page and the ones for the mail/web sites.

    Is there a way to use the staging Let's Encrypt server so to not go over the 5/7 limit?

    Is there documentation for Let's Encrypt and ISPconfig?

  2. Well-Known Member HowtoForge Supporter

    It is not a bad practice to use the main MX server as host for the domain. If you like to have thunderbird know where/what services are
    would be needed.
    Configureing SNI in Dovecot is probably more difficult. Maybe Outlook does already prefer the MX entry as default host?

    Regarding the cert, maybe @till can correct me on that for ispconfig
    Can you verify "/etc/postfix/" step => Uncomment the submission and submissions sections as follows ?

    which ports are used?
    netstat -tulpen
    ufw status
  3. Well-Known Member HowtoForge Supporter

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    See Let's Encrypt error FAQ to find out why Let's encrypt refused to add the subdomains to the SSL cert:
    ahrasis likes this.
  5. Michel-André

    Michel-André New Member

    Hi & Till

    Thank you both for your posts.
    What can I do to be able to post a link in a post???
    I found an example for IMAP : I CANNOT POST THE LINK HERE...
    <clientConfig version="1.1">
       <emailProvider id="">
           <displayName>TITRE-Messagerie de</displayName>
           <incomingServer type="imap">
           <outgoingServer type="smtp">
           <documentation url="">
               <descr lang="de">Allgemeine Beschreibung der Einstellungen</descr>
               <descr lang="en">Generic settings page</descr>
           <documentation url="">
               <descr lang="de">TB 2.0 IMAP-Einstellungen</descr>
               <descr lang="en">TB 2.0 IMAP settings</descr>
    On Ubuntu 22.04, kmail see the title: TITRE-Messagerie de which means the file is reachable and kmail read the file
    But, kmail is complaining about the certificate.
    Then, you can redo the SSL cert creation for the system-wide SSL cert at any time using the following command:
    Code: --force
    Checking ISPConfig database .. mysqlcheck: Got error: 1698: Access denied for user 'root'@'localhost' when trying to connect
    ERROR 1698 (28000): Access denied for user 'root'@'localhost'
    Unable to call mysql command line with credentials from mysql_clientdb.conf
    The file: /usr/local/ispconfig/server/lib/mysql_clientdb.conf had the original password for superuser root whiich I changed when I installed ISPconfig.
    I was able to connect to: I CANNOT POST THE LINK HERE... with the new password I changed after installation.
    I changed for the new password in mysql_clientdb.conf and did another --force and it worked this time.
    The problem is still there and I am quite sure it is the certificate of the that is not right.
    There is my main NethServer connected to the ADSL modem and I configured it to redirect everything it receives from the internet for to local ISPconfig server on
    I did request a LE certificate for NethServer in the name of and attached it to all redirected links.

    With TOR, that is the certificate it sees when accessing

    With Firefox on LOCAL LAN, it receives the real LE certificate from which is different from the one used by the NethServer.

    Maybe that is the problem of the certificate with Thunderbird.

    I will replace the NethServer certificate with the one from

    I will create a drawing of my network and post a link to it. It will be easier to understand.

    Any suggestions?

    Last edited: Jun 6, 2024 likes this.
  6. Well-Known Member HowtoForge Supporter

    What steps regarding the web certificate did you do after changing the password in the file and make the cron run properly again?
    Are there any more errors in the ispconfig logs you can see in the web interface?
    Have you tried turning it off and on again ;) I mean the SSL/LE checkboxes for the ISPConfig website.
  7. Michel-André

    Michel-André New Member


    Thank you for your reply.

    The ispconfig.log files look all empty ???
    There is no error in the Let's Encrypt log. It asked only the web certificate not the one for the FQDN.

    For the check box, I don't want to touch it as I might be near the limit of LE 5/7.
    If I were able to use the staging LE, it will be another story.

    I once had Thunderbird running correctly by requesting certs directly with the script and ajusting the links of some files.
    Thunderbird was OK but I was not able to connect to the manager or web site anymore.
    I thiink I missed to ajust some links somewhere.

    I wish it would be as easy and complete as with Proxmox VE (the best Let's Encrypt implementation I ever saw).

    Do you know all the links to ajust for the certificate or how to force sub-domains (smtp, imap) to be included in the cert?

    I don't want that little Thunderbird problem as a show stopper for my documentation project :)

  8. till

    till Super Moderator Staff Member ISPConfig Developer

    With ISPConfig, it's fully automated, so it can't be easier. Your problem is not ISPConfig here; it's your network setup and that you want to use a wrong subdomain to access email in Thunderbird. ISPConfig is a control panel for hosting providers in data centers. It is typically run on servers directly connected to a public IP address, and the system hostname must be reachable from the internet on port 80 by Let's Encrypt to verify the SSL cert. As usual, for hosting setups, you use the system hostname for clients to connect to it, and the SSL cert is issued for that hostname by default. See here on how to create an email account in Thunderbird: and which name to use for imap and smtp.

    The link I posted above regarding SSL for email is not used on any standard installation as it's not needed and does not make much sense, but as some users want to use other names in mail connections instead of the hostname e.g. when used at home or in office and not at a hosting provider, then you can use that setup.

    That's what I posted in #4:

    As mentioned, it is not a recommended setup, but you can do it easily like that. Just do not touch manually, if your setup is not broken right after you manually ran, it will likely break on next cert renewal. So either use the default SSL cert as recommended, or follow strictly this guide, but in any case, do not manually run to certbot to create the certificate.

    Ok, this must clearly break your system. Not sure if it makes much sense to try to help you from here on, you should just reinstall and do not manually mess with SSL certs, instead use the default cert and the correct name for mail connections, which is the hostname you have chosen before you installed ISPConfig. and take care that your system is reachable from the internet so LE can verify the SSL cert for the hostname.
    ahrasis likes this.
  9. Well-Known Member HowtoForge Supporter

    Depending on your DNS provider, you could spin up a cheap acme-vps for yourself and use with dns plugin,
    have a trigger calling ispconfig api to update ssl certs, set them to manual for this case.
    that is better than tampering with the ispconfig setup

    use the domain.tld as name and add a -d *.domain.tld to get a wildcard one
    ./ --issue --dns dns_inwx -d -d * --debug
    you can check acme dns api to see how to provide the username and password via export
    or use manual/custom dns.

    If you need something for powerdns, I use this personally
    Edit: ugh that setup is old... it is actually using certbot ( mine ) did not have the priority to fix that :D
    Last edited: Jun 7, 2024
  10. Well-Known Member HowtoForge Supporter

    Just to make it clear, I meant running on an isolated cheap server and call the ispconfig api
    from there to use a manual wildcard cert for a domain.

    on the long run: check your setup with tor and having the password changed afer setup. Maybe this or the manual tampering might have broke something. Also what @till said ;)
    Last edited: Jun 7, 2024
    till likes this.
  11. Michel-André

    Michel-André New Member

    Hi all,

    Since 2003, I have always used the SME/Koozali/Nethserver server for a complete all-in-one system. Unfortunately since the CentOS adventure, NethServer will be in EOL at the end of June 2024.
    To replace NethServer, I chose ISPconfig because it is the closest one to NethServer. ISPconfig is the best server for a small and medium business system as well as for a home server.

    After my adventure trying to create a Thunderbird account for an ISPconfig user and after the wise advices received on this forum, I restarted the complete installation of Debian and ISPconfig following my documentation. Everything worked perfectly.

    For creating the Thunderbird account, I followed Till's excellent video "How to Add an Email Account in ISPConfig 3.2" and it didn't work.

    Last night I dreamed about this problem. When I woke up this morning, I realized that a server on a LOCAL network cannot request a Let's Encrypt certificate. This is why the script was originally created. This script allows you to use DNS challenges instead of the well-known directory challenges. I have installed dozens and dozens of test servers on local networks. I've always used the script and DNS challenges; It has always worked without exception. I don't understand why I didn't realize this fact immediately. Shame on me.

    This morning, I used the script and its DNS challenges to create a test certificate for and another one for I created links for some files to point to these test certificates. I copied the test certificate files from into the web site in the ISPconfig manager. Checking access to ISPconfig manager, webmail etc, everything was working and using the test certificates.

    Without changing anything, I requested production certificates and this time I only copied the production certificate into the WEB site in the ISPconfig manager. Everything works and uses production certificates. I was able to create the Thunderbird account and it can receive/send emails everywhere: from/to local users and the Internet.

    All that remains is to automate the renewal of certificates and ISPconfig will work perfectly. I took a good look at Till's article "How to run commands on File or Directory changes with Incron on Ubuntu 16.04" and adapting it should solve the problem.

    I will open a new post for this procedure.

    Thank you all,

    till likes this.

Share This Page