I have an ISPConfig instance with multiple domain aliases set for mail.clientdomain.com of every of my clients domains to point to my host domain (host.mydomain.com) in order to share the Let's Encrypt certificate of the host with all these mail domains (they go in the SAN field of the certificate). I haven't found a better way to do this with ISPConfig. Is there? My problem is, however, that for every new client, i must configure a domain alias like that for their mail.clientdomain.com to point to my host domain and then restart postfix and dovecot services so they can load the newly generated LE certificate with the new client's domain included in the SAN field. If there isn't a better way to provide my host certificate for every client's mail domain, is there at least a way to automate this, i.e. auto-add a new domain alias upon addition of a new site in ISPConfig and auto restart both mail servers?
Let's Encrypt automatically adds aliasdomains to the certificate. LE renew has hooks that allow you to configure what happens before, during and after certificate renew, for example stop or start services. https://www.howtoforge.com/community/threads/lets-encrypt-lots-of-errors-in-standalone.79363/
Take a look at https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/ Automatically adding alias could be done by writing a API script. But I recommend using smtp.example.com and imap.example.com and have clients connect to that instead of their own domain. At a certain point you reach maximum of alias domains for the cert and clients can see who's hosted by you if they look at the cert details which is unprofessional imo.
The preferred way is as said by @Th0m i.e. always connect via server's domain(s) not client's domain(s), that way it will be easy to setup and maintain. Adding client's domain should only be provided as a premium service for the hassle that you'll be facing in setup and maintenance. This is where ISPConfig multiserver setup become very useful and powerful in managing such a premium setup.
One solution would be to create a server plugin. You would have to decide what event it fires on, eg. when you add a dns zone, or when you add a mail domain. You need to have dns setup and answering before requesting the certificate to be set up, so might need to queue the job or sleep a bit and maybe test dns. Another option could be to query what mail domains there are from a cronjob, test dns for those, and request a certificate with all the names which are currently setup. That would eliminate queuing the task for later, but would also have more of a delay in the certificate being setup. As noted, there is a limit on number of domains per certificate, as well as various request limits that you wouldn't want to hit with your automated requests.
like some others who were new to ispconfig, I come from imscp. there was an option in the admin panel to add DNS names to the Lets Encrypt certificate for mail / FTP. It might be difficult to code, but it was very easy to use.
This is possible with ISPConfig aswell, I mentioned the tutorial for that in #3 and in that tutorial I also refer to a other tutorial which explains how you can set this up for other services like PureFTPd.
