Let's Encrypt for email issues - Perfect Server Automated ISPConfig 3 Installation (Ubuntu 22.04)

Discussion in 'ISPConfig 3 Priority Support' started by curiousadmin, Jun 23, 2023.

  1. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Hello Team,

    I'm a big fan of the "Perfect Server Automated ISPConfig 3 Installation Ubuntu 22.04", however I noticed that for email (SMTP/IMAP) I often get errors (in the Thunderbird client) regarding the certificate. I'm not entirely sure why that is, since the certificate seems to be extended fine and the validity seems to be fine as well. The SSL certificate for the website works fine. So now pretty much every 90 days (maybe in some cycle it works fine - not 100% sure), when Let's Encrypt issues a new certificate, I have to "add an exception" in my Thunderbird.

    If you guys have any idea how to debug this (i.e. how to check that the certificate is actually issued fine?) I'm all for it, however I would be perfectly happy (maybe even happier, since the issuance is under my control and is valid for 10 years or whatever I choose to set it to) to just use the self-signed certificate.

    Is there any way to force the self-signed certificate just for email (smtp/imap/pop3) and leave the let's encrypt only for the website (https)?

    Somehow I feel like back in the day when I did the installation manually (i.e. https://www.howtoforge.com/tutorial...pd-bind-postfix-doveot-and-ispconfig/#g0.0.12 ) the email certificate was always self-signed, but maybe I remember it wrong...

    Thank you all in advance.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I don't think this would be a good approach as LE certs for email usually do not cause any issues. Better find out what's wrong with your system and fix that instead.

    I guess that you might have an issue with the certificate chain cert, which then causes Thunderbird not to see LE as a valid cert authority, which then leads to a cert warning after the cert is renewed. Are you currently using Ubuntu 22.04, or a different version?
  3. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Thank you for the quick followup.

    On the server with ISPConfig3 it's Ubuntu 22.04, on client where the Thunderbird runs it's Ubuntu 20.04, Thunderbird version 102.11.0 (64-bit).
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Use this to make sure certificate is issued or renewed: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/
    Examine in Thunderbird what certificate it is using. If it is an old expired certificate and not the new certificate on the server, try restarting dovecot and postfix on your e-mail server. Examine the certificate in Thunderbird again.
    If that does not help, maybe the symlinks for certificate files are wrong?
    Is the e-mail server using as mailname what
    hostname -f
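To put the checks above (and till's suspicion about the chain certificate) into one tool, here is an added example; it is not code from this thread or from ISPConfig. It connects to the mail service the way Thunderbird does, using Python's standard ssl module with the system CA store, negotiates STARTTLS on 143/587/25, and maps the OpenSSL verify result to the causes discussed here: an old expired certificate still being served, a missing intermediate (chain) certificate, or a name that is simply not in the certificate. The hostname, ports, the EHLO name and the message texts are assumptions; the numeric codes are OpenSSL's standard X509_V_ERR values.

```python
"""check_mail_tls.py: probe a mail service's TLS certificate as a client sees it.

Added example, not ISPConfig code.  Usage:
    python3 check_mail_tls.py mail.example.com 993
Ports 993/465 use implicit TLS; 143/587/25 negotiate STARTTLS first.
"""
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes surfaced by ssl.SSLCertVerificationError.verify_code,
# mapped to the causes discussed in the thread (message texts are our wording).
VERIFY_CODES = {
    10: "certificate has expired: service still serves the old cert, reload postfix/dovecot",
    18: "self-signed certificate: service is not serving the Let's Encrypt cert at all",
    20: "unable to get local issuer certificate: intermediate (chain) cert not served",
    21: "unable to verify the first certificate: intermediate (chain) cert not served",
    62: "hostname mismatch: the name you connect to is not in the cert's subjectAltName",
}


def explain_verify_code(code):
    return VERIFY_CODES.get(code, "certificate verify error %d" % code)


def san_matches(hostname, san_names):
    """DNS-ID matching as mail clients do it: exact match, or a single left-most
    wildcard label (*.example.com matches mail.example.com, not a.b.example.com)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host) and labels[1:] == host[1:]):
            return True
    return False


def dns_names(cert):
    """DNS entries of subjectAltName from the dict returned by getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _expect_smtp(reader, code):
    """Consume one SMTP reply (possibly multi-line, '250-...') and require `code`."""
    c = code.encode()
    while True:
        line = reader.readline()
        if not line:
            raise RuntimeError("connection closed during SMTP dialogue")
        if line.startswith(c + b" ") or line.rstrip(b"\r\n") == c:
            return
        if not line.startswith(c + b"-"):
            raise RuntimeError("unexpected SMTP reply: " + line.decode(errors="replace").strip())


def smtp_starttls(sock):
    reader = sock.makefile("rb")
    _expect_smtp(reader, "220")                      # server greeting
    sock.sendall(b"EHLO probe.invalid\r\n")          # assumed client name
    _expect_smtp(reader, "250")
    sock.sendall(b"STARTTLS\r\n")
    _expect_smtp(reader, "220")                      # "Ready to start TLS"


def imap_starttls(sock):
    reader = sock.makefile("rb")
    if not reader.readline().startswith(b"* OK"):
        raise RuntimeError("no IMAP greeting")
    sock.sendall(b"a1 STARTTLS\r\n")
    while True:
        line = reader.readline()
        if line.startswith(b"a1 OK"):
            return
        if not line or line.startswith(b"a1 "):
            raise RuntimeError("STARTTLS refused: " + line.decode(errors="replace").strip())


def probe(host, port):
    """Describe the served certificate, or the reason a verifying client rejects it."""
    ctx = ssl.create_default_context()               # system CA store + hostname check
    sock = socket.create_connection((host, port), timeout=10)
    if port in (25, 587):
        smtp_starttls(sock)
    elif port == 143:
        imap_starttls(sock)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except ssl.SSLCertVerificationError as err:
        sock.close()
        return {"ok": False, "reason": explain_verify_code(err.verify_code),
                "detail": err.verify_message}
    with tls:
        cert = tls.getpeercert()
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {"ok": True, "names": dns_names(cert), "not_after": cert.get("notAfter"),
            "issuer": issuer.get("organizationName"),
            "name_in_san": san_matches(host, dns_names(cert))}


if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it against the exact name you type into Thunderbird, e.g. `python3 check_mail_tls.py mail.example.com 993`, then again on 465 and 587, since Postfix and Dovecot can be configured with different certificate files. A "hostname mismatch" result means the certificate is valid but does not cover that name; a "chain cert not served" result means the service is presenting the leaf without its intermediate, which is exactly the situation that makes a client distrust the certificate again after every renewal. `san_matches` reproduces the client-side name check so a candidate server name can be tested against a certificate's SAN list offline.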
  5. curiousadmin

    curiousadmin Member HowtoForge Supporter

    A few more clarifications / tests I have done:
    1 - This domain (let's call it example.com) has an active website and also has email attached to it. The website certificate is fine (www.example.com and the variation without www).

    2 - I checked the logs and in /root/.acme.sh/acme.sh.log there is a record from 2023-06-23 of certificate file creation.
    Please do tell me what to check specifically; looking at https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ it's not very clear what I'm looking for.

    3 - In /var/log/ispconfig/acme.log there is a record for example.com and www.example.com; interestingly enough there is no mention of mail.example.com, which I typically use for the incoming and outgoing server.
    I thought using mail.example.com is best practice (there might be a situation where the webserver is on a different IP than the mailserver) and that ISPConfig would issue the certificate automatically. If the best practice (or least headache) is something else, please do let me know.
    Using example.com (without the mail.example.com) as incoming/outgoing server also leads to certificate errors.
    My MX record is pointed to mail.example.com.

    4 - When I set up my Thunderbird incoming/outgoing servers (smtp/imap) for domain example.com using the server's common name (i.e. server1.company.com), which is the same domain I use to visit the ISPConfig administration (https://server1.company.com:8080/login/), then there is no certificate error/mismatch and all works fine.

    I could stick to this, I suppose, and mark this as solved; unfortunately, the issue is that instead of upgrading the Linux installation I move my websites and emails between servers every time there is a new OS release (i.e. when upgrading from Ubuntu 20.04 to Ubuntu 22.04 I would use a new clean installation, use the ISPConfig migration tool and cancel/delete the old Ubuntu 20.04 installation later).
    This seemed to be best practice when I did an upgrade a long time ago: https://forum.howtoforge.com/threads/upgrading-debian-8-jessie-to-debian-9-stretch.83023/

    Not using mail.example.com as the SMTP/IMAP server will lead to reconfiguration on all my devices, which is annoying (I would have to switch the incoming/outgoing settings from server1.company.com to server2.company each time I upgrade to a new OS and decommission the old server).

    5 - As for:
    hostname -f
    it shows server1.company.com, which is fine and matches the setup I tried for note #4 above.

    Bottom line:
    * I would assume that I need to somehow tell ISPConfig and acme that I want a certificate for that subdomain mail.example.com (that is used solely for email), and that is the core issue of all this?
    * At the same time, though, I find it surprising that if I use example.com as the incoming/outgoing server I still get errors when the website certificate is fine; it's just a matter of different ports...
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I install the ISPConfig server with hostname mail.mydomain.com, and use that name as the e-mail server in Thunderbird for incoming and outgoing. ISPConfig creates a certificate for the hostname and uses that certificate for services like dovecot and postfix. I find this the most straightforward and reliable way.
    It is possible to set certificates in other ways, see old discussions on this Forum.
  7. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Yes, that is a smart way to do it. I wish I had thought of that.

    It doesn't solve multiple email domains, though. You don't want to have as the server something for project1 while it's referring to project2.
  8. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Back to the original question - Yes it is Ubuntu 22.04.

    As I discovered, the certificate is not issued for mail.example.com. Is there any way to force ISPConfig, as soon as the domain is added to the email tab in the administration panel, to ask for the proper certificate? I don't want to issue the certificates manually (if it's even possible).
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Actually, any large ISP is doing exactly this. Of course, you do not use a project domain here, you'll use your company domain that provides the email services to these projects, which is also used as the hostname of your system.

    The mail system has one certificate, and this cert contains and shall only contain the system hostname; email domains you add shall not be and are not added to that cert.
  10. till

    till Super Moderator Staff Member ISPConfig Developer

  11. till

    till Super Moderator Staff Member ISPConfig Developer

  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can of course host more domains, but not use them to connect for IMAP and SMTP. So clients can email with clientexample.com, but need to connect to imap.example.com in their mail client.
