mail.client1.com mail.client2.com mail.client3.com SSL certificates

Discussion in 'ISPConfig 3 Priority Support' started by Manel Ferré, May 27, 2025.

  1. Manel Ferré

    Manel Ferré New Member

    Sorry I can't explain myself well, I hope someone can understand.

    When you try to set a valid certificate to mail.yourserver.com to manage emails, follow the page
    https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
    it works correctly for the first one.
    My question is the following:
    In a VM with ispconfig, I'm managing 10 domains.
    I want to set each IMAP and SMTP server as mail.client.es.

    What should I do to have a mail.client for each client?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You must add all subdomains to the website that you use to create the certificate for the email system.
     
  3. Manel Ferré

    Manel Ferré New Member

    Hi
    I've done that... but when I set up email on my phone, I get a certificate error.
    You guys explained how to do it on the page I mentioned in the previous post, but of course, for a single domain.
    Using AI, it suggests the following, and I was wondering if it is like that... should I do it like this?

    Generate SSL Certificates for Multiple Mail Domains (acme.sh + Manual DNS-01 Challenge)

    1️⃣ Install acme.sh (if not installed yet)
    Run this on your server:
    curl https://get.acme.sh | sh
    After that, restart your shell or reload the profile:
    source ~/.bashrc
    2️⃣ Issue the certificate using manual DNS validation
    Run the following command (replace the domains with your actual mail domains):
    acme.sh --issue --dns --yes-I-know-dns-manual-mode -d mail.client1.com -d mail.client2.com -d mail.client3.com
    This tells acme.sh to use the manual DNS challenge for multiple domains.

    3️⃣ acme.sh will prompt you to create DNS TXT records
    For each domain, it will give you something like this:

    Please add the following TXT record:
    Domain: _acme-challenge.mail.client1.com
    TXT Value: xxxxxxxxxxxxxxxxxxxxxxx

    Domain: _acme-challenge.mail.client2.com
    TXT Value: yyyyyyyyyyyyyyyyyyyyyyy

    Domain: _acme-challenge.mail.client3.com
    TXT Value: zzzzzzzzzzzzzzzzzzzzzzz

    4️⃣ Go to your DNS provider (Unelink in your case)
    For each domain, create a new TXT record:

    Record Name Record Type Value
    _acme-challenge.mail.client1.com TXT xxxxxxxxxxxxxxxxxxxxxxx
    _acme-challenge.mail.client2.com TXT yyyyyyyyyyyyyyyyyyyyyyy
    _acme-challenge.mail.client3.com TXT zzzzzzzzzzzzzzzzzzzzzzz
    ⏳ 5️⃣ Wait for DNS propagation
    This can take a few minutes (or up to an hour, depending on your DNS provider).
    You can check the propagation using:
    dig TXT _acme-challenge.mail.client1.com +short
    Repeat for each domain.
    Once you see the correct TXT values, proceed.

    6️⃣ Finalize the certificate generation
    Return to your terminal (do not close it!) and press Enter in the acme.sh prompt to continue.

    acme.sh will then validate the DNS records and issue the certificates.

    7️⃣ The certificates will be saved in ~/.acme.sh/
    You’ll find the certificate files here:
    ~/.acme.sh/mail.client1.com/
    ├── fullchain.cer
    └── mail.client1.com.key
    These are the files you will use in your Postfix and Dovecot configuration.

    8️⃣ Renewal (in the future)
    Every 90 days, you will need to repeat this process:
    make a script that does it for you
    • Run the same acme.sh --issue command.
    • Create new TXT records with updated values.
    • Wait for propagation.
    • Finalize the validation.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    No. Just add all subdomains to the website you use to create the certificate for the email system. They must exist in DNS, of course, and point to your server. When doing this at a later stage, you must restart Postfix and Dovecot, too.
     
  5. Manel Ferré

    Manel Ferré New Member

    Then, the section
    cd /etc/postfix/
    # keep the old certificate and key as timestamped backups
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    # point smtpd.cert/smtpd.key at the acme.sh certificate and key
    ln -s /root/.acme.sh/mail.example.com/fullchain.cer smtpd.cert
    ln -s /root/.acme.sh/mail.example.com/mail.example.com.key smtpd.key
    # both daemons read these files, so both must be restarted
    systemctl restart postfix
    systemctl restart dovecot
    Shouldn't this be done?

    I create the site mail.mydomain.es and check the certificates.
    When I create the new account and in the IMAP and SMTP servers, can I enter mail.mydomain and it will correctly pick up the certificates and I won't get the message that the connection may not be secure?

    Well, on the first client, I was getting a certificate error until I followed the instructions at https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
    On the next one, those instructions stopped working, and I started having problems with the Dovecot and Postfix servers.
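A way to check the points made in the replies above (every mail.<client> name must be in the one certificate, each name must resolve to this server, and Postfix and Dovecot must present the new certificate after the restart), written as an added example for this thread. It is not code from the thread, the HowtoForge tutorial or ISPConfig. The host names, the IP address 203.0.113.10 and the use of /etc/postfix/smtpd.cert as the installed certificate path are assumptions for illustration; the offline checks need only the openssl command-line tool, the live checks need network access to the server.

```sh
#!/bin/sh
# Added example, not from the thread or from ISPConfig. Checks that one
# certificate covers every client mail name and that the running daemons
# actually serve it. Host names, IPs and paths below are assumptions.

# Print the DNS names in a PEM certificate's subjectAltName, one per line.
# Reads the file given as $1 (standard input when no argument is given).
cert_sans() {
  openssl x509 -in "${1:-/dev/stdin}" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p'
}

# Succeed only if the certificate in $1 lists every name given after it;
# prints one ok/MISSING line per name so a gap is visible at a glance.
cert_covers() {
  file=$1; shift
  sans=$(cert_sans "$file")
  rc=0
  for name in "$@"; do
    if printf '%s\n' "$sans" | grep -qxF -- "$name"; then
      printf 'ok       %s\n' "$name"
    else
      printf 'MISSING  %s\n' "$name"
      rc=1
    fi
  done
  return $rc
}

# Fetch the certificate a running daemon presents, as PEM. $1 host, $2 port,
# $3 optional STARTTLS protocol (smtp for 25/587, imap for 143); leave it out
# for implicit TLS ports (465, 993). Needs network access, so it is only
# shown in the usage notes and not run offline.
served_cert() {
  host=$1; port=$2; proto=${3:-}
  if [ -n "$proto" ]; then
    set -- -starttls "$proto"
  else
    set --
  fi
  openssl s_client -connect "$host:$port" -servername "$host" "$@" \
    </dev/null 2>/dev/null | openssl x509
}

# Succeed if $1 resolves to the address $2 (the server's public IP). A client
# name whose DNS no longer points here is exactly the case that makes the
# renewal of a shared certificate fail. Needs network access.
dns_points_to() {
  getent ahosts "$1" | awk '{ print $1 }' | grep -qxF -- "$2"
}

# Usage on the mail server (assumed names and IP), after the certificate was
# issued, /etc/postfix/smtpd.cert was relinked and both daemons restarted:
#   for n in mail.client1.com mail.client2.com mail.client3.com; do
#     dns_points_to "$n" 203.0.113.10 || echo "DNS does not point here: $n"
#   done
#   cert_covers /etc/postfix/smtpd.cert mail.client1.com mail.client2.com mail.client3.com
#   served_cert mail.client1.com 587 smtp | cert_sans   # what Postfix presents
#   served_cert mail.client1.com 993      | cert_sans   # what Dovecot presents
```

If cert_covers reports a name as missing, the certificate on disk was issued before that subdomain was added to the website; if the file is fine but the served list differs, the symlinks or the restart step were skipped. The DNS loop is worth running before every renewal, because one client name that stopped resolving to the server blocks the renewal of the whole shared certificate.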
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    If you followed the tutorial, then you must have done that already. I would have stayed with the default setup and not used the small server domain setup you switched to now, which will limit the ability to add larger numbers of domains, as you can only add a certain number of domains to a single certificate, and if a single one of your clients changes DNS, renewal of all certs will fail and all clients will get access failures in their mail domains. That's why providers would not use the setup you switched to now and would have stayed with the default setup ISPConfig had set up for you at install time, which was based on the server hostname.

    Then you had entered the wrong mail server name in the email client program at that time, so it was not a server issue. There is a detailed step-by-step guide which explains how to configure an email client: https://www.howtoforge.com/ispconfig-email-account/ By default, you use the server hostname, which is a subdomain of your domain and not a client domain, as that's what all bigger hosters do and it gives you a stable long-term setup. But you have chosen a different setup for small home servers instead of the default provider-grade setup now, so this no longer matters.

    Ok, so you did not follow the whole guide yet. You must check if the cert you link to exists and ensure to follow it to the end to finish the switch to the limited domain setup. It might be that it's now in the *_ecc subdirectory of acme.sh.
     
    Last edited: May 28, 2025
  7. Manel Ferré

    Manel Ferré New Member

    I have 50 clients on a single cPanel.
    The idea is to separate it into three servers plus two large clients that will be on their own server. I manage everything, including DNS. The clients don't do anything, at most, migrating to another server.

    cPanel manages certificates well. It creates a certificate for each client subdomain, and I don't have to do anything. Everything works.
    But of course, it's very expensive. I really like ISPconfig. The only thing missing is precisely that and a file manager.

    Between mobile devices, Outlook, and other applications, I have over 700 applications that I should move from mail.yourdomain to myserver.
    Which is too much work for the migration, so I'm trying to make the server mail.yourdomain so everything is transparent for my clients.
    I only have 50 clients, and they're separated into three ISPconfig servers. I think the limit was 100?


    I swear I followed everything, but I'll check again.
    Thanks.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes.
     