Migrating from ISPConfig single server to "Perfect Multiserver" setup, questions.

Discussion in 'General' started by mcisar, Jun 19, 2022.

  1. mcisar

    mcisar New Member HowtoForge Supporter

    I currently have a single (well in fact two) older ISPConfig single servers set up, currently hosting web and email for 5 different domains. I'm planning on migrating those domains to a new "Perfect Multiserver" configuration. Have never played with the multiserver setup before but in doing a quick preliminary read through the docs I've just got a few questions.

    In the firewall configs on the various servers...
    - why does SSH port 22 need to be open in the firewall on all of them?
    - why do web ports 80/443 need to be open on the mail server?

    In terms of the SSL certificates for the mail server(s)...
    - In my existing configuration each of the existing email domains is configured on the mail server with its own IP and within postfix is configured with transport maps to ensure that the mail outbound from that domain leaves the network on its own specific IP address (to, among other things, prevent one domain from doing something stupid and getting everybody blacklisted somewhere). The existing servers have been around forever and so we've never had any SSL certificates on the email. In looking at some of the config notes on the SSL configuration it talks about listing all of the alias hostnames for the certificate... but in my case I'm not only going to have mx1.example.com + smtp.example.com + imap.example.com + mail.example.com on the mailserver but also the same four for domain1.com and domain2.com and domain3.com, etc. How do I deal with configuring those certificates and/or configuring them to the server?
    - How are the certificates dealt with for the mx2 server... is that a completely separate set of certificates that needs to be generated?

    I'm sure I'll have more questions once I start on the install process but these are the couple of things that jumped out at me from the install docs.

    Thanks for any insight.
    Mike
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    This is for you to administer the servers, and possibly clients to manage their websites. It is possible you don't need this, if you have those needs covered otherwise.
    These could be used to obtain a letsencrypt certificate, and in some setups webmail and even the rspamd UI are accessible there. I have one mail server where apache on port 443 reverse proxies to the dovecot rest interface. It is possible you have none of these use cases and don't need these ports open.
    Do you intend to keep separate IP addresses for each domain's email? You only need to have the hostnames in the certificate which are actually used by mail clients, and if you only have those five domains you could get by with a single certificate to cover them all.

    What does your mx2 server do? If it is only an mx, a single certificate for the server's hostname would likely be fine.
     
  3. mcisar

    mcisar New Member HowtoForge Supporter

    Thanks for the quick response Jesse.
    Yes, I'll definitely continue to assign separate IP addresses for each client's email. Never again do I want to have the experience of a mail user getting the mailserver IP blacklisted and having 10 different clients screaming at me for half a day until I could get the IP delisted... if they take themselves out for a day, that's on them :)

    It's probably worth clarifying that actually none of these servers will hang directly out on the internet. As a general rule each client is assigned a single WAN IP address that is used for ALL of their services, the router shuffles port-based traffic to one (or more) LAN addresses depending on the client and their utilization.

    Thinking about it, in this scenario it would seem like I should have a certificate for each client containing ALL of their hostnames, not only for mail but for webmail, www, etc since from the outside world it all appears as a single server. Is it possible to have one catch-all certificate for a client and then use it on the 3 or 4 separate servers assigned to them on the LAN side?

    At this point I'm up in the air as to whether I'd even go with an mx2 server. While it does provide some redundancy if the mailserver itself goes down, unless it is also on a disparate network (much like DNS) the value of the secondary is limited. If I did go forward with it, there would likely be separate IP addresses (LAN side) for each client much like MX1. WAN-wise I can see that on this server it could potentially be a mix of a shared IP for most and some individual IPs (in this case differing from the client's primary IP) depending on the individual client.
    I have had clients in the past who needed either partial or full e-mail redundancy, though currently I don't... kind of a question of trying to build it in later if I do need it, or just get it done now while I'm building the rest of the servers.
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You can use a wildcard certificate, or request a certificate which covers all the hostnames you want. Normally requesting such a certificate from letsencrypt doesn't work on a multi-server setup, but it actually might in your setup where you assign the client IP to your router and port forward around. Distributing those certificates to your multiple servers and restarting services will be a local task you will have to set up, and of course all the mail config using specific IPs for specific clients.
     