Migration of mailing and certificates

Hi,
i need some help as i'm a bit stumped right now... I'm in the final moments before migrating a mailserver to a new ISPConfig setup and within this process the domainname changes. So before it was "company.de" and now it is "company.com". As there are alot of clients out there that use the DNS names like {smtp,imap,pop,mail}.company.de i need to support this but the hostname and mailname of the new system is mail01.company.com.
When i migrate all the stuff over and change the {smtp,imap,pop,mail}.company.de records to the new IP address woulnd't that cause certificate warnings as the client connects to "company.de" but the certificate the server provides is for mail01.company.com?

Do i have to offer both certificates within postfix and dovecot or am i completly lost here?

 

That's not even needed as we have a downtime where no server is accepting mails of 30 minutes anyways so this should work without any issue.
So this seems like a good solution but there is another issue here. As this is a multiserver setup and there is mail02 as mirror of mail01 i need to copy over the certificates to that server too and setup the systemd service that watches the path with the certs there too right?

Note: the DNS records may change the IP via cloudflares "load balancing" which is used to achieve high availability in case one of the servers fail

 

For anyone that might stumbles upon this:

The approach that till suggested is a great idea, however after thinking about it there comes another issue to mind: while it would work well for mail01 in this setup, it will be a hassle for mail02 as there is no easy way to integrate the hostname into the certificate that comes to mind. Although it is possible to create wildcard certificates with LE it makes a much more complicated setup.
To make this still possible without that much of an hassle, one could use Postfix and Dovecots SNI (Server Name Identification) feature where you can use specific certificates for each hostname you define.

However you could even use a commercial Wilcard SAN certificate as well as already mentioned by @till
There are SAN and Wildcard SAN certificates. With the Wildcard SAN for example one could use "*.company.de" and "*.company.com" in one certificate.

 

Quite but not really.

LE also support up to 100 domain per one cert.
Read: https://community.letsencrypt.org/t/wild-card-san-certificate-is-available/61982

 

Sure but this does not help in this context. It makes the setup way more complex as mail02 is a completly seperate host. There are a few things you could do to also add mail02 to the certificate but it either needs manual intervention or a quiet hacky approach. Or do you have a simple solution for it?

 

Silly. Of course not, if clean, fully automated and non-hacky approach is what you really want.

 

Yes, i opt for a clean setup, as i'm not the only maintainer and want to keep thins as simple as possible and if it is way easier to spend 250€ annualy and have a single cert that works than i prefer that. I like the KISS approach when it comes to setting up servers

 

Well i've tested some stuff in the meantime and found a greate solution for the problem but need some help setting up the ISPConfig stuff.

acme.sh offers the possibility to obtain certificates via a DNS alias mode. This means that if I have another "validation domain", I can validate certificates for the main domain via this validation domain. With a TXT entry and a CNAME entry on the main domain, certificates can be issued in this way. For example:

Code:

TXT _acme-challegne.validationDomain.tld
_acme.challegene.mydomain1.tld IN CNAME _acme-challegne.validationDomain.tld.
_acme.challegene.mydomain2.tld IN CNAME _acme-challegne.validationDomain.tld.

To automate this process i've migrated the validation domain to cloudflare and created a API Token with permissions for this zone and the records of the zone. Setting up acme.sh with the token, account id and zone id i was able to use the automated DNS Challenge mode like that:

Code:

acme.sh --issue  \
  --challenge-alias validationDomain.tld --dns dns_cf \
  -d  *.myDomain1.tld \
  -d  *.myDomain2.tld

And it worked! I've got the certificate and the X509v3 Subject Alternative Name field contains both DNS *.mydomain1.tld and *.mydomain2.tld.

So now to the problem/question. How can i use my own acme.sh configuration for the domain without interfering with the setup. The config currently used is /root/.acme.sh/mail01.mydomain1.tld/mail01.mydomain1.tld.conf. It contains the configuration:

Code:

...
Le_RealCertPath=''
Le_RealCACertPath=''
Le_RealKeyPath='/usr/local/ispconfig/interface/ssl/ispserver.key'
Le_ReloadCmd=''
Le_RealFullChainPath='/usr/local/ispconfig/interface/ssl/ispserver.crt'
...

This key and crt file is symlinked to Postfix/Dovecot. Would it be sufficient to just remove the symlinks from Postfix/Dovecot and symlink them to the new path in /root/.acme.sh/? As mail02 is a mirror i will monitor the certificate path with a systemd unit and copy them over to that host too as soon as the files change.

Would love some feedback and insight

 

You don't need to copy LE certs if you are using dns-challenge as any ISPConfig server can issue their own LE certs the same way. At least that how I'll do it and that is why I have been advocating it since the beginning.

 

Fair point but i dont need to issue them twice if i can just copy them over securly via ssh. And it isn't much of a hassel anyways:

Code:

mailcer-sync.service:
---
[Unit]
Description="Run script to copy certificates to mail02"

[Service]
ExecStart=/usr/local/bin/mailcert-scp.sh


mailcert-sync.path:
---
[Unit]
Description="Monitor the Certificate file for changes"

[Path]
PathModified=/root/.acme.sh/XXXX
Unit=mailcert-sync.service

[Install]
WantedBy=multi-user.target

Still what it need to know is when i override the symlinks will it affect ISPConfig in any way, and is it persistent on updates?

 

I would only think that it is safer for each server to request their LE certs on their own but I am not against it either.

I still remember that I suggested this ssh copying methods for multi server setup when I introduced the way to secure ISPConfig server with LE certs, though much have changed so did my approach and preference in this regard mainly to avoid any failures or interruptions of services.

Since my servers are using certbot, for me, I will simply use and customize ISPConfig default hooks for server FQDN LE certs instead of creating all that systemd approach etc and that is another reason why I won't copy the same.

And I think it is still possible for you to use the same method i.e. if you modify the server LE pre-hook and post-hook code accordingly.

Note that I did not change from incron to systemd when incorporating my guide into ISPConfig to avoid any possible LE failures but instead adopted the hook method since it is easily customizable.

Anyway, you are well versed in this, and this is just me pouring some ideas without really going deeply into it, so I think you can figure out the best suitable way for you.

 

Well i had some more thoughts about this and maybe it isn't that bad of an idea to request them on each server. This would make the setup "simpler" at least for someone that does not know anything about the setup, because tbh no sysadmin is going to study the services that are running as a first debugging step. I'm going to test it and might just stick with that approach.
Nontheless i'm surprised that DNS Alias Mode is even a thing, simple yet so usefull in some cases