Outlook - A secure connection cannot be established (ISPConfig 3.2)

Discussion in 'Installation/Configuration' started by Cipandales, Oct 20, 2020.

  1. Cipandales

    Cipandales New Member

    Hi,

    I just installed ISPconfig 3.2 (hostname isp.company.com) following the guide https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/ and I created a website/email domain (company1.com).
    I configured a different IP for company1.com and the DNS zone is hosted in Cloudflare and not in ISPConfig.

    When I try to set up Outlook, I get the error "a secure connection cannot be established...." - "company.com certificate name does not match input".
    It looks like Outlook sees the cert for the ISPConfig hostname instead of the email server (company1.com) that I created - I checked the new certificate created with Letsencrypt for company1.com and according to SSL Labs everything looks ok (the certs for subdomains like mail, ftp, etc, were not created though).
    Can you please guide me to fix this?

    Also, I noticed that RoundCube is not working with the default config (cannot send email - 250 error). To make it work I replaced "default" with 'tls://isp.company.com' in the following lines in the RoundCube config file (where isp.company.com is the ISPconfig server hostname):
    $config['default_host'] = 'tls://isp.company.com';
    $config['smtp_server'] = 'tls://isp.company.com';
    Please confirm that this is correct or there is another better approach?

    Thank you
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Cipandales

    Cipandales New Member

    Hi, Taleman,

    Thank you for your answer.
    I believe that I don't have the same issue. The cert error message is the following:
    Cert Hostname DOES NOT VERIFY (mail.company1.com != ispconfig.company.com). So email is encrypted but the host is not verified.
    ISPConfig creates the Letsencrypt cert only for www. and the hostname and not for mail.company.com (how should I create the LE cert for subdomains?).
    I use the last Outlook version and/or Apple mail.

    Regards
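    The check Outlook and Apple Mail perform is a plain hostname-against-certificate comparison, so the mismatch reported above can be reproduced from a shell before touching any client. The script below is an added example (not from this thread or from ISPConfig) using only the Python standard library: it connects with implicit TLS (IMAPS on 993) and with STARTTLS on the submission port (587), validates the chain against the system CA store, and then reports which DNS names the presented certificate covers and whether the name you connected to is among them. The host in the `__main__` block is a placeholder.

    ```python
    """Show which names a mail server's TLS certificate actually covers.

    Added example, not part of the thread. Reproduces the client-side name
    check so a mismatch such as 'mail.company1.com != ispconfig.company.com'
    is visible on the command line. Standard library only.
    """
    import smtplib
    import socket
    import ssl
    import sys


    def names_from_cert(cert):
        """Every DNS name the cert is valid for: subjectAltName first, CN only as a fallback."""
        names = [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
        if not names:  # legacy cert without SAN: fall back to the subject commonName
            for rdn in cert.get("subject", ()):
                for key, value in rdn:
                    if key == "commonName":
                        names.append(value.lower())
        return names


    def name_matches(pattern, hostname):
        """RFC 6125 style match: exact, or a wildcard covering exactly one leftmost label."""
        pattern, hostname = pattern.lower(), hostname.lower()
        if pattern == hostname:
            return True
        if pattern.startswith("*."):
            p_labels, h_labels = pattern.split("."), hostname.split(".")
            return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
        return False


    def cert_covers_hostname(cert, hostname):
        return any(name_matches(n, hostname) for n in names_from_cert(cert))


    def _relaxed_context():
        # The chain is still verified against the system CA store; only the
        # hostname check is disabled so the mismatch can be reported ourselves
        # instead of surfacing as a handshake exception.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_REQUIRED
        return ctx


    def probe_implicit_tls(hostname, port=993, timeout=10):
        """Implicit TLS (IMAPS 993, POP3S 995, SMTPS 465): return the peer cert dict."""
        ctx = _relaxed_context()
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.getpeercert()


    def probe_smtp_starttls(hostname, port=587, timeout=10):
        """STARTTLS on the submission port: return the peer cert dict."""
        ctx = _relaxed_context()
        with smtplib.SMTP(hostname, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()


    def report(hostname, cert):
        ok = cert_covers_hostname(cert, hostname)
        print(f"{'OK' if ok else 'MISMATCH'}: {hostname} -> cert covers {names_from_cert(cert)}")
        return ok


    if __name__ == "__main__":
        host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder hostname
        results = [report(host, probe_implicit_tls(host)), report(host, probe_smtp_starttls(host))]
        sys.exit(0 if all(results) else 1)
    ```

    Run it with the exact name you type into the mail client (`python3 check_mail_cert.py mail.company1.com`). If the output lists only the panel hostname, the server is presenting the ISPConfig certificate rather than one issued for the mail name, which is the situation described in this thread.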
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    See the second page of that thread, I posted an explanation on how to use a valid certificate.
     
  5. Cipandales

    Cipandales New Member

    Hi, Th0m,

    I see in your instructions that I should "Add eventual other names for your server (e.g. imap.example.com, smtp.example.com) as aliasdomains of the main domain".
    I don't see this option in the ISPConfig configuration - can you please point me to the right place?

    I am not sure that the issue with the cert mismatch would be addressed by your instructions (Cert Hostname DOES NOT VERIFY (mail.company1.com != ispconfig.company.com). So email is encrypted but the host is not verified.).

    Please advise,
    Thank you
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Select none for auto subdomain. In the left submenu, you see "aliasdomains". Add the alias domains there.

    It should fix that error.
     
  7. Cipandales

    Cipandales New Member

    Thank you for pointing me to the right place.

    I added the subdomain "mail" and the LE cert was issued.
    I still have the same issue with the cert mismatch - "ispconfig.company.com certificate name does not match the input".
    The MX record for company1.com points to mail.company1.com.
    Can you please let me know why the config looks for ispconfig.company.com instead of mail.company1.com (ispconfig.company.com is the host name of the ISPConfig server)?

    Regards
     
  8. Cipandales

    Cipandales New Member

    I also noticed that the new subdomain redirection folder (mail) is not automatically created in /var/www/company1.com/web/.
    I had to create it manually.
    Regards
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This is because the cert you used is not valid for mail.company.com, so you have to create a cert and use that following those steps. If mail.company.com is added to the cert, it will work.
     
  10. Cipandales

    Cipandales New Member

    I apologize but I don't understand.
    mail.company.com was added to the certificate (certbot.main:Arguments: ['--domains', 'company1.com', '--domains', 'www.company1.com', '--domains', 'mail.company1.com']).
    The email server hostname is not correct. Should be mail.company1.com instead of ispconfig.company.com, hence the cert mismatching.

    Ssllabs confirms that the cert for company1.com and subdomains is created.

    I didn't have this issue with ISPConfig 3.1.x.

    Regards
     
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I will copy my instructions from the other thread. Follow them and you will have the correct cert.

    You can replace it with a Let's Encrypt certificate following this tutorial: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

    Though I did it in a different way to have a different cert for mail than for the panel:
    - Add website with the hostname of your mailserver to ISPConfig. Check the Let's Encrypt checkbox to acquire a Let's Encrypt certificate.
    - Add eventual other names for your server (e.g. imap.example.com, smtp.example.com) as aliasdomains of the main domain.
    - Verify that the certificate is issued for the site
    - Log in to your server
    - Run this (replace sitename-in-ispconfig.com with the hostname you used):
    Code:
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/privkey.pem smtpd.key
    systemctl restart postfix
    Then open a new script:
    Code:
    nano /etc/init.d/le_mail_pem.sh
    Paste this in that file (replace sitename-in-ispconfig.com with the hostname you used):
    Code:
    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides: LE MAILSERVER CERT AUTO UPDATER
    # Required-Start: $local_fs $network
    # Required-Stop: $local_fs
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: LE MAILSERVER CERT AUTO UPDATER
    # Description: Update mail server cert automatically when a new cert is issued.
    ### END INIT INFO
    # Stop at the first failed step so Postfix is never left with a dangling link
    set -e
    # One timestamp for both backups so the .bak pair can be matched up later
    TS=$(date +"%y%m%d%H%M%S")
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$TS.bak
    mv smtpd.key smtpd.key-$TS.bak
    ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/sitename-in-ispconfig.com/privkey.pem smtpd.key
    systemctl restart postfix
    Then install incron:
    Code:
    apt install incron
    Make the script executable and allow root to use incron:
    Code:
    chmod +x /etc/init.d/le_mail_pem.sh
    echo "root" >> /etc/incron.allow
    Open incrontab:
    Code:
    incrontab -e
    Add this:
    Code:
    /etc/letsencrypt/archive/sitename-in-ispconfig.com/ IN_MODIFY /etc/init.d/le_mail_pem.sh
    Credits to @ahrasis for the original code and tutorial.
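    The same end state as the steps above (smtpd.cert and smtpd.key become symlinks into /etc/letsencrypt/live/<site>/), written as an added example in Python rather than the thread's shell script, with the checks a production updater wants: it refuses to run when the Let's Encrypt files are missing (the shell version would happily create dangling links if the site name is mistyped), takes one backup timestamp for both files, swaps each link atomically so there is no moment where Postfix sees no certificate, skips the backup when the link already points at the right file (the incron trigger can fire several times per renewal), and warns when the private key is readable by group or other. This is not ISPConfig's or the thread's code; the directory defaults are the ISPConfig layout from the thread, and `reload_cmd` is an assumption you can set to the thread's `systemctl restart postfix`.

    ```python
    """Point Postfix at the Let's Encrypt files for the mail hostname, safely.

    Added example, not the thread's script or ISPConfig code. Paths default to
    the layout used in the thread; the reload command is an assumption.
    """
    import os
    import stat
    import subprocess
    import sys
    import time

    LE_LIVE = "/etc/letsencrypt/live"
    POSTFIX_DIR = "/etc/postfix"


    def _atomic_symlink(target, link_path):
        """Replace link_path with a symlink to target with no window where it is absent."""
        tmp = link_path + ".tmp"
        if os.path.lexists(tmp):
            os.remove(tmp)
        os.symlink(target, tmp)
        os.replace(tmp, link_path)  # rename(2): atomic within one filesystem


    def key_world_readable(path):
        """True if group or other can read the private key file."""
        return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


    def install_mail_cert(site, le_live=LE_LIVE, postfix_dir=POSTFIX_DIR, now=None, reload_cmd=None):
        """Back up smtpd.cert/smtpd.key once and re-point them at the LE files for `site`.

        Returns a dict describing what happened so callers (and tests) can verify it.
        """
        fullchain = os.path.join(le_live, site, "fullchain.pem")
        privkey = os.path.join(le_live, site, "privkey.pem")
        for path in (fullchain, privkey):
            if not os.path.isfile(path):  # isfile follows the live/ -> archive/ symlink
                raise FileNotFoundError(f"Let's Encrypt file missing: {path}")

        stamp = time.strftime("%y%m%d%H%M%S", time.localtime(now))
        done = {"backups": [], "warnings": []}
        for name, target in (("smtpd.cert", fullchain), ("smtpd.key", privkey)):
            link = os.path.join(postfix_dir, name)
            already_current = os.path.lexists(link) and os.path.realpath(link) == os.path.realpath(target)
            if os.path.lexists(link) and not already_current:
                backup = f"{link}-{stamp}.bak"
                os.rename(link, backup)  # keep the old file or link for rollback
                done["backups"].append(backup)
            _atomic_symlink(target, link)

        if key_world_readable(privkey):
            done["warnings"].append(f"{privkey} is readable by group/other")
        if reload_cmd:
            subprocess.run(reload_cmd, check=True)
        done["links"] = {n: os.readlink(os.path.join(postfix_dir, n)) for n in ("smtpd.cert", "smtpd.key")}
        return done


    if __name__ == "__main__":
        # Usage: python3 le_mail_pem.py sitename-in-ispconfig.com
        result = install_mail_cert(sys.argv[1], reload_cmd=["systemctl", "restart", "postfix"])
        for w in result["warnings"]:
            print("WARNING:", w)
        print("links:", result["links"], "backups:", result["backups"])
    ```

    Because the function is idempotent, it can be used unchanged as the incron target: a second trigger for the same renewal finds the links already pointing at the right files and only restarts Postfix.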
     
  12. Cipandales

    Cipandales New Member

    Thank you for your help.

    Should I do the same for all web domains I'll add to ISPConfig?
    Or is this something that will be addressed in the future update?

    Regards
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No, your clients should connect to mail.hostingcompany.com and not mail.clientdomain.com.
     
  14. Cipandales

    Cipandales New Member

    Do you mean when I configure Outlook I should set the smtp/imap server to mail.company.com (or ispconfig.company.com) instead of mail.company1.com?
    Thank you
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, it is best practice to use the same domain name. If you mean company.com is your company and company1.com is a client domain, company.com should be used.

    Furthermore, I would advise using smtp.company.com for smtp, and imap.company.com (or pop.company.com) instead of mail.company.com alone. If you want to split smtp and imap/pop3 to separate servers in the future, your clients won't have to change their settings. If you want to do that, you have to create DNS records for smtp, imap, and pop, and add them to the SSL cert.
     