If you have your hosts FQDN in ISPConfig and made a valid Letsencrpyt-Cert for it, you can use it for mail, too. as described in https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/ use the guid mentioned above for your fqdn certs, don't use the paths I have chosen here , I'll update if I have time...however, it works together update your config files for dovecot,postfix and pureftp using this script: /usr/local/bin/fixserviceconfigs.sh Code: #!/bin/sh hostname=`hostname -f` postconf -e "smtp_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem" postconf -e "smtpd_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem" postconf -e "smtpd_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem" postconf -e "smtpd_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem" postconf -e "smtp_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem" postconf -e "smtp_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem" postconf -e "tls_preempt_cipherlist = yes" postconf -e "smtpd_tls_mandatory_ciphers = high" postconf -e "smtpd_use_tls = yes" postconf -e "smtpd_tls_security_level = may" postconf -e "smtpd_tls_protocols = !SSLv2,!SSLv3" postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3" postconf -e "tlsproxy_tls_protocols = \$smtpd_tls_protocols" postconf -e "tlsproxy_tls_mandatory_protocols = \$smtpd_tls_mandatory_protocols" postconf -e "smtp_tls_protocols = !SSLv2,!SSLv3" postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3" postconf -e "lmtp_tls_protocols = !SSLv2,!SSLv3" postconf -e "lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3" postconf -e "smtpd_tls_ciphers = medium" postconf -e "smtp_tls_ciphers = medium" postconf -e "smtpd_tls_eecdh_grade = strong" postconf -e "smtpd_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL" postconf -e "smtp_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL" postconf -e "smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache" postconf -e "smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache" postconf -e "smtpd_tls_dh1024_param_file = \${config_directory}/dh2048.pem" postconf -e "smtpd_tls_dh512_param_file = \${config_directory}/dh512.pem" postconf -e "policyd-spf_time_limit = 3600" postconf -e "opendmarc_milter = unix:var/run/opendmarc/opendmarc.sock" postconf -e "smtputf8_enable = no" postconf -e "bounce_notice_recipient = postmaster@$hostname" postfix_master_conf=`cat /etc/postfix/master.cf` if [[ $postfix_master_conf != *"policyd-spf"* ]]; then postconf -M policyd-spf/spawn="policyd-spf unix - n n - 0 spawn user=nobody argv=/usr/bin/policyd-spf" fi postconf -e "policyd-spf_time_limit = 3600" smtpd_recipient_restrictions=`postconf -p smtpd_recipient_restrictions` if [[ $smtpd_recipient_restrictions != *"check_policy_service unix:private/policyd-spf,"* ]]; then sed -i 's/reject_unauth_destination,/reject_unauth_destination,check_policy_service unix:private\/policyd-spf,/' /etc/postfix/main.cf fi postconf -P "smtp/inet/smtpd_milters=\${opendmarc_milter}" postconf -e "opendmarc_milter=unix:var/run/opendmarc/opendmarc.sock" echo 'HIGH:!CAMELLIA' > /etc/pure-ftpd/conf/TLSCipherSuite dovecot_conf=`cat /etc/dovecot/dovecot.conf` if [[ $dovecot_conf != *"!include conf.d/10-ssl.conf"* ]]; then echo "!include conf.d/10-ssl.conf" >> /etc/dovecot/dovecot.conf fi /usr/sbin/service postfix reload /usr/sbin/service dovecot restart /usr/sbin/service pure-ftpd-mysql restart Modify /etc/dovecot/conf.d/10-ssl.conf Code: ssl = yes ssl_cert = </etc/letsencrypt/live/<FQDN>fullchain.pem ssl_key = </etc/letsencrypt/live/<FQDN>/privkey.pem ssl_dh_parameters_length = 2048 ssl_protocols = !SSLv3 ssl_cipher_list = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv3 ssl_prefer_server_ciphers = yes it can be used using incron on dovecot.conf ect. so these settings won't get overwritten for a long time If you run postfix in chroot, well you need to copy some files of course. Add a cronjob /etc/cron.daily/fixcerts ( change <FQDN> again ) Code: #!/bin/sh cat /etc/letsencrypt/live/<FQDN>/privkey.pem /etc/letsencrypt/live/<FQDN>/cert.pem > /etc/ssl/private/pure-ftpd.pem #cat /etc/letsencrypt/live/<FQDN>/privkey.pem /etc/letsencrypt/live/<FQDN>/cert.pem > /etc/monit/monit.pem #chmod 600 /etc/monit/monit.pem chmod 600 /etc/ssl/private/pure-ftpd.pem cd /etc/postfix umask 022 openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem chmod 644 dh512.pem dh1024.pem dh2048.pem openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048 rm /var/lib/dovecot/ssl-parameters.dat /usr/sbin/service postfix reload /usr/sbin/service dovecot restart /usr/sbin/service pure-ftpd-mysql restart You don't need the monit part, did I mention I'm lazy as f ... make it executable and run it at least one Code: chmod +x /etc/cron.daily/fixcerts /etc/cron.daily/fixcerts so what about mysql? This works for mariadb 10.3 using debian 9 assuming the ispcerts have been symlinked according to your script. Code: cp /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/mysql/mysql.pem openssl rsa -in /usr/local/ispconfig/interface/ssl/ispserver.key -out /etc/mysql/mysql.crt chown mysql:mysql /etc/mysql/mysql.crt chown mysql:mysql /etc/mysql/mysql.pem chmod 400 /etc/mysql/mysql.crt chmod 400 /etc/mysql/mysql.pem and no, you can't simply symlink those, it won't read. change your /etc/mysql/mariadb.conf.d/50-server.cnf service mysql restart
Hi, as you can see i have a related dovecot/postfix issue. The problem with your setup is it will break after an ISPConfig update as the dovecot.conf and the postfix/main.cf get replaced/overwritten. I also would recommend leaving the paths to the certificates unchanged and create a symlink at the path of the certificates that points to the letsencrypt directory.
You can make changes persistent by copying ISPConfig conf files to conf-custom files and making the changes there.
I've made conf-custom files for both postfix and dovecot and they worked; make sure you have the correct filename as sometimes there are several similar ones and it's not always clear exactly which you need without testing it. Yes, likely so
Hello, I go a letsencrypt Certificate for mydomain.de. When I made the changes I get an Error when I test the mailserver. Cert Hostname DOES NOT VERIFY (mail. mydomain.de != mydomain. de | DNS:mydomain. de | DNS:www. mydomain .de) Do I have to make additional changes in DNS configuartion with the hoster oder any changes on my configs ? regards, Ralph
if the cert doesn't match it's not the same your server has a hostname, maybe a seperate mailname. The mailname is set in postfix' main.cf and should be the same name as the IPs reverse DNS is resolving to. And for that name you'll need a SSL cert which can then be used. If you use the mailname to connect to your mailserver, there shouldn't be a cert issue.
OK, in main.cf there are two sections myhostsname sxxxxx.providernameverver.de mydestination = sxxxxx.providernameverver.de, localhost, localhost.localdomain My domain ist mydomain.de where should I change.
I assume numbers where the x are. Unfortunally having numbers as part of subdomains often triggers dial-up anti-spam filters. Basically you shouldn't need to change anything there, just create a LE cert ( create a website, tick SSL/LE ) and use it for your services. You can change it to something like mail.yourdomain.de , you need to have a valid A/AAAA record for mail.yourdomain.de ; RDNS of the IP should point to mail.yourdomain.de and then change the sxxx entry to mail.yourdomain.de & make sure your mailserver greets you with that name.
The numbers are given from the provider in order to use it before any domain ist registered (i think) I created the LE cert with ispconfig and pointed it to postfix, there are some tutorials here, so I thougt I can use ist for mail and the Server itself. They even write ist so. LE also provides wildcard certificates, maybe I should use this, but how. I changed in the main.cnf (postfix) to mail.mydomain.de nothing changes, same error. I think the reverse lookup gives the mydomain.de and not mail.mydomain.de I have in the dns configuration only a A record, there never has been AAAA record. So your idea is to create with ispconfig a site with mail.mydomain.de and create the LE/SSL. Then point postfix certificate to the live cert in LE ? regards, Ralph
yes, but this one is actually a good idea to consider: if you don't take part of the glorious ip-future, you don't have to use AAAA if you can't change the reverse DNS entry of your IP, don't change the greeting of your MTA - it has to match. Ask your provider, some have no function for that using their web interface but do change it on request ( if you want to change the default that is ) edit: oh and this one: didn't know this feature existed ... need to check it - would be happy as f ... yeah debian users loves the pain
Hy, I got now a new Problem after all seems to work fine. After I checked my Domain with mxtoolbox I get an error. I enterd the test with mydomain.de smtp mail.mydomain.de Reverse DNS Resolution - No PTR Record found I dont know where to set the PTR record, is it made in the DNS konfiguation at the provider ? Ralph
if you don't have an option to set your PTR/rDNS record you might need to contact your provider and ask to set it. you can check your current entry using Code: $dig +noall +answer -x 8.8.4.4 which gives you google-public-dns-b.google.com. as rDNS:
This commad does not work on may debian system The command gives a blank line back, seems the ptr is not set. maybe i have to ask the provider
I try to specify the Problem, I dont know if its right here in this Thread. I have a LE certificate for my domain mydomain.de An other LE for mail.mydomain.de I use a vserver and the internall servername is : v9339166.providernameverver.de I have more than one domain on it In the postfix main.cf is : myhostsname v9339166.providernameverver.de Now I got an error when sending mails : host mx00.kundenserver.de[212.227.15.xxx] refused to talk to me: 554-kundenserver.de (mxeue011) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=185.158.212.xxx May 28 13:25:00 v9339166 postfix/smtp[32275]: 7806A9E4A2: to=<[email protected]>, relay=mx01.kundenserver.de[217.72.192.xxx]:25, delay=0.09, delays=0.01/0.01/0.07/0, dsn=4.0.0, status=deferred (host mx01.kundenserver.de[217.72.192.xxx] refused to talk to me: 554-kundenserver.de (mxeue111) Nemesis ESMTP Service not available 554-No SMTP service 554 invalid DNS PTR resource record, IP=185.158.212.xxx) The MX record is : mydomain.de 3600 IN MX 10 mail.mydomain.de TX record mydoman.de 3600 IN TX 0 v=spf1 mx a a:mx.providername.de ~all
it is all correct - and you're right, you may not have a PTR record at all, go speak with your provider. and read the logs... it screams
I contacted my provider and he showed me to configure the PTR. Right now all workes fine. Thanks, Ralph
I have not found anything I could abuse to make ispconfig be aware on few config options for postfix, maybe need a custom-conf plugin like for php/apache... However I changed the cron slightly: Code: #!/bin/sh hostname="<fqdn>" postconf -e "smtp_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem" postconf -e "smtpd_tls_CAfile = /etc/letsencrypt/live/$hostname/chain.pem" postconf -e "smtpd_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem" postconf -e "smtpd_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem" postconf -e "smtp_tls_cert_file = /etc/letsencrypt/live/$hostname/fullchain.pem" postconf -e "smtp_tls_key_file = /etc/letsencrypt/live/$hostname/privkey.pem" postconf -e "tls_preempt_cipherlist = yes" postconf -e "smtpd_tls_mandatory_ciphers = high" postconf -e "smtpd_use_tls = yes" postconf -e "smtpd_tls_security_level = may" postconf -e "smtpd_tls_protocols = !SSLv2,!SSLv3" postconf -e "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3" postconf -e "tlsproxy_tls_protocols = \$smtpd_tls_protocols" postconf -e "tlsproxy_tls_mandatory_protocols = \$smtpd_tls_mandatory_protocols" postconf -e "smtp_tls_protocols = !SSLv2,!SSLv3" postconf -e "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3" postconf -e "lmtp_tls_protocols = !SSLv2,!SSLv3" postconf -e "lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3" postconf -e "smtpd_tls_ciphers = medium" postconf -e "smtp_tls_ciphers = medium" postconf -e "smtpd_tls_eecdh_grade = strong" postconf -e "smtpd_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL" postconf -e "smtp_tls_exclude_ciphers = RC4 aNULL eNULL LOW 3DES MD5 EXP PSK SRP DSS ADH CAMELLIA SEED DES MEDIUM EXPORT aDSS kECDHe kECDHr kDHd kDHr IDEA RC2 aNULL" postconf -e "smtpd_tls_session_cache_database = btree:\${data_directory}/smtpd_scache" postconf -e "smtp_tls_session_cache_database = btree:\${data_directory}/smtp_scache" postconf -e "smtpd_tls_dh1024_param_file = \${config_directory}/dh2048.pem" postconf -e "smtpd_tls_dh512_param_file = \${config_directory}/dh512.pem" echo 'HIGH:!CAMELLIA' > /etc/pure-ftpd/conf/TLSCipherSuite cat /etc/letsencrypt/live/$hostname/privkey.pem /etc/letsencrypt/live/$hostname/cert.pem > /etc/ssl/private/pure-ftpd.pem cat /etc/letsencrypt/live/$hostname/privkey.pem /etc/letsencrypt/live/$hostname/cert.pem > /etc/monit/monit.pem chmod 600 /etc/monit/monit.pem chmod 600 /etc/ssl/private/pure-ftpd.pem cd /etc/postfix umask 022 openssl dhparam -out dh512.tmp 512 && mv dh512.tmp dh512.pem openssl dhparam -out dh1024.tmp 1024 && mv dh1024.tmp dh1024.pem openssl dhparam -out dh2048.tmp 2048 && mv dh2048.tmp dh2048.pem chmod 644 dh512.pem dh1024.pem dh2048.pem openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048 /usr/sbin/service postfix reload /usr/sbin/service dovecot reload /usr/sbin/service pure-ftpd-mysql restart sure I would not really need that as admin, but if you setup a server for someone and he does some updates ... it's easier to tell him just to run the cron or simply wait ^^
