Securing mail with TLS - what about other domains

Discussion in 'Installation/Configuration' started by Clouseau, Dec 1, 2014.

  1. Clouseau

    Clouseau Member

    Let's say I bought a certificate for my maindomain.tld, I installed ISPConfig on the server and configured all the services which support TLS with that certificate. I also disabled plain text logins on all services and I only allow connections using ssl/tls because plain text is bad (sniffing, for a start).

    Now, if I add one client with the domain clientdomain.tld, what would be the correct imap, pop and smtp server names (incoming and outgoing)? Without a certificate the client could use: pop.clientdomain.tld, imap.clientdomain.tld and smtp.clientdomain.tld. WITH a certificate, if the client uses those names there would be a warning on their first mail client setup that the certificate is invalid. To circumvent this, the client should use pop.maindomain.tld, imap.maindomain.tld and smtp.maindomain.tld and he would not see any warnings regarding the certificate.

    So what is common practice? I know hosting companies use pop.clientdomain.tld and smtp.clientdomain.tld for clients, but in a case when a certificate is used, I see no other option than to say to all the clients that they must use pop.maindomain.tld for incoming and smtp.maindomain.tld for outgoing if I don't want them to see warnings regarding the certificate not belonging to their domains... Buying multiple wildcard domain certificates is not an option. So, what do you do in practice? Wouldn't clients be put off if I told them to use pop, imap and smtp of mydomain, because they are probably expecting pop, imap and smtp with their domain names in it...
     
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    If every clientdomain has its own IP, you can use certificates for each domain. Otherwise the ssl-cert is only valid for maindomain.

    Your clients need to use maindomain with ssl.
     
  3. Clouseau

    Clouseau Member

    I see. But that would be too hard to maintain in a shared hosting environment, especially adding more and more IPs as the number of domains grows. But those are the limits of the underlying services, nothing to do with hosting panels...

    I don't know, if a client connects to smtp.clientdomain.tld with the cert for maindomain, would he be able to connect at all? I presume he would, just the annoying warning of an invalid certificate on first mail setup in his mail client would show. Then he would just have to click "Accept certificate" and then he would connect and use the mail.
     
  4. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Usually a wrong certificate must be accepted only once. But why don't you give maindomain to any user who wants to use ssl?
     
  5. Clouseau

    Clouseau Member

    That is an option. But my intention is to disable plain text auth on dovecot, postfix and ftp, for better security. If someone sniffs a client password when he connects using plain text auth on mail services (port 25, 143 and 110) then he could do damage to the server by sending lots of spam (which would be dkim signed) and putting the server on an RBL so other clients could not send mail until the IP is unblocked... And if we consider new clients that are coming from other hosting companies, I bet most of them use plain text auth with their clientdomain name in pop, imap and smtp. So the easiest for them would be to use their clientdomain name with the cert of maindomain, so they would only have to change the ssl settings in their mail client... But maybe I'm complicating too much, I wanted to know what the best practice is. Maybe I'll just tell them to use maindomain with ssl and that's it, as the server does not accept plaintext auth because it's a security issue :)
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess all larger ISPs will hand out a subdomain of their company domain for email logins. A subdomain of the customer domain is only used when a customer has its own dedicated server and therefore its own IP address.
     
  7. MZorzy

    MZorzy New Member

  8. Clouseau

    Clouseau Member

    This would be hard to maintain, just imagine a few hundred domains on a hosting server and doing manual work in the cli for adding and removing that as they come and go... It could be done, but better on creation in the panel. Dovecot supports SNI, there is no plan for postfix to implement SNI http://www.postfix.org/TLS_README.html "...There are no plans to implement SNI in the Postfix SMTP server..."

    I think I'll let them use the server's maindomain with ssl for the incoming and outgoing server settings...
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    And one more thing why it makes not much sense to let the users use their own domains (at least if they are no larger companies): You would have to buy either a wildcard ssl cert for each user domain, which is quite expensive, or you would have to buy an own ssl cert for the smtp, imap and maybe pop3 subdomain.
     
  10. Clouseau

    Clouseau Member

    Yup. And in the second option buy an additional IP for the server per certificate because smtp doesn't support SNI...

    Now try explaining that to customers when they ask why they can't have their own domain in the imap, smtp names :D Because it overcomplicates things for just having your name, everything else is the same :D

    And regarding larger companies, I would always recommend that they use a VPS or Dedi just for themselves :)
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    That's easy. Just give them the choice: use your domain for free, or their own domain with own IP and own ssl cert for an additional 15 USD / month :D
     
  12. MZorzy

    MZorzy New Member

    I hope there will be a 3rd choice: waiting for "Let's Encrypt"
     
  13. Nap

    Nap Member

    I have a small number of hosted domains, and each uses its own 'mail.hosteddomain.tld' in the mail client setup.

    Everything is working, using TLS with mandatory authentication.

    Since I'm using a self-signed certificate at the moment, each client has to manually accept the certificate for my mail server. (On an iPhone, this is a once-off action; in Outlook 2007 it's required each time I run it [I have in the past installed the certificate into Outlook, but that was a bit of a pain].)

    After reading this thread, I checked the certificate information that's being shown to the clients, and it's the same certificate in all cases for all domains. In the SMTP log file, for all these hosted domains, my server announces its EHLO with the 'hostname.maindomain.tld' address. I have A, MX, and SPF records for each domain, and a PTR for my maindomain.tld.

    I've checked with various ISPs (including gmail & hotmail) and my mail is successfully received without being marked as spam.

    So, I get the impression that all I need is a CA signed certificate for the maindomain.tld and all my hosts will be looked after.

    Is this correct?

    Cheers,
    Nap
     
  14. Clouseau

    Clouseau Member

    If you buy a CA signed certificate for the main domain just to replace that self signed one of yours, the clients are still gonna see the warning because the certificate is just for the main domain.
    To stop the nagging about the wrong certificate, you can:
    1. buy a wildcard certificate for all domains you are hosting (I wouldn't do that)
    or
    2. buy a certificate per domain, but postfix doesn't support SNI so you should buy an extra IP per domain (I wouldn't do this either)
    or
    3. just let them use smtp and imap of the main domain which has a CA signed certificate - smtp.maindomain.tld and mail.maindomain.tld (or imap.maindomain.tld or pop.maindomain.tld) - that is what they will use in their mail clients...
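    To see which of the three options a given setup actually needs, the check below reads the names a mail server's certificate carries and tells whether a client configured with a given server name would get the "invalid certificate" nag described in this thread. This is an added example, not code from the thread or from ISPConfig; the host names are placeholders, and the wildcard rule (one leftmost label) is the usual mail-client rule, assumed here rather than taken from the thread.

```python
# Added example, not code from the thread or from ISPConfig. Host names are
# placeholders; the wildcard rule below is the common client rule (one label).
import smtplib
import socket
import ssl

def hostname_matches(pattern, hostname):
    """True if a certificate name (possibly *.example) covers hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # a wildcard stands for exactly one leftmost label, never a bare "*.tld"
    return len(h_labels) == len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]

def cert_dns_names(cert):
    """DNS names from a getpeercert()-style dict (SAN first, CN as fallback)."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def would_warn(cert, server_name):
    """True if a client configured with server_name gets a name-mismatch warning."""
    return not any(hostname_matches(n, server_name) for n in cert_dns_names(cert))

def fetch_cert(host, port, starttls=False):
    """Certificate the server presents for host. The CA chain is still verified
    (verify_mode stays CERT_REQUIRED); only the hostname check is skipped."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if starttls:  # submission/smtp: connect in plain text, upgrade with STARTTLS
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=10) as raw:  # e.g. imaps 993
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: the names a certificate bought for maindomain.tld carries.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.maindomain.tld"),),),
    "subjectAltName": (("DNS", "mail.maindomain.tld"), ("DNS", "*.maindomain.tld")),
}

if __name__ == "__main__":
    for name in ("smtp.maindomain.tld", "smtp.clientdomain.tld"):
        print(name, "-> certificate warning" if would_warn(SAMPLE_CERT, name) else "-> ok")
```

Against a live server, `fetch_cert("smtp.maindomain.tld", 587, starttls=True)` or `fetch_cert("imap.maindomain.tld", 993)` returns the same dict shape as `SAMPLE_CERT`, so `would_warn(fetch_cert(...), "mail.clientdomain.tld")` answers the question for a real client domain; a self-signed cert raises `ssl.SSLCertVerificationError` there because the chain is still checked.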
     
  15. Nap

    Nap Member

    1) But their customers and contacts will be able to send mail to their particular domain names?

    2) The clients will be able to send mail using their domains?

    Cheers,
    Nap
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, of course. The domain that is used to access an imap or smtp server is not related to the sender or receiver domain of emails.
     
  17. Clouseau

    Clouseau Member

    Well, I'm not sure anymore... maindomain has an ssl cert. On cpanel I just tried connecting to mydomain with starttls and thunderbird doesn't connect. I can only connect to imap, pop, smtp and not to imaps, pops and smtp with starttls if I use mail.mydomain.tld. If I use mail.maindomain.tld it connects.

    The mydomain.tld can only be used when connecting insecurely, without ssl, then it works.

    Maybe this is only cpanel related, as it configures all the services and a lot of other nonstandard bloated stuff, I don't know... Omg, what that panel does to the OS underneath, the sysadmin who admins that must be totally out of his nerves.
     
    Last edited: Dec 16, 2014
  18. Clouseau

    Clouseau Member

    OK, wrongly said, it works. So yes, everything will work, but you will have a nagging wrong certificate on first connection when using userdomain.tld for incoming and outgoing with a certificate bought for maindomain.tld.
     