SSL for postfix. Not possible to use other than hostname ssl.

Discussion in 'Installation/Configuration' started by ozgurerdogan, Apr 11, 2020.

  1. ozgurerdogan

    ozgurerdogan Member

    I setup ssl for server.domain.com hostname for ispconfig itself and created a vhost with hostname mail.domain.com and also set ssl for that hostname for mail ssl.
    And in postfix I pointed to this ssl path:
    Code:
    # TLS parameters
    smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.com/fullchain.pem
    smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain.com/privkey.pem
    myhostname = mail.domain.com
    And I was able to confirm TLS here: https://ssl-tools.net/mailservers/

    The problem is that the Thunderbird setup runs fine on the first mail account setup (I can send and receive mails with the SSL-enabled ports 465 - 995), but if I restart Thunderbird, it asks for an SSL exception in a popup, and there it shows the SSL certificate is pointing to server.domain.com, NOT mail.domain.com.

    Do I really have to use server.domain.com for the incoming and outgoing servers?

    When Thunderbird shows the popup for the security alert, I see mail.domain.com:995 there, and if I remove :995 it can validate the SSL fine.

    I set up mail in the myEmail app on my mobile device, and it works fine. Could it be related to Thunderbird?
     
    Last edited: Apr 11, 2020
  2. ozgurerdogan

    ozgurerdogan Member

    OK, I had to set the cert path in dovecot.conf:
    ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.domain.com/privkey.pem

    So far it seems fine.
     
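    The symptom above (SMTP on 465 presenting mail.domain.com while POP3 on 995 still presented server.domain.com) happens because Postfix reads smtpd_tls_cert_file and Dovecot reads ssl_cert independently. The following checker is an added example written for this thread, not code from the original posts or from ISPConfig, Postfix or Dovecot. It connects to each mail port, records which DNS names the presented certificate actually covers, and compares them against the name the mail client is configured with; the sample certificate dicts are constructed, and the default target name mail.domain.com is the placeholder from the thread.

```python
"""
Report which hostname each mail-facing TLS port really presents.

Added example (not from the original post or from ISPConfig/Postfix/Dovecot).
Postfix (smtpd_tls_cert_file) and Dovecot (ssl_cert) load certificates
separately, so 465 can present one name while 993/995 present another.
"""
import smtplib
import socket
import ssl
import sys


def _dns_names(cert):
    """DNS names from a dict as returned by SSLSocket.getpeercert()."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # only fall back to the CN when there is no SAN at all
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _label_match(pattern, hostname):
    """Exact match, or a wildcard that is the whole leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    labels = hostname.split(".")
    # *.domain.com covers mail.domain.com, but not domain.com or a.b.domain.com
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_matches(cert, hostname):
    """True if the certificate covers hostname via SAN (or CN without SAN)."""
    return any(_label_match(n, hostname) for n in _dns_names(cert))


def describe(cert, hostname):
    """One-line verdict, e.g. for a port still serving the server hostname."""
    names = ", ".join(_dns_names(cert)) or "<no names>"
    if cert_matches(cert, hostname):
        return "OK: certificate covers %s (%s)" % (hostname, names)
    return "MISMATCH: expected %s, certificate covers %s" % (hostname, names)


def fetch_cert(host, port, starttls=False, timeout=5.0):
    """getpeercert() from host:port.  starttls=True uses SMTP STARTTLS (587);
    otherwise the port is assumed to speak TLS directly (465/993/995).
    Hostname checking is off so a wrong name is reported, not hidden; chain
    verification stays on, so an untrusted chain raises SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if starttls:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: what a client saw on 995 in the thread, a certificate
# issued for the server hostname rather than the mail hostname.
SAMPLE_DOVECOT_CERT = {
    "subject": ((("commonName", "server.domain.com"),),),
    "subjectAltName": (("DNS", "server.domain.com"),),
}

# (port, STARTTLS?) pairs a typical Postfix/Dovecot client setup touches.
MAIL_PORTS = [(465, False), (587, True), (993, False), (995, False)]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.com"
    for port, use_starttls in MAIL_PORTS:
        try:
            verdict = describe(fetch_cert(target, port, use_starttls), target)
        except ssl.SSLCertVerificationError as exc:
            verdict = "UNTRUSTED CHAIN: %s" % exc.verify_message
        except OSError as exc:
            verdict = "unreachable: %s" % exc
        print("%s:%d  %s" % (target, port, verdict))
```

Run it as `python3 mailcert_check.py mail.domain.com` after changing either daemon's certificate: every line should read OK for the name the clients use, and a MISMATCH on 993/995 but not 465 points straight at the Dovecot ssl_cert setting rather than Postfix.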
  3. till

    till Super Moderator Staff Member ISPConfig Developer

  4. ozgurerdogan

    ozgurerdogan Member

    Thank you for the warning. Is it OK if I set:

    Code:
    ln -s /etc/letsencrypt/live/mail.domain.com/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/mail.domain.com/privkey.pem smtpd.key
    instead of:
    Code:
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
    Also, I am thinking of changing smtpd_tls_security_level = may to encrypt. Would it get overwritten on the next update?
     
  5. ozgurerdogan

    ozgurerdogan Member

    Also, postfix and dovecot did not like it. The Dovecot service does not start and the mail client gets a timeout error.
    I want to be able to use the mail.domain.com SSL hostname for mail clients. This server is only hosting one web site.
     
    Last edited: Apr 11, 2020
  6. ozgurerdogan

    ozgurerdogan Member

    OK, my bad. It is running fine. One more question: I want to change
    smtpd_tls_security_level = encrypt
    Will it also get lost with an update? How do I protect it?
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter
