use mail.domain.tld as pop3/imap/smtp server for each domain using alias domains with the same SSL cert

Discussion in 'Installation/Configuration' started by Emiio, Sep 19, 2020.

  1. Emiio

    Emiio New Member

    Hi, I followed this guide: The Perfect Server, Debian 10 with Nginx:
    1. I have running: Securing ISPConfig 3.1 with a free Let's Encrypt SSL certificate.
    2. I have several domains, DNS zones, sites and mail accounts configured.
    3. I have read that to use "mail.domain.tld" for each domain, the "best/easy" way is to create an alias domain for each domain linking to the main domain (created in point 1).
    4. I have created an alias domain like this:
      1. domain: mail.domain.tld
      2. parent website: subdomain.vpsdomain.tld
      3. redirect path: blank
      4. auto-subdomain: none
      5. SEO redirect: no redirect
      6. don't add to Let's Encrypt certificate: unchecked
      7. active: checked
    5. Problem: when configuring a mail account on a client, if I enter "mail.domain.tld" I receive a certificate error. If I enter "subdomain.vpsdomain.tld" it works OK.
    6. Notes:
      1. "subdomain.vpsdomain.tld" is the hostname provided by the VPS provider.
      2. "domain.tld" has a DNS record included: MX -> mail.domain.tld
      3. Is it necessary to create a DNS zone for "subdomain.vpsdomain.tld"? I don't have one.
    I know that it is not a bug but a concept problem. Any help would be appreciated.

    Thank you
  2. Th0m

    Th0m ISPConfig Developer, Staff Member

    I would not do this if you run this for clients, as they can see which domains are listed on the certificate and that's not too professional, and there is a limit on how many domains can be on an LE cert (I thought it was 100).

    If you still want to go on with this, can you look in your logs to see if the new certificate could be issued?
  3. Emiio

    Emiio New Member

    This is the log (1 warning talking about www):
    LE CERT OUTPUT: Expiry Date: 2020-12-18 09:25:08+00:00 (VALID: 89 days)
    LE CERT OUTPUT: Domains: xxx
    LE CERT OUTPUT: Serial Number: 3xxxxxxxxxxxxxxxxxxxxxx
    LE CERT OUTPUT: Certificate Name: xxx-0001
    LE CERT OUTPUT: Found the following matching certs:
    LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    exec: /optcertbot/venv/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server  acme-v02.xx.xx/directory --rsa-key-size 4096 --email xxx@xxxxx --webroot-map '{"xxxxx":"/usr/local/ispconfig/interface/acme"}'
    2020-09-19 12:31
    LE version is 1.8.0, so using certificates command
    Let's Encrypt SSL Cert domains: --domains xxxx
    Create Let's Encrypt SSL Cert for: xxxx
    Could not verify domain www.xxxx, so excluding it from letsencrypt request.
    Verified domain xxxxx should be reachable for letsencrypt.
    safe_exec cmd: chattr +i '/var/www/clients/client1/web2' - return code: 0
    safe_exec cmd: setquota -T -u 'web2' 604800 604800 -a &> /dev/null - return code: 0
    safe_exec cmd: setquota -u 'web2' '0' '0' 0 0 -a &> /dev/null - return code: 0
    What's the best/easiest practice for free? Thank you
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Does www.xxxx exist in name service and does it point to your server?
  6. Emiio

    Emiio New Member

    Sorry, I can't quote because I'm new on the forum.
    @Taleman: I have set the subdomain to "none" on the website created with the hostname because it is not accessible and I won't use it.
    @Th0m: SANs: mail.domain.tld and subdomain.vpsdomain.tld

    Green checks on all. Resolves to
    Server Type: xxxx
    The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
    The certificate was issued by Let's Encrypt.
    The certificate will expire in 88 days.
    The hostname ( is correctly listed in the certificate.

    Note: when configuring POP3 in Android with mail.domain.tld, the certificate error is: subject and hostname are not the same
  7. Th0m

    Th0m ISPConfig Developer, Staff Member

    Can you share what's in
    incrontab -e
  8. Emiio

    Emiio New Member

    /etc/letsencrypt/archive/$(hostname IN_ALL_EVENTS IN_MODIFY ./etc/init.d/
  9. Th0m

    Th0m ISPConfig Developer, Staff Member

    Change $(hostname to subdomain.vpsdomain.tld/ and run /etc/init.d/

    The variable doesn't work sadly, so replacing that will make sure the auto renewal works. You run the script to update it now, otherwise you would have to wait for a renewal or other change.

    @till this should be updated in the tutorial I think. I had the same issue and some others on the forum as well.
  10. Emiio

    Emiio New Member

    Thank you so much for your help. It works!
    When I opened the incrontab -e file it showed this:
    "/etc/letsencrypt/archive/$(hostname     IN_ALL_EVENTS   IN_MODIFY ./etc/init.d/"
    I put this line instead (removed hostname and IN_ALL_EVENTS):
    /etc/letsencrypt/archive/subdomain.vpsdomain.tld/   IN_MODIFY       ./etc/init.d/
    Then I executed /etc/init.d/ and all OK.

    @Th0m, you said that this is not a good practice. Could you give me an approach to best practice to learn from?

    Thank you so much!
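The certificate error from post 6 and the incron fix from posts 9 and 10, worked through as an added example. This is not code from the thread or from ISPConfig: the name of the script the incrontab entry runs is cut off in the thread, so the deploy function below is hypothetical, and the destination directory, the ports and the reload command are assumptions. Instead of a real Let's Encrypt certificate it builds a self-signed one with the two SANs named in the thread (constructed test material), so everything except the live check runs offline:

```shell
#!/bin/sh
# Added example, not code from the thread or from ISPConfig.
# cert_covers_host / cert_sans: what a mail client checks, and what anyone who
# connects can read out of a certificate that carries every client domain.
# deploy_mail_cert: the job of the script the incrontab entry in the thread runs
# (its name is cut off there, so this one is hypothetical): copy the renewed
# Let's Encrypt files to where Postfix/Dovecot read them. Paths, ports and the
# reload command are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed certificate standing in for the
# Let's Encrypt one, with the SANs named in the thread. make_test_cert DIR SAN...
make_test_cert() {
    dir=$1; shift
    sans=$(printf 'DNS:%s,' "$@"); sans=${sans%,}
    mkdir -p "$dir"
    cat >"$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $1
[v3]
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# cert_covers_host CERT HOST: 0 if HOST matches a SAN, 1 otherwise. The Android
# error "subject and hostname are not the same" is this check failing.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_sans CERT: every DNS name in the certificate, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# live_cert_covers_host HOST PORT: the same check against a running server, with
# SNI and STARTTLS where the port needs it. Needs network, so not exercised here.
live_cert_covers_host() {
    case $2 in 25|587) tls="-starttls smtp" ;; 143) tls="-starttls imap" ;; *) tls="" ;; esac
    openssl s_client -connect "$1:$2" -servername "$1" $tls </dev/null 2>/dev/null |
        openssl x509 -noout -checkhost "$1" | grep -q 'does match'
}

# incron does not run a shell, so "$(hostname -f)" in incrontab is watched
# literally and never fires. incron_watch_path_ok "LINE" checks that the first
# field of an incrontab line is a plain path to an existing directory.
incron_watch_path_ok() {
    set -- $1
    case $1 in *'$'*|*'`'*) return 1 ;; esac
    [ -d "$1" ]
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# deploy_mail_cert LIVE_DIR DEST_DIR RELOAD_CMD: copy fullchain.pem and
# privkey.pem atomically and run RELOAD_CMD only when the certificate changed.
# Returns 0 deployed, 2 already current, 1 refused (unreadable certificate or a
# key that does not belong to it, e.g. incron fired while certbot was still writing).
deploy_mail_cert() {
    live=$1; dest=$2; reload=$3
    openssl x509 -in "$live/fullchain.pem" -noout >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$live/fullchain.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$live/privkey.pem" -pubout 2>/dev/null)" ] || return 1
    if [ -f "$dest/fullchain.pem" ] &&
       [ "$(fingerprint "$live/fullchain.pem")" = "$(fingerprint "$dest/fullchain.pem")" ]; then
        return 2
    fi
    mkdir -p "$dest"
    cp "$live/fullchain.pem" "$dest/fullchain.pem.new"
    cp "$live/privkey.pem" "$dest/privkey.pem.new"
    chmod 600 "$dest/privkey.pem.new"
    mv "$dest/fullchain.pem.new" "$dest/fullchain.pem"   # rename: readers never see a partial file
    mv "$dest/privkey.pem.new" "$dest/privkey.pem"
    sh -c "$reload"
}

# Stand-alone demo on the constructed certificate: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    make_test_cert "$WORK/le" subdomain.vpsdomain.tld mail.domain.tld
    echo "SANs:"; cert_sans "$WORK/le/fullchain.pem"
    for h in mail.domain.tld subdomain.vpsdomain.tld imap.domain.tld; do
        cert_covers_host "$WORK/le/fullchain.pem" "$h" && echo "$h: covered" || echo "$h: NOT covered"
    done
    deploy_mail_cert "$WORK/le" "$WORK/mail" 'echo "reload postfix dovecot"' && echo deployed
    incron_watch_path_ok '/etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY /etc/init.d/x' || echo 'entry with $(hostname -f) never fires'
fi
```

Against the real server, `live_cert_covers_host mail.domain.tld 993` asks Dovecot, with SNI set to mail.domain.tld, for its certificate and fails exactly when the Android client does; `cert_sans` on that certificate shows what every connecting client can read, which is Th0m's objection to one shared certificate. For deployment, point `deploy_mail_cert` at /etc/letsencrypt/live/<host> and the paths Postfix and Dovecot are configured to read, with `systemctl reload postfix dovecot` as the reload command, and call it from the incron entry. Watching the archive directory, as the thread does, is right because certbot writes the new numbered files there and only afterwards repoints the symlinks in live/; since that is several writes per renewal, incron fires more than once, and the fingerprint comparison plus the key/certificate match keep that from reloading the services needlessly or deploying a half-written pair.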
  11. Th0m

    Th0m ISPConfig Developer, Staff Member

    No problem :)

    This is how I run my own hosting:

    If clients have an email domain, they use the above servers to connect to with their own credentials (for example [email protected]).

    As stated before, by adding every client domain to your certificate you get a huge cert, there is a limit, and if you view the cert details it will display all client domains to anyone. I don't think that's a good idea.

    I set up automail from Schaal-IT so if a user is setting up their own account, 9 out of 10 times they get the correct config automatically. You can view that plugin here:

    EDIT: example:
    for all clients, I have this in the DNS template:
    SRV|_autodiscover._tcp|0 443|0|86400

    I don't add a subdomain like mail, smtp, imap to the client's domain, so it is not even possible to use that as the server name in their client.
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I got automail working with Thunderbird, but not with any other e-mail client I tried. Does your setup work with most e-mail clients? How is it done?
  13. Th0m

    Th0m ISPConfig Developer, Staff Member

    It does work with Outlook for me, but not the latest version (2019) because they changed something and I thought @florian030 didn't have time to dive into it.

    I use the records for client domains that I posted before.
