Website SSL cert for email

Discussion in 'Installation/Configuration' started by dan-v, Feb 2, 2025.

  1. dan-v

    dan-v Member

     
  2. dan-v

    dan-v Member

    The above statement is misleading. What ISPConfig 3.2 does NOT do when creating a website domain.com and a corresponding email website mail.domain.com is to make the corresponding Let's Encrypt certificates available to postfix and dovecot. As a result, when configuring a client mailer for the address [email protected], it is impossible to specify mail.domain.com or domain.com as the server, as it will generate an SSL error, resulting in a block by most antivirus systems, or an iPhone.

    Sadly, when configuring the client [email protected] in a mailer, mail.domain.com and domain.com are the servers searched by default by the configuration GUI, be it on Thunderbird or an iPhone.

    This makes an ISPConfig mail server seriously non-standard.

    A solution is obviously to create a symbolic link in the dovecot and postfix configuration files towards the Let's Encrypt SSL certificates known to the Apache2 vhost for domain.com and mail.domain.com. But ISPConfig does not provide a way to do that in its GUI (it would be a very useful enhancement).

    I have not been able to find a good tutorial on how to do this via the command line. Is there one? [using ISPConfig 3.2 / Debian 12]
     
  3. remkoh

    remkoh Active Member HowtoForge Supporter

    Not much is true about what you're stating here,
    beginning with which servernames are used by default.

    Servernames are never guessed but looked up in your domain settings, beginning with the domain's DNS records.
    So if you set up the DNS records and autodiscover / autoconfig settings for your domain properly, almost ALL clients can find the correct servername to use and configure the account, including the account type.
    With a proper setup you can even prioritize protocols ( imap(s) over pop(s) and submit over smtp(s), for example ) and TLS/SSL/none.

    Most major clients, from Outlook to Thunderbird and iOS and Android, will honor these settings and configure an account automatically with the correct settings (provided the proper password is entered), or else ask for the correct servername to be entered.

    And recently I saw a post about dovecot (and postfix?) + SNI.
    So you should even be able to use servernames within the mail domain, but I haven't checked that out myself yet.
     
    Last edited: Feb 2, 2025
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Your statement is wrong in several ways. First, my post is not about creating websites for SSL certs. You cited a post from me about the system-wide SSL cert, which gets created automatically when you install ISPConfig (which is not the SSL cert of a website), and then claim you created a website for that SSL cert, and this does not get used for other services. Of course, a website SSL cert does not affect the system-wide cert for the hostname; it's something completely different and unrelated. So you talk here about a completely different topic.

    ISPConfig uses the standard setup that larger providers use; you probably know only small mail systems. No provider with hundreds or thousands of domains would use individual SSL certs for each mail domain, as keeping them renewed and updated without failing the whole mail system for other users would be a nightmare.

    As @remkoh pointed out, there is no issue at all using a different server hostname for email, most mail systems do that.

    To use the SSL cert for a website, take a look here:

    https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/

    But as mentioned already, it's not needed, and using such a setup would only make sense for very small systems with very few domains.

    Finally, do not hijack old threads on different topics. I moved your post to its own thread now.
     
  5. remkoh

    remkoh Active Member HowtoForge Supporter

    For some reason I can't shake the feeling that the domain in question has a * record in its DNS.
    Not sure, of course, because the domain in question is not mentioned. But it could explain some things.

    For example, it will bring autodiscover.domain.com to life if that record doesn't already exist, which can cause all sorts of mail-related issues if not properly configured on the (web)server the * record points to.

    It's one of the main reasons to NEVER EVER use * records in your DNS unless you have a real, legitimate reason to do so.
    In most cases it's there because of unawareness, for lazy reasons or just plain lack of knowledge.
     
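    Added example (not from any post in this thread): a constructed BIND zone fragment for the placeholder domain example.com that puts remkoh's two points into records, the RFC 6186 SRV entries that let clients discover the provider's mail host and prefer IMAPS/submission, explicit autoconfig/autodiscover names that point at a web host actually serving those files, and no wildcard record. The hostnames mail.provider.example and web1.provider.example are placeholders.

    ```zone
    ; Constructed example, example.com is a placeholder domain.
    ; Mail is served from the provider's system-wide hostname, whose certificate
    ; is the one installed for Postfix/Dovecot; no per-domain cert is needed.
    $ORIGIN example.com.
    $TTL 3600

    ; RFC 6186 service records. Lower priority wins, so SRV-aware clients
    ; prefer IMAPS over POP3S and submission over implicit-TLS SMTP, as the
    ; post above describes. A target of "." means "service not offered",
    ; which is how plaintext IMAP/POP3 are switched off.
    _imaps._tcp         IN SRV  0 1 993 mail.provider.example.
    _imap._tcp          IN SRV  0 0   0 .
    _pop3s._tcp         IN SRV 10 1 995 mail.provider.example.
    _pop3._tcp          IN SRV  0 0   0 .
    _submission._tcp    IN SRV  0 1 587 mail.provider.example.
    _submissions._tcp   IN SRV 10 1 465 mail.provider.example.

    ; Thunderbird autoconfig and Outlook autodiscover lookups. Both names must
    ; point at a web host that really serves /mail/config-v1.1.xml and
    ; /autodiscover/autodiscover.xml with a certificate valid for these names.
    autoconfig          IN CNAME web1.provider.example.
    autodiscover        IN CNAME web1.provider.example.
    _autodiscover._tcp  IN SRV  0 0 443 autodiscover.example.com.

    ; Deliberately no "*" record: a wildcard would make autodiscover.example.com
    ; (and every other unlisted name) resolve to a server that is not set up
    ; for it, which is the failure mode described in the post above.
    ```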
  6. dan-v

    dan-v Member

    Ok. Yes, it is correct that I have a small server. I am currently trying to migrate it to ISPConfig with some difficulty. It so happens that all my current email clients are using their own domain name as the server name (actually mail.theirdomain.com) with TLS, a feature which was available/standard on the older server. If I change that, it will force them to rework their configuration. Not user-friendly...

    Therefore, I have developed a script that creates/refreshes the SNI for dovecot and postfix, with all the existing domains/aliases that support SSL. It is tested and works. It's here below, for what it's worth. It might benefit some webmasters who are trying not to disturb their email users.
    Code:
    #!/bin/bash
    
    #
    # This script is designed to create/refresh the SNI data of Dovecot and Postfix, so that
    # mail connections can be properly accessed with SSL, using the domain itself
    # (or one of the subdomains e.g. mail.mydomain.com) as the server.
    #
    # It should be invoked after each domain/subdomain creation, and appended to the acme cronjob
    # to be executed after it, so that refreshes of the certificates flow through to Dovecot and
    # Postfix
    #
    # It has been designed and tested for a Debian 12 / ISPConfig 3.2 system. No attempt has been
    # made to make it compatible with other configurations. Use or adapt at your own risk
    #
    # -------------------------------------------------------------------------------------------------
    
    #
    # First, build a list of website directories with symlink duplicates removed
    # (a web directory that also has a symlink pointing to it is listed only once)
    #
    
    echo
    echo Building domain list...
    
    web_dirlist=""
    dirlist=/var/www/clients/*/*
    for i in $dirlist
    do
        if [[ -L $i ]]; then
            # keep all symlinks
            web_dirlist="$web_dirlist $i"
        else
            # regular file or directory, not symlink
            # search for a symlink to the same file
            linkfound=false
            for j in $dirlist
            do
                if [[ $i == $j ]]; then
                    # self
                    continue
                fi
                if [[ -L $j ]]; then
                    target=$(readlink -f "$j")
                    if [[ $i == $target ]]; then
                        # there is a symlink for this file
                        linkfound=true
                        break
                    fi
                fi
            done
            if [[ $linkfound == false ]]; then
                # no link for this file/directory, so we keep it in the list
                web_dirlist="$web_dirlist $i"
            fi
        fi
    done
    # printf "%s\n" $web_dirlist     # DEBUG
    
    #
    # Now, for each website, discover what aliases are covered by the certificate
    # and write one Postfix map line and one Dovecot local_name block per alias
    #
    
    echo Extracting URLs from certificate files and building Postfix / Dovecot entries...
    
    rm -f domain_ssl.map
    rm -f dovecot.conf
    
    today=$(date +"%A %d %B %Y at %H:%M")
    
    echo "#"                                            >> domain_ssl.map
    echo "# Postfix sni map updated on $today"          >> domain_ssl.map
    echo "#"                                            >> domain_ssl.map
    
    echo "#"                                            >> dovecot.conf
    echo "# Dovecot sni entries updated on $today"      >> dovecot.conf
    echo "#"                                            >> dovecot.conf
    
    for i in $web_dirlist
    do
        # resolve the certificate and key once per website; skip websites without a pair
        crtfile=$(ls $i/ssl/*.crt 2>/dev/null | head -n 1)
        keyfile=$(ls $i/ssl/*.key 2>/dev/null | head -n 1)
        if [[ ! -f $crtfile || ! -f $keyfile ]]; then
            echo "$i: no certificate/key pair in $i/ssl, skipping"
            continue
        fi
    
        # the last line of the extension dump looks like "DNS:a.com, DNS:www.a.com"
        aliases=$(openssl x509 -in "$crtfile" -text -noout -ext subjectAltName | tail -n 1)
        aliases=$(echo "$aliases" | sed -e 's/DNS://g' -e 's/,//g')
        # echo $i:                      # DEBUG
        # printf "%s\n" "$aliases"      # DEBUG
        # echo                          # DEBUG
    
        #
        # Now, for each alias, create a postfix entry and a dovecot entry.
        # Globbing is disabled here so a wildcard SAN such as *.domain.com is not
        # expanded against the current directory.
        #
    
        set -f
        for j in $aliases
        do
            # prepare postfix data: tls_server_sni_maps expects the key file first, then the cert
            echo "$j $keyfile $crtfile"                         >> domain_ssl.map
    
            # prepare dovecot data
            echo "local_name $j {"                              >> dovecot.conf
            echo "   ssl_cert=<$crtfile"                        >> dovecot.conf
            echo "   ssl_key=<$keyfile"                         >> dovecot.conf
            echo "}"                                            >> dovecot.conf
        done
        set +f
    done
    
    
    echo Installing postfix data...
    if ! grep -q '^tls_server_sni_maps' /etc/postfix/main.cf; then
        echo tls_server_sni_maps missing in main.cf. appending...
        echo tls_server_sni_maps = hash:/etc/postfix/domain_ssl.map >> /etc/postfix/main.cf
    fi
    cp domain_ssl.map /etc/postfix
    # -F makes postmap store the contents of the listed PEM files, as the SNI map requires
    postmap -F hash:/etc/postfix/domain_ssl.map && systemctl restart postfix
    
    echo Installing Dovecot data...
    #
    # This is more tricky, because if there are already some configuration lines in the
    # custom dovecot conf file, we have to preserve them
    #
    # Therefore, we put our stuff at the end of the file (or replace it there) with a warning
    # to not add custom lines below it
    #
    # This requires a temporary file
    #
    
    tempfile=".dovecot.conf.tmp"
    > $tempfile
    
    dovecotconf="/etc/dovecot/conf.d/99-ispconfig-custom-config.conf"
    snibanner="#------------------------------- BEGIN OF SNI SECTION ----------------------------------"
    
    if [[ ! -f $dovecotconf ]]; then
        echo creating dovecot custom configuration file...
        > $dovecotconf
    fi
    
    #
    # Are we already in the file ?
    #
    
    if myline=$(grep -n -F "$snibanner" $dovecotconf); then
    
        # We are in there already. We need to copy the lines before ours,
        # if any, before we can append
    
        # echo already there : $myline      # DEBUG
    
        linenum=${myline%%:*}              # strip everything from the first ':' on, leaving the line number
        echo my line number is $linenum
        if [[ $linenum -gt 1 ]]; then
    
            # there are lines before us
    
            lines=$((linenum - 1))
            echo transferring $lines existing lines in custom dovecot conf file
            head -n $lines $dovecotconf >> $tempfile
        fi
    else
        # not there yet: keep the whole existing custom file and put our section after it
        cat $dovecotconf >> $tempfile
    fi
    
    #
    # now append our stuff
    #
    
    echo "$snibanner"  >> $tempfile
    echo "#"                                                                                        >> $tempfile
    echo "#          WARNING : Locate all your custom settings above this section."                 >> $tempfile
    echo "#                    This section runs until the end of the file and it is overwritten"   >> $tempfile
    echo "#                    each time an update of the server's SSL certificates is performed"   >> $tempfile
    echo "#"                                                                                        >> $tempfile
    cat dovecot.conf   >> $tempfile
    mv $tempfile $dovecotconf && systemctl restart dovecot
    
     