Mail Client und Zertifikate

@web4you

Quote from web4you

Do they have all to use the same entry as incomming and outgoing server?

Yes. Right now, your clients have to use the same FQDN in their mail client(s). See below for the reasons.

Quote from web4you

I like to have the customers domain name like imap.<customer.domain> and smtp.<customer.domain>. Will this also work with the next LetsEncrypt version?

No. To make this working as you want, this means that we should add for each customer domain, the following SANs (Subject Alternative Names) in the SSL certificate:

• imap.<domain.tld>
• smtp.<domain.tld>
• pop.<domain.tld>

For instance, if you have 40 domains, we should add 120 SANs in the SSL certificate. This is not viable for many reasons:

• The LetsEncrypt SSL certificates are limited up to 100 SANs.
• Each time a new domain would be added, the SSL certificate should be expanded (This would pose problems with the 'Per Registered Domain 'LetsEncrypt rate limit)
• Each time a domain would be deleted, the SSL certificate should be shrinked (This would pose problems with the 'Per Registered Domain' LetsEncrypt rate limit)

Another solution would be to use one SSL certificate per registered domain containing the imap, smtp and pop SANs but this means one IP per domain (Postfix doesn't support SNI). That solution is hard to implement and not viable for big hosting compagnies. Most of time, customers share the same IP. I doubt that if you have 400 domains, you'll have one IP for each of them...

Note: In near future, we will add imap, pop, smtp and ftp SANs in the SSL certificate but not for all domains. They will be added only for the server domain according Planned changes regarding DNS managements

See also

• https://letsencrypt.org/docs/rate-limits/
• https://lxadm.com/Postfix_and_multiple_SSL_certificates

@web4you

Quote from web4you

Now if i like to change this from web4you-server-02.web4you-gmbh.ch to web4you-gmbh.ch

web4you-gmbh.ch is a domain name, not an hostname. An hostname would be something like mail.web4you-gmbh.ch. There is no way atm to add another SAN. This will be fixed soon.

The letsencrypt CA is not recognized by thunderbird. At least not in my setup.
Install the CA as a trusted CA in your clients and then everything will work...

I've read the whole thread, and as I can see you still continue to use web4you-gmbh.ch as the CN for your certificate (in https at least).
As it was told you, at present LetsEncrypt DOES NOT SUPPORT WILDCARD CERTIFICATES. A wildcard certificate is the one you need in order to use your domain name as CN, so it should be something like *.web4you-gmbh.ch

So now to resume:
Does LetsEncrypt work correctly in your Thunderbird setup ? In your customer's setup ?
Does LetsEncrypt work correctly in your FireFox/IE/Edge/Chrome/Opera setup ? And in your customer's setup ?
Is the LetsEncrypt CA present in your list of Trusted Certification Authorities ?
Which is the problem now that you changed your CN, now that you upgraded i-MSCP and LetsEncrypt Plugin ?

@web4you

Quote from web4you

This is not the answer i need and not realy true.

Please, calm down. Someone try to help you. You cannot answer in such a way.

[hr]

As I can see, your BASE_SERVER_VHOST is still set with web4you-gmbh.ch. This explain why the CN that you see in Firefox is web4you-gmbh.ch. Don't forget that the SSL certificate for the services and the SSL certificate for the control panel are not the same. To resume, I see nothing wrong here.

Result of the following command please: