Hello,
I already set up an SSL certificate for my main server.
Now it is possible to use that server for smtp/pop3/imap with SSL; everything is fine.
Is it possible for a customer to add SSL for his own domain? I know that
www is possible and it is working, but I am interested in postfix SSL too, so he
has his own smtp/pop3/imap domain SSL.
postfix ssl different domains
- sanitariu
- Closed
- Thread is marked as Resolved.
-
-
Hello ;
This is not possible with i-MSCP out of the box. It is possible by changing the configuration (postfix...) manually, but this requires assigning one IP per domain.
BTW: Google is your friend.
-
-
Thanks, I know the manual ways.
1. combined ssl which is expensive
2. separate ip and manual postfix
I hope someday to see option 2 in i-MSCP.
-
I think I noticed a small bug which is related to a separate SSL IP.
When we assign a different IP to some domain, our name server still keeps the main IP for hosts
like mail, imap, pop, pop3, which is wrong I think.
We assign a different IP, not the same one; it means all services must listen on the new one.
I expect pinging mail.mydomain.com to return the newly assigned IP.
There are some files we must touch for this to work:
bind config, dovecot/courier, master.conf
-
This is not a bug in the current implementation.
-
It is possible, but I cannot understand the idea of having a different IP if my mail server still points to
the main one, and the worst thing is that I cannot normally change the IP of the host mail.domain.com.
The IP is useful only for web, but the most useful would be a different mail server IP on a shared platform.
It can save some domains from spam and other good stuff, and allow different SSL client certificates per domain.
I already did that, but manually, and I do not like it.
-
Well, current mail implementation doesn't involve one IP per domain. Therefore, a single IP is used for the mailhost and so on. This explains why in the dns zone file, the smtp, pop and imap records, all point to the same IP.
You can easily change that by editing the /etc/imscp/bind/parts/db.tpl template
For instance:
Code:
$TTL 3H
$ORIGIN {DOMAIN_NAME}.
@ IN SOA ns1.{DOMAIN_NAME}. hostmaster.{DOMAIN_NAME}. (
    {TIMESTAMP}; Serial
    3H; Refresh
    1H; Retry
    2W; Expire
    1H; Minimum TTL
)
; dmn NS entry BEGIN
@ IN NS ns{NS_NUMBER}
; dmn NS entry ENDING
@ IN {IP_TYPE} {DOMAIN_IP}
; dmn NS A entry BEGIN
ns{NS_NUMBER} IN {NS_IP_TYPE} {NS_IP}
; dmn NS A entry ENDING
www IN CNAME @
ftp IN {IP_TYPE} {DOMAIN_IP}
; dmn MAIL entry BEGIN
@ IN MX 10 mail
@ IN TXT "v=spf1 a mx ~all"
mail IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
imap IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
pop IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
pop3 IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
relay IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
smtp IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
; dmn MAIL entry ENDING
; sub [{SUBDOMAIN_NAME}] entry BEGIN
; sub [{SUBDOMAIN_NAME}] entry ENDING
$ORIGIN {DOMAIN_NAME}.
; custom DNS entries BEGIN
; custom DNS entries ENDING
; ctm als entries BEGIN
; ctm als entries ENDING
Should be something like:
Code:
$TTL 3H
$ORIGIN {DOMAIN_NAME}.
@ IN SOA ns1.{DOMAIN_NAME}. hostmaster.{DOMAIN_NAME}. (
    {TIMESTAMP}; Serial
    3H; Refresh
    1H; Retry
    2W; Expire
    1H; Minimum TTL
)
; dmn NS entry BEGIN
@ IN NS ns{NS_NUMBER}
; dmn NS entry ENDING
@ IN {IP_TYPE} {DOMAIN_IP}
; dmn NS A entry BEGIN
ns{NS_NUMBER} IN {NS_IP_TYPE} {NS_IP}
; dmn NS A entry ENDING
www IN CNAME @
ftp IN {IP_TYPE} {DOMAIN_IP}
; dmn MAIL entry BEGIN
@ IN MX 10 mail
@ IN TXT "v=spf1 a mx ~all"
mail IN {IP_TYPE} {DOMAIN_IP}
imap IN {IP_TYPE} {DOMAIN_IP}
pop IN {IP_TYPE} {DOMAIN_IP}
pop3 IN {IP_TYPE} {DOMAIN_IP}
relay IN {IP_TYPE} {DOMAIN_IP}
smtp IN {IP_TYPE} {DOMAIN_IP}
; dmn MAIL entry ENDING
; sub [{SUBDOMAIN_NAME}] entry BEGIN
; sub [{SUBDOMAIN_NAME}] entry ENDING
$ORIGIN {DOMAIN_NAME}.
; custom DNS entries BEGIN
; custom DNS entries ENDING
; ctm als entries BEGIN
; ctm als entries ENDING
Then, once the changes are done, you could just run the setup script to regenerate configuration files (including DNS zone files):
Be aware that changes made in that template would be overridden on the next i-MSCP update. Thus, I would recommend that you code a listener instead of editing the template directly.
Thanks for your help !
My goal was actually to have a different IP for mail SSL access via outlook/thunder or other.
We will have a certificate host mismatch error and we cannot use the pop3/imap mail.mydomain.com server name.
Using my main one was not an option.
So for all this to work, apart from the DNS fixes, we need to fix dovecot.conf, something like:

after
------
protocol imap {
  mail_plugins = $mail_plugins imap_quota
}
protocol pop3 {
  pop3_uidl_format = %u-%v
}

we add
---------
local my_other_ip {
  protocol imap {
    ssl_cert = </etc/ssl/domain/domain.crt
    ssl_key = </etc/ssl/domain/domain.key.nopass
  }
  protocol pop3 {
    ssl_cert = </etc/ssl/domain/domain.crt
    ssl_key = </etc/ssl/domain/domain.key.nopass
  }
}

Also in master.cf we add something like:

my_new_ip:smtp inet n - - - - smtpd
  -o smtp_helo_name=mail.domain.com
  -o smtpd_banner=mail.domain.com
my_new_ip:smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/ssl/domain/domain.key.nopass
  -o smtpd_tls_cert_file=/etc/ssl/domain/domain.crt
  -o smtpd_tls_CAfile=/etc/ssl/domain/intermediate.ca
  -o smtp_helo_name=mail.domain.com
  -o smtpd_banner=mail.domain.com
my_new_ip:submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/ssl/domain/domain.key.nopass
  -o smtpd_tls_cert_file=/etc/ssl/domain/domain.crt
  -o smtpd_tls_CAfile=/etc/ssl/domain/intermediate.ca
  -o smtp_helo_name=mail.domain.com
  -o smtpd_banner=mail.domain.com

Of course you will have to get a cert for domain.com.
-
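A consistency check for the per-domain mail certificate setup discussed in this thread, as an added example that is not part of any post and is not i-MSCP code: it reads a rendered zone and a master.cf fragment and reports mail host names that do not resolve to the domain's IP, and Postfix services bound to that IP without their own certificate. The addresses, sample inputs and function names are assumptions constructed for illustration.

```python
import re

MAIL_HOSTS = {"mail", "imap", "pop", "pop3", "smtp", "relay"}
# Constructed sample inputs (documentation addresses, not from the thread).
ZONE = """\
mail  IN A 203.0.113.20
imap  IN A 203.0.113.20
pop3  IN A 192.0.2.10   ; still the base server IP
"""
MASTER_CF = """\
smtp inet n - - - - smtpd
203.0.113.20:smtps inet n - - - - smtpd
  -o smtpd_tls_cert_file=/etc/ssl/domain/domain.crt
203.0.113.20:submission inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
"""

def mail_records(zone):
    """Return {host: ip} for the A/AAAA records of the mail host names."""
    out = {}
    for line in zone.splitlines():
        f = line.split(";")[0].split()
        if len(f) == 4 and f[0] in MAIL_HOSTS and f[1] == "IN" and f[2] in ("A", "AAAA"):
            out[f[0]] = f[3]
    return out

def tls_services(master_cf):
    """Return {(ip, service): cert path or None} for IP-bound master.cf entries."""
    services, current = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # a new logical line starts a service
            ip, sep, svc = line.split()[0].rpartition(":")
            current = (ip.strip("[]"), svc) if sep else None
            if current:
                services[current] = None
        elif current and (m := re.match(r"\s+-o\s+smtpd_tls_cert_file=(\S+)", line)):
            services[current] = m.group(1)   # indented "-o name=value" override
    return services

def audit(zone, master_cf, domain_ip):
    """Findings that leave a client facing the wrong certificate for its host name."""
    dns = [f"{h} resolves to {ip}, not {domain_ip}"
           for h, ip in sorted(mail_records(zone).items()) if ip != domain_ip]
    tls = [f"{ip}:{svc} has no smtpd_tls_cert_file override"
           for (ip, svc), cert in sorted(tls_services(master_cf).items())
           if ip == domain_ip and cert is None]
    return dns + tls
```

Run `audit()` against the generated zone file and the live master.cf after each i-MSCP reconfiguration, since a regenerated template can silently point the mail hosts back at the base server IP.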