Mail Client and Certificates

  • @web4you


    Do they all have to use the same entry as incoming and outgoing server?

    Yes. Right now, your clients have to use the same FQDN in their mail client(s). See below for the reasons.


    I would like to have the customer's domain name, like imap.<customer.domain> and smtp.<customer.domain>. Will this also work with the next LetsEncrypt version?


    No. To make this work as you want, we should add, for each customer domain, the following SANs (Subject Alternative Names) to the SSL certificate:

    • imap.<domain.tld>
    • smtp.<domain.tld>
    • pop.<domain.tld>

    For instance, if you have 40 domains, we should add 120 SANs in the SSL certificate. This is not viable for many reasons:

    • The LetsEncrypt SSL certificates are limited to 100 SANs.
    • Each time a new domain is added, the SSL certificate would have to be expanded (this would pose problems with the 'Per Registered Domain' LetsEncrypt rate limit).
    • Each time a domain is deleted, the SSL certificate would have to be shrunk (this would pose problems with the 'Per Registered Domain' LetsEncrypt rate limit).

    Another solution would be to use one SSL certificate per registered domain containing the imap, smtp and pop SANs, but this means one IP per domain (Postfix doesn't support SNI). That solution is hard to implement and not viable for big hosting companies. Most of the time, customers share the same IP. I doubt that if you have 400 domains, you'll have one IP for each of them...


    Note: In the near future, we will add imap, pop, smtp and ftp SANs to the SSL certificate, but not for all domains. They will be added only for the server domain, according to Planned changes regarding DNS managements.


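The constraint described in the answer above, as an added example that is not part of the original post or of i-MSCP: it checks which server names entered in a mail client validate against the certificate the mail services present, and how many SANs per-customer names would need. The function names and the `customer.example` names are assumptions made up for illustration; the server hostname and the 100-SAN limit come from this thread.

```python
# Added example (not i-MSCP code): which mail-client server names will
# validate against the certificate the mail services present?
SAN_LIMIT = 100  # Let's Encrypt per-certificate SAN limit cited in the post
SERVICE_PREFIXES = ("imap", "smtp", "pop")

def name_matches(hostname, san):
    """RFC 6125-style match: exact, or '*' as the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # A wildcard covers exactly one label and never a bare TLD suffix
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, sans):
    return any(name_matches(hostname, s) for s in sans)

def audit_clients(client_hosts, sans):
    """Return the client-configured names that would raise a mismatch warning."""
    return [h for h in client_hosts if not cert_covers(h, sans)]

def sans_needed(domains, prefixes=SERVICE_PREFIXES):
    """All per-customer service names one shared certificate would have to carry."""
    return [f"{p}.{d}" for d in domains for p in prefixes]

def fits_one_cert(domains, limit=SAN_LIMIT):
    return len(sans_needed(domains)) <= limit

# Constructed sample data: service certificate issued for the server hostname only
SERVICE_CERT_SANS = ["web4you-server-02.web4you-gmbh.ch"]
CLIENT_SETTINGS = [
    "web4you-server-02.web4you-gmbh.ch",  # server FQDN: validates
    "imap.customer.example",              # per-customer name: mismatch
    "smtp.customer.example",              # per-customer name: mismatch
]

if __name__ == "__main__":
    print("mismatch:", audit_clients(CLIENT_SETTINGS, SERVICE_CERT_SANS))
    domains = [f"customer{i}.example" for i in range(40)]  # constructed
    print("names:", len(sans_needed(domains)), "fits:", fits_one_cert(domains))
```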

  • Hm - ok. So I think the easiest way to work is to tell all customers to change the incoming and outgoing server. Now if I'd like to change this from web4you-server-02.web4you-gmbh.ch to web4you-gmbh.ch, how do I change this the best way, so that I will also get the right certs for it? Or should I better wait for 1.4.0?

    I-MSCP 1.5.3 - Debian 9 Stretch

  • @web4you


    Now if I'd like to change this from web4you-server-02.web4you-gmbh.ch to web4you-gmbh.ch


    web4you-gmbh.ch is a domain name, not a hostname. A hostname would be something like mail.web4you-gmbh.ch. There is no way atm to add another SAN. This will be fixed soon.


  • Ok - after a while I have now installed the latest i-MSCP (1.3.8) and LetsEncrypt (2.0.1).


    There must be something in my brain I don't understand, or there is something not installed correctly.


    1. Thunderbird - all certs are made for web4you-server-02.web4you-gmbh.ch, see attachment Nr. 1.


    2. Firefox - this cert is made for web4you-gmbh.ch, see attachment Nr. 2.


    3. My postconf looks like attachment Nr. 3.


    tnx

  • The letsencrypt CA is not recognized by thunderbird. At least not in my setup.
    Install the CA as a trusted CA in your clients and then everything will work...

  • The letsencrypt CA is not recognized by thunderbird. At least not in my setup.
    Install the CA as a trusted CA in your clients and then everything will work...

    This is not the answer I need and not really true. When I use web4you-server-02.web4you-gmbh.ch as imap and smtp in-/output server, Thunderbird works correctly. Read the whole thread.


  • I've read the whole thread, and as I can see you still continue to use web4you-gmbh.ch as the CN for your certificate (in https at least).
    As you were told, at present LetsEncrypt DOES NOT SUPPORT WILDCARD CERTIFICATES. A wildcard certificate is the one you need in order to use your domain name as CN, so it should be something like *.web4you-gmbh.ch.


    So now to summarize:
    Does LetsEncrypt work correctly in your Thunderbird setup? In your customer's setup?
    Does LetsEncrypt work correctly in your Firefox/IE/Edge/Chrome/Opera setup? And in your customer's setup?
    Is the LetsEncrypt CA present in your list of Trusted Certification Authorities?
    What is the problem now that you changed your CN, now that you upgraded i-MSCP and the LetsEncrypt plugin?

  • @web4you



    This is not the answer I need and not really true.


    Please, calm down. Someone is trying to help you. You cannot answer in such a way.





    As I can see, your BASE_SERVER_VHOST is still set to web4you-gmbh.ch. This explains why the CN that you see in Firefox is web4you-gmbh.ch. Don't forget that the SSL certificate for the services and the SSL certificate for the control panel are not the same. To summarize, I see nothing wrong here.


    Result of the following command please:

    Code
    # cat /etc/imscp/imscp.conf | grep 'SERVER_HOSTNAME\|BASE_SERVER_VHOST'


  • @web4you



    Code
    # cat /etc/imscp/imscp.conf | grep 'SERVER_HOSTNAME\|BASE_SERVER_VHOST'


    root@web4you-server-02:/home/juerg# cat /etc/imscp/imscp.conf | grep 'SERVER_HOSTNAME\|BASE_SERVER_VHOST'
    SERVER_HOSTNAME = web4you-server-02.web4you-gmbh.ch
    BASE_SERVER_VHOST = admin.web4you-server-02.web4you-gmbh.ch
    BASE_SERVER_VHOST_PREFIX = https://
    BASE_SERVER_VHOST_HTTP_PORT = 8080
    BASE_SERVER_VHOST_HTTPS_PORT = 4443
    root@web4you-server-02:/home/juerg#


  • Ok now - only one simple question - am I the ONLY one with this problem here? I can't believe it, sorry.
