Setup SSL (Let's Encrypt) on mail client with customer subdomain

  • Hi everybody,

    I use the Let's Encrypt plugin for customer SSL certs.
    I want to offer mail with an SSL connection for every customer who has activated the Let's Encrypt cert. Normally every domain has a subdomain (i.e. for mx configured.

    For example:

    So if I set up such a mail account on my local mail client, I get a certificate error, which says that the connection may be insecure.
    For IMAP and SMTP server we would like to use and not the host.
    I'm not sure how to do that. I've tried to create a domain alias & subdomain with a certificate but nothing works.

    Is it possible to do it like I want, or do I have to use the host name?

    My Infos:

  • No, it's not possible by default because the SSL certificate used by the SMTP and IMAP/POP servers doesn't have these subdomains as alternative subject names, and because the SMTP server (Postfix) doesn't make it possible to use one SSL certificate per virtual domain (SNI). This is by design. Normally, your customers should access the SMTP and IMAP/POP servers using the name that is present in the SSL certificate, that is, the server hostname (FQHN). The mail.<domain.tld> (and some other) records which are added to the DNS zone files are kept for historical reasons and will maybe be removed in the near future. Those are pretty useless according to the explanation given above, at least for secure connections.

    If you really want to make your customers able to access the SMTP and IMAP/POP servers using the mail.<domain.tld> subdomains, you need to add them to the i-MSCP services SSL certificate. If you use the i-MSCP LetsEncrypt plugin, you can do that at the Let's Encrypt administrator level (you need to enable Let's Encrypt for the services (FTP, SMTP, IMAP/POP) and add all mail.<domain.tld> subdomains as subject alternative names of the SSL certificate). Bear in mind that you can add up to 100 alternative subject names to a Let's Encrypt SSL certificate. Also, don't forget that there is an SSL certificate issuance limit per week when using the Let's Encrypt authority.

    See also the accepted answer in the following link for the details about why it's not possible AS THIS:…ains-with-postfix-and-ssl

    Note that i-MSCP doesn't support (nor do we plan to support) multiple Postfix instances. It would be tedious to have one Postfix instance for each domain in the context of a shared hosting environment where several services (FTP, HTTP, SMTP, IMAP/POP...) are involved, and where often, the same IP address is assigned to several customers.
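
The check described in the answer above, as an added example that is not part of the thread and is not i-MSCP or plugin code: given the names in the services certificate, it reports which mail.<domain.tld> names clients can connect to without a certificate error and whether adding the missing ones stays within the 100-name limit the answer mentions. The hostnames and function names are constructed, the certificate dict uses the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the wildcard handling goes slightly beyond the thread.

```python
MAX_SANS = 100  # per-certificate name limit stated in the answer above

def san_dns_names(cert):
    """Return DNS names from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower().rstrip(".")
            for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(hostname, pattern):
    """Match a hostname against one SAN entry; '*' only as the whole first label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard covers exactly one label, never more
    if pat[0] == "*":
        # Refuse '*.tld'; otherwise compare everything right of the wildcard.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def audit(cert, customer_domains, prefix="mail"):
    """Split the wanted mail.<domain> names into covered and missing ones."""
    sans = san_dns_names(cert)
    wanted = [f"{prefix}.{d.lower().rstrip('.')}" for d in customer_domains]
    covered = [h for h in wanted if any(name_matches(h, s) for s in sans)]
    missing = [h for h in wanted if h not in covered]
    total = len(sans) + len(set(missing))  # names on the cert once fixed
    return {"covered": covered, "missing": missing,
            "names_after_fix": total, "fits_one_cert": total <= MAX_SANS}

# Constructed sample data (not taken from the thread).
SAMPLE_CERT = {"subjectAltName": (("DNS", "srv01.hosting.example"),
                                  ("DNS", "mail.customer-a.example"))}
SAMPLE_DOMAINS = ["customer-a.example", "customer-b.example",
                  "Customer-C.example."]

if __name__ == "__main__":
    report = audit(SAMPLE_CERT, SAMPLE_DOMAINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

To audit a live server, pass the dict from `getpeercert()` after a verified TLS or STARTTLS handshake in place of `SAMPLE_CERT`.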