A little advice. Mail only servers

garfield · May 8, 2019, 3:31pm

So some background to this before I list the information required - sorry it's quite a long one.

1 : I host all my own
2 : I operate 2 domains on a single server (Apache2 - Virtuals)
3 : I operate an Email server - again it hosts the same 2 domains - I do not and will not run a web server on this box

I have successfully sorted the web server - no issues.

I tried to copy the certs from the web server - failed

I generated a temporary web site on the mail server and generated certs for the domains - this worked fine - BUT - the e-mail clients that I use reject these certificates as not belonging to the domain - which they clearly do - the mail client is including the mail. in the comparison I think. So I tried to generate a 'server specific' and what follows is the result. Bear in mind my public DNS records are routed internally to a destination - they are not 1:1 address's - the internal network has its own 'private' network and domain to which all servers belong, this has both DHCP and DNS functional (yes another domain but we don't expose it publicly currently - number36.xyz). I am not a fan of the hosts file hacking that seems prevalent although I suspect this is because most of those using it aren't running any kind of name server.

I tried a cert with subdomains on the main site, this didn't work either, the clients seemed unable to get past the top tier domain - although mail.theplasticshed.co.uk was in the list of subdomains it was ignored.

I then tried to do a wildcard cert, this didn't work either - the email clients still bitched about it, but I'd prefer something that can be auto-renewed anyhow.

So - how do I generate a certificate (non wildcard because the email clients won't accept that either) - the clients are Thunderbird and TheBat (the latter is preferred for security reasons).

The email servers public name is mail, its internal name is mail .... it handles mail for both domains via postfix and dovecot (and a few other bits n pieces) ... well it will if I ever get things sorted (things are currently hosted in a pair of Kerio boxes but they're well past their sell by and I want to start utilising DKIM)

The error shown in Thunderbird isn't easy to show but basically the 'add security exception' pops up and states that the certificate belongs to a different site - the Server location is shown as mail.theplasticshed.co.uk:993 The certificate viewer clearly shows that the common name for issued to is theplasticshed.co.uk

mail is not a subdomain it is a device name - the web box works just fine this way -i.e. no www part, what am I missing here ?

The error that is shown by TheBat is

08/05/2019, 15:20:39: IMAP - Certificate S/N: 04B3DC9CA8625F7E57EC5D0291E567243529, algorithm: RSA (2048 bits), issued from 5/8/2019 1:10:11 PM to 8/6/2019 1:10:11 PM, for 1 host(s): theplasticshed.co.uk.
08/05/2019, 15:20:39: IMAP - Owner: theplasticshed.co.uk.
08/05/2019, 15:20:39: IMAP - Issuer: US, Let's Encrypt, Let's Encrypt Authority X3.
!08/05/2019, 15:20:39: IMAP - TLS handshake failure. The server host name ("xx.xxx.xx.232") does not match the certificate.

Well of course it doesn't because that's not a host name !!!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: theplasticshed.co.uk

I ran this command: sudo certbot certonly -d mail.theplasticshed.co.uk

It produced this output:How would you like to authenticate with the ACME CA?

1: Apache Web Server plugin (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)

Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.theplasticshed.co.uk
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 19.04

My hosting provider, if applicable, is: Me

I can login to a root shell on my machine (yes or no, or I don't know): Sure can

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

danb35 · May 8, 2019, 4:26pm

The client in question appears to be configured to connect to an IP address, which is never going to work with a trusted cert.

schoen · May 8, 2019, 4:29pm

I agree with @danb35 that the specific problem with that MUA probably isn't going to be fixed by changing the certificate, but I also wanted to point out that it looks like you're running this on your web server rather than on your mail server. If your DNS record for your mail server isn't pointed at your web server, your web server won't be able to get a certificate for your mail server this way. You would have to run Certbot directly on the mail server instead.

The reason that I think this is what you're doing here is that Certbot detected Apache installed on the system that you ran it on, but it seems that you said that the mail server doesn't run Apache at all.

garfield · May 17, 2019, 6:28pm

I finally got this working but I wasn’t asking it to connect to an IP address - that’s why it was more than a little frustrating. I will never run our mail servers on the web server - that’s just begging to become a spam bot - been there got the T shirt. Our DNS are correct - I’m moving over from a Kerio system that has been running the last 6 years so no change to DNS should be required - just got tired of being raped.

I had no choice but to spin up apache on the mail server, I’ll leave it there for renewals and just disable it when not needed. If you try this standalone it trys resolving the name as you would expect so this requires messing around with DNS - and in any event it still needs a web server of some sort.

But why should one be forced into running a website anywhere - web sites aren’t the only things that need certificates but it works so I’ll live with it.

Any how I built a virtual web for each ‘mail’ server using the mail server name. Retrieved a cert with the appropriate name (couldn’t do a combined cert it wouldn’t work - mail clients rejected it).

This may be something to do with mail client behaviour but a wildcard cert wouldn’t work, nor would any cert with multiple domains.

So I now have a fully functional mail server on a single box that’s hosting 3 domains with postfix / dovecot / Sieve / ClamAV and OpenDKIM that passes all mail client cert requirements and those of sources like Google. Yes I know it is a little all eggs in one basket but the server is ‘virtual’ and can be replaced in minutes - and then re synchronises anything it doesn’t have with clients.

danb35 · May 17, 2019, 9:23pm

You aren't; DNS validation works perfectly fine.

garfield · May 17, 2019, 9:38pm

I do find this a bit confusing. I used DNS on the web sites - no matter what I did the file I added was never found but I don’t know if this is down to Joomla or some other restriction.

Can DNS be used for auto renew once established ? - guess I need to read a little more and have a play on a ‘test’ box.

danb35 · May 17, 2019, 9:56pm

There is no file to add for DNS validation--it looks for DNS records.

Yes, if your DNS provider has an API that allows for automated updates, and your ACME client supports that API. AFAIK, the client with the best DNS support is acme.sh.

system · June 16, 2019, 9:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.