Mail Certificate smtp/imap problem

Hi folks,

I am back after a while. Everything has been working great, but I have an issue. Although the cert is working for Postfix, Dovecot and the website, the issue I have is this:

The hostname of the mail server is mail. I have 3 domains, which all work on webmail, but I have run into a problem with the mobile phone apps and some desktop clients: the hostname is mail, but when connecting to the mail server via SMTP and IMAP they use smtp.domain.co.uk as well as imap.domain.co.uk, and that goes against the cert I have.

Question is: should I add entries for smtp.domain.co.uk, smtp.domain2.co.uk and so on, and do the same for imap, or just leave it?

Thanks.

Jack.

1 Like

If you want email clients to use those hostnames in their settings and expect them to use TLS (SSL/STARTTLS), then yes, you should add those hostnames to the certificate.

Alternatively, you can instruct your users to use a different hostname in their email clients, one that is already included in the certificate. Often the different hostnames point to the same IP address anyway.

4 Likes

Hi,

Thanks for your message. What is the best way to add those to my existing certificate?

Thanks.

Jack.

1 Like

You see, I used this to create the cert for the domains. What is the best way to add the other subdomains?

certbot certonly --cert-name mailcert --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini --dns-digitalocean-propagation-seconds 60 --post-hook "service postfix reload; service dovecot reload;" -d mail.domain1.com,mail.domain2.com,etc

Thanks.

Jack.

2 Likes

Just use the same command, but with the expanded list of hostnames. Note that Certbot requires all hostnames you'd like to have included in the cert to be listed in the -d option, not just the hostnames you want to add.

3 Likes

So the original:

certbot certonly --cert-name mailcert --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini --dns-digitalocean-propagation-seconds 60 --post-hook "service postfix reload; service dovecot reload;" -d mail.domain.com,mail.domain2.com,mail.domain3.com

Extra subdomains I want to add; is this correct?

certbot certonly --cert-name mailcert --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini --dns-digitalocean-propagation-seconds 60 --post-hook "service postfix reload; service dovecot reload;" -d mail.domain.com,mail.domain2.com,mail.domain3.com,smtp.domain.com,smtp.domain2.com,smtp.domain3.com,imap.domain.com,imap.domain2.com,imap.domain3.com

Thanks.

Jack.

2 Likes

You should probably be using a --deploy-hook instead of a --post-hook so that postfix and dovecot reload after every successful renewal rather than after every attempted renewal. It is also wise to enclose the domain name list in double quotes (-d "list").

4 Likes
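The difference between the two hooks matters for a mail server: a --post-hook runs at the end of every `certbot renew`, renewed or not, while a --deploy-hook runs once per lineage that actually renewed and receives RENEWED_LINEAGE (the live directory, e.g. /etc/letsencrypt/live/mailcert) and RENEWED_DOMAINS (a space-separated list of the names on the cert) in its environment. The script below is an added example, not code from this thread or from Certbot; it reloads Postfix and Dovecot only when the lineage named mailcert is the one that renewed, so a renewal of some other certificate on the same box never bounces the mail daemons. The lineage name and the `service ... reload` commands are assumptions taken from the command posted above.

```python
#!/usr/bin/env python3
"""Certbot --deploy-hook: reload the mail daemons only for the mail cert.

Added example, not from the thread or from Certbot. Certbot exports
RENEWED_LINEAGE (path of the renewed lineage's live directory) and
RENEWED_DOMAINS (space-separated names on the cert) when it runs a
deploy hook; both are documented Certbot hook variables.
"""
from __future__ import annotations

import os
import subprocess
import sys

MAIL_LINEAGE = "mailcert"               # assumed: the --cert-name from the thread
MAIL_SERVICES = ["postfix", "dovecot"]  # assumed: daemons holding the cert in memory


def services_to_reload(lineage_path: str | None) -> list[str]:
    """Return the services to reload for the lineage Certbot just renewed.

    Returns [] when the hook fired for a different lineage (for example a
    website cert) or when RENEWED_LINEAGE is unset, i.e. the script was not
    invoked by Certbot as a deploy hook.
    """
    if not lineage_path:
        return []
    # The lineage directory name is the --cert-name, so compare the last
    # path component rather than the whole path.
    if os.path.basename(lineage_path.rstrip("/")) != MAIL_LINEAGE:
        return []
    return list(MAIL_SERVICES)


def main() -> int:
    lineage = os.environ.get("RENEWED_LINEAGE")
    domains = os.environ.get("RENEWED_DOMAINS", "")
    for svc in services_to_reload(lineage):
        # Same reload commands the thread's --post-hook used, but now only
        # after a successful renewal of the mail cert.
        subprocess.run(["service", svc, "reload"], check=True)
        print(f"reloaded {svc} after renewal of {lineage} ({domains})")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Save it somewhere like /usr/local/sbin/reload-mail.py (an assumed path), make it executable, and pass `--deploy-hook /usr/local/sbin/reload-mail.py` in place of the `--post-hook "..."` argument; Certbot records the hook in the lineage's renewal configuration so later automatic renewals use it too.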

Would it be possible to add wildcard certs for the domains instead? Or should I leave it as it is and just add the new subdomains?

1 Like

You could, but it's generally inadvisable to use wildcard certificates if you don't specifically need to do so for several reasons. Additionally, it is usually advisable to only include a domain name and any subdomain names that share the domain name's webroot directory on a single certificate. This prevents cascaded failure should one of the domain names not renew successfully and avoids webserver configuration confusion where not all domain names reside within a single server block.

3 Likes
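The two replies above (adding smtp.* and imap.* names to the cert, and why a wildcard is not the shortcut it looks like) both come down to how a TLS client matches the hostname it was configured with against the certificate's subjectAltName entries. The block below is an added example, not code from this thread; it implements the usual matching rule (case-insensitive exact match, a wildcard honoured only as the whole leftmost label and covering exactly one label) and runs it over constructed SAN lists modelled on the thread: the original mail-only cert, the expanded cert, and a wildcard for one domain. The domain names are placeholders.

```python
"""Which client-facing mail hostnames does a certificate's SAN list cover?

Added example, not code from the forum thread. SAN lists and hostnames are
constructed to mirror the thread (mail/smtp/imap for three domains);
'domain.com', 'domain2.com', 'domain3.com' are placeholders.
"""
from __future__ import annotations


def san_matches(san: str, hostname: str) -> bool:
    """Compare one DNS SAN entry against a hostname the way TLS clients do.

    - case-insensitive, exact match for plain names
    - '*' is accepted only as the entire leftmost label ('*.domain.com');
      partial wildcards such as 'mail*.domain.com' are rejected
    - the wildcard stands for exactly one label: '*.domain.com' covers
      'smtp.domain.com' but neither 'domain.com' nor 'a.b.domain.com'
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Reject anything but a whole-label leftmost wildcard, and bare '*.tld'.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    if len(host_labels) != len(san_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def covered_by(sans: list[str], hostname: str) -> bool:
    """True if any SAN entry on the cert matches this hostname."""
    return any(san_matches(s, hostname) for s in sans)


def client_hostnames(domains: list[str], prefixes=("mail", "smtp", "imap")) -> list[str]:
    """Every hostname a client might be configured with: each prefix per domain.

    This is also the complete list a single -d option would need, since
    Certbot wants all names on the cert, not only the ones being added.
    """
    return [f"{p}.{d}" for d in domains for p in prefixes]


def uncovered(sans: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames whose TLS validation would fail against this SAN list."""
    return [h for h in hostnames if not covered_by(sans, h)]


DOMAINS = ["domain.com", "domain2.com", "domain3.com"]

# Constructed: the thread's original 'mailcert', mail.* names only.
ORIGINAL_SANS = [f"mail.{d}" for d in DOMAINS]
# Constructed: the same cert after adding smtp.* and imap.* via -d.
EXPANDED_SANS = client_hostnames(DOMAINS)
# Constructed: a wildcard for just the first domain.
WILDCARD_SANS = ["*.domain.com"]

if __name__ == "__main__":
    wanted = client_hostnames(DOMAINS)
    for label, sans in (("original", ORIGINAL_SANS),
                        ("expanded", EXPANDED_SANS),
                        ("wildcard", WILDCARD_SANS)):
        missing = uncovered(sans, wanted)
        print(f"{label}: {len(missing)} of {len(wanted)} client hostnames not covered")
        for h in missing:
            print("   ", h)
```

Running it shows the original cert failing for all six smtp.* and imap.* names, the expanded cert covering everything, and `*.domain.com` covering only its own domain: a wildcard per domain would still mean three separate names (or three certs), which is the scaling point the thread makes. The matcher is also a quick way to sanity-check a new -d list against the hostnames actually typed into phone and desktop clients before reissuing.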

Okay cool, I shall just add the new subdomains then. This is what I have:

certbot certonly --cert-name mailcert --dns-digitalocean --dns-digitalocean-credentials ~/.secrets/certbot/digitalocean.ini --dns-digitalocean-propagation-seconds 60 --post-hook "service postfix reload; service dovecot reload;" -d mail.domain.com,mail.domain2.com,mail.domain3.com,smtp.domain.com,smtp.domain2.com,smtp.domain3.com,imap.domain.com,imap.domain2.com,imap.domain3.com

How does this look? You mentioned ( -d "list" ): is that for the new domains or the old ones?

Thanks.

Jack.

1 Like

Are domain.com and domain2.com aliases of the same website content? Did you miss the part about using --deploy-hook?

1 Like

Hi,

No. Domain 1 and 2 are different domains. I have 3 domains I am using on this SMTP server: one is my personal email, the other is for my business, and the 3rd domain is my parents' domain for their business.

1 Like

That path doesn't scale well.
I'd opt for a much shorter path: Use only one name for such services.
[Google does that with Gmail and millions are satisfied]

3 Likes

Hi,

Thanks for your replies. I actually sorted the problem out by using Exchange/ActiveSync, which works under mail.domain1 and so on; I will migrate all clients over to Exchange on this server. The certs I have will do the job with Exchange.

Thanks for all your replies.

Jack.

2 Likes

On my mailserver, I just use a single hostname to avoid this specific problem. It's something like mail.example.com and serves https, imap, imaps, pop3, pop3s, smtp, and smtps using one cert for all.

All those services have different default ports and don't actually need a separate fqdn each.

3 Likes

Very true.
Unique FQDNs are only required when you need them to resolve to uniquely different IPs.
One IP can be just one FQDN [it can be more - but why complicate the simple?].

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.