One certif. for multiple email domains?

Hi,
I successfully configured my Ubuntu 18.04 server for a common certificate for multiple web domains configured for apache2. Nice job from Letsencrypt!
On the same computer, I run an email server (postfix/dovecot) with again these multiple domains with matching names to serve, using postfixadmin to manage these virtual domains.
I would like to use a certificate (or several?) to secure these services (imap and pop in secured mode). Shall I use the same certificates that were created for the web services? I am confused as the common certificate was configured for e.g. mydomain.net and www.mydomain.net, and not explicitly for mail.mydomain.net. Or shall I force the use of these additional domain names at the command line? (I presently use certbot --apache, which gracefully proposes the list of domains found in the sites-enabled directory.)
Thanks for any clue.
Robert

1 Like

The certificate used in the mail services needs to include the hostname(s) which are used by the client. I.e., if the user types imap.example.com in their e-mail client for the IMAP server, you'll need to include imap.example.com in the certificate's hostnames. The same goes for SMTP.

That, however, is of course a choice you can make. The other option would be to let the users just type example.com in their e-mail client. However, I personally wouldn't do that, so I also wouldn't suggest that.

I would suggest using a separate certificate for your e-mail services. I think it should be possible to use the apache authentication plugin by entering the domain names manually on the command line. I just got myself a brand new certificate (sorry Let's Encrypt, forgot staging...) for a test domain by typing:

certbot certonly -a apache -d test.example.com

Even though there is no virtualhost for that hostname in my Apache configuration, by only using the apache authenticator in combination with certonly, it did verify my hostname. So this should be possible too:

certbot certonly -a apache -d imap.example.com -d smtp.example.com

Of course you'd need to install the certificate manually in Postfix and Dovecot.

5 Likes
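Assuming the two-name certificate from the reply above was issued with imap.example.com as the first -d (so the lineage lives in /etc/letsencrypt/live/imap.example.com), here is an added deploy-hook script, not from the post or from the certbot project, that checks a renewed certificate still covers both mail hostnames before reloading Postfix and Dovecot. The hook path, lineage name, hostnames and config lines in the comments are assumptions.

```shell
#!/bin/sh
# Hypothetical certbot deploy hook: /etc/letsencrypt/renewal-hooks/deploy/mail-reload.sh
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/imap.example.com) when a
# lineage renews. Postfix and Dovecot read the files from that lineage but only pick up
# a new certificate after a reload. Assumed config pointing at the lineage:
#   Postfix main.cf:      smtpd_tls_cert_file = /etc/letsencrypt/live/imap.example.com/fullchain.pem
#                         smtpd_tls_key_file  = /etc/letsencrypt/live/imap.example.com/privkey.pem
#   Dovecot 10-ssl.conf:  ssl_cert = </etc/letsencrypt/live/imap.example.com/fullchain.pem
#                         ssl_key  = </etc/letsencrypt/live/imap.example.com/privkey.pem
set -eu

MAIL_LINEAGE="imap.example.com"                  # assumed: first -d name given to certbot
MAIL_HOSTS="imap.example.com smtp.example.com"   # names users type into their mail clients

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 if every hostname in $2.. is in certificate $1; otherwise list the
# missing names on stderr and return 1 (catches a lineage that lost a -d name).
cert_covers() {
    cert="$1"; shift
    names=$(cert_dns_names "$cert")
    missing=""
    for h in "$@"; do
        echo "$names" | grep -qx "$h" || missing="$missing $h"
    done
    [ -z "$missing" ] || { echo "certificate $cert lacks:$missing" >&2; return 1; }
}

# React only to the mail lineage: a renewing web lineage must not touch the mail daemons.
if [ "${RENEWED_LINEAGE:-}" != "" ]; then
    if [ "$(basename "$RENEWED_LINEAGE")" = "$MAIL_LINEAGE" ]; then
        cert_covers "$RENEWED_LINEAGE/fullchain.pem" $MAIL_HOSTS   # set -e aborts before reload on failure
        systemctl reload postfix dovecot
    fi
fi
```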
