Several mail domains on one server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
webologix.com

I ran this command:
I host several mail domains and try to encrypt them all with the server’s FQDN ks307144.kimsufi.com
So I generated a certbot certificate for that FQDN and use the FQDN as the mail server in my MTA imap configurations.
I’ve tested an email xxx@webologix.com through https://www.checktls.com/TestReceiver and tried to read mails from different MTA

It produced this output:

Cert Hostname DOES NOT VERIFY (mail.webologix.com != ks307144.kimsufi.com DNS:ks307144.kimsufi.com)
So email is encrypted but the host is not verified

I succeeded in getting mail with Thunderbird on a Kubuntu 19.10 laptop, where I can bypass the certificate check, but on the mobile Android client I get “the server doesn’t support TLS.”

My web server is (include version):
Debian GNU/Linux 9 (stretch)

The operating system my web server runs on is (include version):
Kubuntu 19.10

My hosting provider, if applicable, is:
OVH

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Used ISPCONFIG but not anymore

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Are mail servers automatically deduced as mail.domain.tld?
In that case, is there no way to use a certificate with the server’s FQDN?
How can I solve that?

I remember that in past years I used a global certificate including all domains and subdomains. But that is heavy and means remaking the certificate each time a new domain is created.
What solution do you recommend?

Thanks

1 Like

You can get a certificate for multiple domains (without including every domain).

certbot [your options] -d mail.webologix.com -d ks307144.kimsufi.com
1 Like

I don’t understand how that would work. I use Postfix / Dovecot mail servers, which both use the same certificate /etc/postfix/smtpd.cert. If I use the above generated certificate there, the webologix domain MTA will work OK but the other domains won’t, as for instance the example.com domain would look for the mail.example.com name, which is not part of the certificate.

Hi @kmc

You have to create one certificate with all required domain names.

So each time I host a new mail domain on that server I will have to relaunch the complete mail certbot command with all domains?
Is there no way to make it work with only the server’s FQDN, with the MTA just giving that FQDN as the imap and smtp mail server?

Maybe; I don’t use Postfix/Dovecot. Check the documentation to see whether it is possible to create something like vHosts in mail servers with different certificates.

If this is possible, create one such vHost per domain name and one certificate with that domain name.

I finally added the mail.webologix.com to the mail server certificate using that command:

certbot --webroot -w /var/www/html certonly -d mail.webologix.com -d ks307144.kimsufi.com

Now the mail addresses on that domain pass the https://www.checktls.com/TestReceiver test and I can get mail with the Android MTA.

Now, wanting to expand the certificate with a second domain this way:

certbot --webroot -w /var/www/html certonly -d mail.webologix.com -d mail.mon-voyage-a-cuba.com -d ks307144.kimsufi.com
certbot --webroot -w /var/www/html certonly -d mail.webologix.com  -w /var/www/html certonly -d mail.mon-voyage-a-cuba.com -d ks307144.kimsufi.com

I get the error in both cases:

…Invalid response from http://mail.mon-voyage-a-cuba.com/fr/.well-known/acme-challenge

There is an answer with /fr/. I don’t think that will work.

This looks less like a LetsEncrypt issue and more like a Server Administration concern.

In the past, SMTP, IMAP/POP and mail clients didn’t really care about matching valid certificates. I don’t think any have really bothered to check until about 3 years ago. It’s certainly a pain that they are now starting to care, especially since they don’t necessarily have support for quickly switching certs. (Exim was extendable with scripting, not sure about Postfix.)

IMHO, I think the easiest thing to do would be running all mail on a single server, e.g. every domain in your system lists mail.example.com as its MX record for SMTP/IMAP/POP. Then you just worry about having a single domain/certificate for mail services.

The caveat with this is that:

  • clients need to be updated to the single domain
  • the credentials would need to use the full email address if they don’t already (e.g. localpart@domain.tld )

It would be much easier to maintain in the long run though.

1 Like

I think you don’t really need to have the blabla.kimsufi name in your certificate, actually.

You need to check if dovecot/postfix can use multiple certificates (and in this case you can use one certificate for each name) or you need to use one certificate with all the names you need in them.

It looks like you can’t have one certificate per name in postfix: https://serverfault.com/questions/928926/postfix-multi-domains-and-multi-certs-on-one-ip (you can have five certificates but the intended use is for different cert algorithms)

But you can have one certificate per name in Dovecot: https://wiki.dovecot.org/SSL/DovecotConfiguration#With_client_TLS_SNI_.28Server_Name_Indication.29_support

Do you mean I define mail.webologix.com as the MX for all domains in my DNS server, and then all domains should use that domain as the mail server for imap, smtp and pop?

I tried that. I get:

Cert Hostname DOES NOT VERIFY (mail.mon-voyage-a-cuba.com != mail.webologix.com DNS:ks307144.kimsufi.com DNS:mail.webologix.com)
So email is encrypted but the host is not verified

If the MX record points to “mail.webologix.com”, SMTP servers should not connect to mail.mon-voyage-a-cuba.com.

If the pop/imap clients are configured to use “mail.webologix.com”, no one should ever be using “mail.mon-voyage-a-cuba.com” or any of the other domains. Everything should be going through the mail.webologix.com domain.
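The two checktls lines quoted in this thread are hostname checks against the certificate's Subject Alternative Name list: the first certificate only carried DNS:ks307144.kimsufi.com, so mail.webologix.com did not verify; after the multi-name certificate was issued, mail.webologix.com verified but mail.mon-voyage-a-cuba.com still did not, because it was never added. The following is an added example, not code from the thread, from checktls or from Certbot: it parses the DNS: entries out of such an output line and applies the usual SAN matching rules (case-insensitive exact match, or a wildcard that stands for exactly one left-most label), so you can see which names a given certificate would satisfy before reconfiguring clients. The function names and the two sample lines are constructed for this example.

```python
"""Check whether a certificate's SAN dNSName list covers a mail hostname.

Added example (not from the original thread). The matching rules follow
RFC 6125 section 6.4.3: names compare case-insensitively, a trailing dot
is ignored, and a wildcard may only replace the whole left-most label.
"""
import re

# Constructed inputs mirroring the two checktls results quoted in the thread.
FIRST_RUN = "mail.webologix.com != ks307144.kimsufi.com DNS:ks307144.kimsufi.com"
SECOND_RUN = ("mail.mon-voyage-a-cuba.com != mail.webologix.com "
              "DNS:ks307144.kimsufi.com DNS:mail.webologix.com")


def parse_san_names(output_line: str) -> list[str]:
    """Extract the DNS:<name> entries from a checktls-style output line."""
    return re.findall(r"DNS:([A-Za-z0-9.*-]+)", output_line)


def hostname_matches(hostname: str, san_names) -> bool:
    """Return True if any SAN dNSName covers `hostname`."""
    host = hostname.rstrip(".").lower()
    for san in san_names:
        pattern = san.rstrip(".").lower()
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[2:]
            # Refuse overly broad wildcards such as "*.com".
            if "." not in suffix:
                continue
            # The wildcard covers exactly one label: "*.example.com" matches
            # "mail.example.com" but neither "a.b.example.com" nor "example.com".
            if host.endswith("." + suffix):
                left = host[: -len(suffix) - 1]
                if left and "." not in left:
                    return True
    return False


def verify(hostname: str, output_line: str) -> str:
    """Reproduce the checktls verdict for `hostname` against the SANs in
    `output_line`."""
    names = parse_san_names(output_line)
    return "VERIFIES" if hostname_matches(hostname, names) else "DOES NOT VERIFY"


if __name__ == "__main__":
    for host, line in [("mail.webologix.com", FIRST_RUN),
                       ("mail.webologix.com", SECOND_RUN),
                       ("mail.mon-voyage-a-cuba.com", SECOND_RUN)]:
        print(f"{host}: {verify(host, line)}  SANs={parse_san_names(line)}")
```

Running it prints one verdict per line; the only way mail.mon-voyage-a-cuba.com passes is to add that name to the certificate (the `-d` list in the certbot command above) or, as the later replies suggest, to stop clients and MX records from pointing at that name at all.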

I forgot to modify the CDN. Everything is OK now.

Thanks a lot everybody for your help