SMTP TLS certificate for multiple domains

borja · 2015-12-30 16:46:47 UTC

Hello,

I have a server with 8 virtual hosts. The 8 domains have their letsencrypt certificate and work very well :), also, i managed to use the same certificates in dovecot server for imap/pop ssl connections. No problems.

But, i want to use the certificate also for smtp ssl connection because mail clients are asking users to accept self-signed certificate always on the first message they send on every session.

I created a certificate for myserver.com url and assigned to postfix smtp server but mail clients keep asking to accept cert because cert is authorizing other name. I think has to be the same certificates of virtual hosts and not my server url, but postfix does not allow SNI, so, how can i do this?

Thanks.

autoit4you · 2015-12-30 17:17:37 UTC

Create one certificate which contains all DNS names Subject Alternative Names.
If you use the official client you can specify that with several -d domain.tld flags.

borja · 2015-12-30 17:31:21 UTC

I think this will not work because i have to put the domains and subdomains of every virtual host that has differents public folders. So, only one of this domains can be checked. Is this right?
Thanks.

Fsantiago1979 · 2015-12-30 17:57:30 UTC

What’s your mta? shouldn’t all of your virtual email domains only be using one domain name (the email server itself) anyway? Make a new cert that only covers your email server’s fqdn. Same should be true for your imap / pop.

borja · 2015-12-30 18:17:38 UTC

Im running postfix and dovecot. And yes, if i use my server’s fqdn of smtp address everything is fine. But this, forces my users to use this address for their domain email account. So, they have to use mail.domainexample.com for imap address and myserver.com for smtp address or myserver.com for both.
For Imap / pop is not the same because dovecot supports SNI, so i have one certificate per domain.

Thanks.

Fsantiago1979 · 2015-12-30 18:31:21 UTC

Ok got it. I also use postfix with dovecot but all of my virtual domains use the servers fqdn to connect to. So my cert only has the one host.

So you already have the web hosts setup and have their certs so validation is already working for everything. So why can’t you use a San cert for email? I’m missing something I think…?

borja · 2015-12-30 18:44:59 UTC

I think i cant because if i try to create a cert with -d myserver.com -d domainvirtualhost1 -d domainvirtualhost2 the folder .well-known will only be created in one location (and this domains point to same ip but different locations). So only one of this names can be checked. But, im not sure if its another way of do this.

Fsantiago1979 · 2015-12-30 20:56:14 UTC

Can you not define the well known location on all your virtual hosts and point them all to the same single webroot physical location?

Osiris · 2015-12-30 21:31:57 UTC

If you use the --webroot authenticator, you can issue multiple --webroot-path switches, for example, one per -d switch:

letsencrypt certony --webroot --webroot-path /var/www/vhosts/example.com -d example.com --webroot-path /var/www/vhosts/domainvirtualhost1 -d domainvirtualhost1 --webroot-path /var/www/vhosts/domainvirtualhost2 -d domainvirtualhost2

Would that help?

borja · 2015-12-31 09:51:03 UTC

Yes! I think with this i can create a certificate for all my domains to be used in postfix. Im gonna test this soon and post here the results. Thank you!

fauno · 2016-01-06 18:15:07 UTC

you can request a certificate for all your domains using letscrypt command -d domain1 -d domain2 ...

nicocolt · 2016-01-07 07:45:11 UTC

Hello,

Have you tried the @Osiris solution ? Does it works ?

Let us know,
Best regards,
Nico

borja · 2016-01-27 18:43:09 UTC

Sorry to everyone for the delay. I can’t try until now. Yes!, its working well. i’m testing right now but everything seems to be ok.

Thank you!

htyluf · 2017-02-26 01:21:54 UTC

This works, for sure, for a while.

I found that when the certs renewed (via cron job) that all the email clients freaked out. In the worst case, fixing the iOS clients required deleting the account from the iOS device and re-adding it back.

Clients like Thunderbird and Apple Mail were more forgiving, just requiring a pat on the head.

Anyone have a solution for this? @borja, did you run into this?

Osiris · 2017-02-26 01:45:18 UTC

Any more info about that? Errors? Logs?

Because if well configured, a renewal shouldn’t make any difference. Although I also know the GMail app for Android also has (or maybe had currently…) this problem… Sounds like a bug to me.

htyluf · 2017-02-26 18:28:46 UTC

Two errors from iOS.

Cannot Verify Server Identity
Cannot Send Mail: The connection to the outgoing server failed. Additional Outgoing Mail servers can be configured in [yadda].

Don’t have the mail or secure logs anymore, this was about a month ago. We’ll see if it comes around again next time the certs renew, around the end of March.