What domain names do I need to set up multiple virtual domains (mail server)

Hi there, I’m new here but I started using let’s encrypt for my websites since the beginning (2014 or so). Now I need to set up a big server for web hosting and mail server.

I’m a little confused as to what domain names (subdomains) I need to use for each case. I mean, I’m using postfix to send mail (configured to use opendkim) and dovecot to access mail, so I’m not sure how many certificates I need: one for the FQDN maybe, and another for each virtual domain?

So my set up is:

I have many domains and I choose one to be the one that represents the server, and I use mail.maindomain.com to be the FQDN, is that correct? Should I use another one? What is the standard here?

I also have seconddomain.com, thirddomain.com, etc…

What subdomains do I need to make this work? mail, imap, smtp (won’t use pop3). So those 3 subdomains need a certificate so that mail clients won’t complain about a self-signed certificate? One for each domain or a single certificate?

Each domain has its own MX record:

So how does this work exactly? What certificate (with how many domains / subdomains) does postfix need? The same for opendkim? For dovecot I read I can use one certificate per domain, is this necessary or the certificate that postfix uses will suffice for dovecot?

Thanks in advance!

Hi Chazy,

This is a pretty complicated topic, and it depends a lot on which versions of Postfix and Dovecot you’re using, and how much effort you’re prepared to go to. You’re making a lot of work for yourself by using a separate mail subdomain for every domain. By FAR your easiest option is going to be to choose one master record such as mail.example.com, and configure all your domains to use that. For the MX record it doesn’t matter too much, SMTP encryption is always opportunistic so you won’t notice any problems if the certificate name doesn’t match the DNS name. What is important is that you configure Dovecot and your Postfix submission port to use a certificate that matches the DNS name you advertise to your users.

OpenDKIM isn’t relevant here, it’s not related to TLS certificates.

Hi Kitserve, and thanks for answering.

Right, I forgot opendkim encrypts the mail, not the connection.

I'm using Arch Linux so everything should be the latest version. I don't mind putting in a lot of effort as long as I learn, so next time things are easier. I use a separate subdomain because each domain is a separate company and that way it looks like they're not connected. With that said, I might go the easy way (the one you just suggested), but I'd like to know what it would take to do it with separate mail subdomains.

You mean the config options:

(dovecot) ssl_cert / ssl_key
(postfix) smtp(d)_tls_cert_file / smtp(d)_tls_key_file

Should I post the configs here or in a pastebin?

Does each domain have its own IP address? This is a hugely important question.

If each domain has a separate IP address, then it should be possible to achieve what you want. It will be tedious but I’m pretty sure that Postfix 2.7+ supports it and Dovecot has done for a while. The “Different certificates per IP and protocol” section on https://wiki.dovecot.org/SSL/DovecotConfiguration should help you with Dovecot. Try https://unix.stackexchange.com/questions/170905/postfix-virtual-domain-on-specific-ip-address for Postfix.

If you’ve only got one IP address, then you’re going to have to stick to using one domain only. Setting up multiple TLS certificates on one IP address requires SNI, which is well supported in web browsers these days but much less so in mail clients.

To answer your earlier question, the same Let’s Encrypt key/cert files can be used in your webserver, Postfix and Dovecot.

We just use one of our domains to provide secure access to mail, and get all of our clients to use that. None of them care that other clients access things on the same domain - obviously all the accounts are completely separate - and outside people would only realise that multiple clients are using our services if they checked the MX records and mail headers. As you can imagine, that pretty much never happens, and I can’t see it being an issue even then. For example, many different organisations have their MX records set up to use Office 365 or G Suite and nobody thinks anything of it.

No, they all point to the same IP. The thing is, in the future, some domain may need its own IP and server.

So I have to create a single certificate for all domains? What subdomains would I need to add for mail? The webroot path can be the same, right?

Sorry, for some reason I didn’t see your reply before. If you only have one IP address, you can only reliably use one host/domain name for IMAP. Many email clients will not work if you have multiple different certificates served from the same IP address.

It’s not necessary to add subdomains for mail. Many people do, e.g. mail.example.com, imap.example.com, smtp.example.com, but that’s just a convention. You should set an MX record but it can belong to a different domain, e.g. the MX record for example.com could be mail.example.net. In order for clients to be able to send email securely without getting a warning message, both Postfix and Dovecot (if those are what you’re using) should only have one domain pointing to their IP address, and both should use a certificate corresponding to that domain. So you could host example.com, example.net and example.org all on the same server, but all of them should use the same address (e.g. mail.example.com) for client access.

If and when you change the sites to use separate IP addresses, you can change the settings. If they’re all still on the same server it may be easier to leave them as they are.

The webroot path can be the same for multiple domains, assuming that you’ve used an Apache ServerAlias or equivalent so that the .well-known authentication folder is accessible on all of them.

Hope that helps.

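Putting the advice above into configuration, as an added example that is not from any poster in this thread: one hostname (mail.example.com) is advertised to every hosted domain's users, Postfix and Dovecot read the same Let's Encrypt files, and the other domains' MX records point at that host. Domain names, paths and the IP address are placeholders.

```conf
# ---- /etc/postfix/main.cf (fragment) ----
# The single hostname every hosted domain advertises for client access.
myhostname = mail.example.com
# Same Let's Encrypt files the web server uses; placeholder paths.
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mail.example.com/privkey.pem
# Inbound server-to-server SMTP (port 25) stays opportunistic, as noted
# above: a certificate-name mismatch there does not break delivery.
smtpd_tls_security_level = may
# Outbound to other MTAs: offer TLS opportunistically too.
smtp_tls_security_level = may
# Record in Received: headers whether TLS was used (handy for auditing).
smtpd_tls_received_header = yes

# ---- /etc/postfix/master.cf (fragment) ----
# Submission port for mail clients: TLS is mandatory here because this is
# where clients verify that the certificate matches mail.example.com.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

# ---- /etc/dovecot/conf.d/10-ssl.conf (fragment) ----
# Dovecot reads the same two files; the leading "<" means "read from file".
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem

# ---- DNS for each hosted domain (zone-file syntax, example.net shown) ----
# Inbound mail for example.net is delivered to the shared host; its users
# configure mail.example.com as both their IMAP and SMTP server.
# example.net.        IN MX 10 mail.example.com.
# mail.example.com.   IN A     203.0.113.10
```

Both daemons only re-read the certificate files on reload, so pass certbot a deploy hook such as `--deploy-hook "systemctl reload postfix dovecot"` so that renewed certificates are actually picked up.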

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.