SSL Certificates

Is it correct to say that it is possible with Virtualmin to give every Virtual Server a unique SSL Certificate but that there can only be one SSL Certificate for Postfix and Dovecot and that this certificate in Postfix and Dovecot is used by every user from every domain? And that this means that every Virtual Server can have its own unique certificate for its SSL Website but that the certificate which is last copied to Postfix and Dovecot is the certificate that is going to be used by every user from every domain?

Until now I only used self-signed certificates. But my customers are complaining that in Outlook they always get the annoying messages that it is a self-signed, not trusted certificate. Is it a good / best practice to buy one trusted certificate with a 'neutral = not one of my customers' name for postfix and dovecot and use that for every virtual server?

Can someone give me some ideas for the best approach?

Thanks

Status: Active

Comments

For Apache, we normally recommend one SSL certificate per IP address, though it's possible to add more... but some older browsers don't support that.

For Postfix/Dovecot -- you can indeed only use one SSL certificate.

My suggestion is to get an SSL certificate from a commercial provider that everyone can use, perhaps based on your company name or your system's hostname, and to copy that into Postfix and Dovecot, and then have your users access your server using that name.

Doing that will prevent your users from receiving a warning when connecting to your system using Outlook.

Thanks for the clear answer!

Hi Andrey, despite your clear answer, I think I am going to face another problem. Now, I always tell my customers that their server for imap and smtp = mycustomersdomain.tld and that their username = name.mycustomersdomain.tld.

So I think it is of no use to order an SSL certificate from a commercial provider (e.g. RapidSSL) since the certificate will belong to the server rmyhostingdomain.tld

Or can I tell my customers that their server for imap and smtp = rmyhostingdomain.tld and that their username = name.mycustomersdomain.tld? And if this would work - which I doubt - what about the spamming score for the mails sent by my customers (name.mycustomersdomain.tld.)?

It is a pity my customers won't use Thunderbird where the untrusted certificate messages aren't an issue. Most of my customers want to use Outlook and I can't get it done to install the self-signed certificate so that Outlook won't complain anymore.

Which way do I have to go: solve the problem server-side with 1 commercial SSL certificate for rmyhostingdomain.tld or try to install a self-signed certificate for mycustomersdomain.tld on the computers of my customer?

Pfff, tough issue, the email stuff. Thanks in advance for helping me get the general picture.

Alain

The typical way to handle that is to have your customers connect to an address such as this one for both IMAP and SMTP:

rmyhostingdomain.tld

And then, obtain a commercial SSL cert for the domain "rmyhostingdomain.tld", and install that into Postfix and Dovecot.

It doesn't matter what the username being used is -- and that won't affect the spam score.

In addition to what Eric said, here's how I handle this.

Since I like having customers be able to use a kind of individual hostname for their email purposes (so I can move their email accounts to other servers if necessary and just adjust the IP), I have a wildcard certificate for "*.sslmail.HOSTER.de". Each customer gets a hostname in that domain, like "CUSTOMER.sslmail.HOSTER.de".

It's a bit more complicated to type, but the only reasonable solution I found for having ONE certificate, not needing to regenerate that each time a domain is added (which you'd need to do with multi-domain certs), but still allowing each customer to have their individual hostname for email connections.
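An added example, not part of the thread and not Virtualmin code: a simplified RFC 6125-style name check showing which client server settings each certificate discussed above would cover. The function names are hypothetical and the certificate name lists are constructed from the placeholder hostnames used in the thread.

```python
# Added illustration, not from the thread: simplified certificate name
# matching in the style of RFC 6125, as a mail client applies it to the
# server name the user typed into the IMAP/SMTP settings.

def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a single certificate name covers the hostname."""
    pattern = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(host) or "" in host:
        return False          # a wildcard stands for exactly one label
    if pattern[0] == "*":
        # Only a whole left-most label may be a wildcard, and it needs at
        # least two literal labels after it ("*.tld" is rejected).
        return len(pattern) >= 3 and pattern[1:] == host[1:]
    return pattern == host    # partial wildcards ("f*") never match here


def cert_covers(cert_names, hostname):
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def audit(cert_names, client_hosts):
    """Map each configured mail server name to True (no warning) or False."""
    return {h: cert_covers(cert_names, h) for h in client_hosts}


# Constructed sample data using the placeholder names from the thread.
SINGLE_NAME_CERT = ["rmyhostingdomain.tld"]
WILDCARD_CERT = ["*.sslmail.HOSTER.de"]

if __name__ == "__main__":
    print(audit(SINGLE_NAME_CERT,
                ["rmyhostingdomain.tld", "mycustomersdomain.tld"]))
    print(audit(WILDCARD_CERT,
                ["CUSTOMER.sslmail.HOSTER.de", "sslmail.HOSTER.de",
                 "mail.CUSTOMER.sslmail.HOSTER.de"]))
```

The wildcard covers exactly one label, so the bare `sslmail.HOSTER.de` and any deeper name such as `mail.CUSTOMER.sslmail.HOSTER.de` would still produce a name-mismatch warning.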

Thanks for your help! All of you.

It is too theoretical at the moment, so I am going to order a certificate and just dive in. It won't kill me and then I can learn it the trial and error way.

I have installed a certificate for a subdomain such as srvrx.mydomain.tld and it works fine. I use that certificate only for email purposes (settings for imap and smtp servers = srvrx.mydomain.tld). It solved the issue that my customers received the certificate error when using Outlook. So it works fine and saves me a lot of time explaining that this is an issue with Outlook and not with Thunderbird for example.

Except for 1 customer where Outlook keeps asking to use that certificate every time the user starts Outlook. It does not complain that it is self-signed - so it is recognized as a trusted certificate. I tried to install it manually on the client's computer but with no success.

But it is an issue for 1 customer on his Windows 8 PC and it works fine on his WinPhone. So my client knows that I have done my part of the job.

Dovecot and Postfix (standard setup Virtualmin)

I only allow imap to my customers - no pop3 (for the customer imap is better)

I am hosting about 25 domains

I bought a RapidSSL Certificate for about 20 euro, it is worth the money and easy to install.

You are welcome

Alain