SSL + Webmin Login + Mail Servers.

#1 Sun, 07/03/2011 - 07:32
alexp999


I currently have an SSL cert set up for Webmin, which works fine if you go to the FQDN of the server on port 10000.

However, Webmin lets me access from any of my hosted domains on port 10000. So I then get a certificate error as it is the wrong domain for the cert.

Is there any way to redirect all requests on port 10000 to a single domain?

Also, what do you do about SSL certs and dovecot/postfix etc.? Surely they will have the same problem, as they listen on each unique domain, instead of being set up to listen only on the FQDN of the server.

Users shouldn't have to have a wildcard SSL cert for every domain; surely we can have all mail routed through the FQDN of the server? And all webmin/usermin logins the same?

Unless I'm missing something here.

Any help greatly appreciated.

EDIT:

And can't you only have one SSL cert for dovecot, one for postfix, one for usermin and one for webmin anyway? So surely all the services should go through a single hostname.

From what I can see, every domain can access email by going to mail.domain.tld, which will cause SSL cert errors. :S

Sun, 07/03/2011 - 09:19
andreychek

However, Webmin lets me access from any of my hosted domains on port 10000. So I then get a certificate error as it is the wrong domain for the cert.

Yeah, most services that run SSL will allow you to access them using a hostname other than the one it's set up for in the SSL cert. The key is to not do that :-)

What I'd recommend is to have your clients access Virtualmin using this URL:

http://admin.domain.tld

And that will redirect to your server's FQDN on port 10000.

Same with webmail:

http://webmail.domain.tld

That will redirect to your server's FQDN on port 20000.

We'd suggest making sure this is all documented in the email that your users receive when they get an account. It typically is, but you can review what specifically it says in System Settings -> Server Templates -> Default -> Mail for Domain.

-Eric
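The reason the customer-domain URLs warn and the FQDN URL does not is plain certificate hostname matching: the cert names exactly one host, and a browser or mail client compares the name it connected to against that. The following Python is an added example (not code from the thread, from Webmin or from Virtualmin) that implements the usual label-by-label matching, including the single-label wildcard rule, and lists which port-10000 URLs would produce a warning. The hostnames `server.example.net`, `customer.example.org` and `admin.customer.example.org` are constructed for the example.

```python
from typing import List

# Constructed names for the example (not from the thread): the server's own
# FQDN, which is what the Webmin/Usermin/Dovecot/Postfix certificate is issued
# for, and a few hosted customer domains that also answer on port 10000.
SERVER_FQDN = "server.example.net"
HOSTED_DOMAINS = ["customer.example.org", "admin.customer.example.org"]
WEBMIN_PORT = 10000


def _valid_pattern(labels: List[str]) -> bool:
    """Accept a certificate name only if any wildcard is the whole leftmost
    label and at least two labels follow it ('*.example.org', not '*.org')."""
    if any("*" in label for label in labels[1:]):
        return False
    if "*" in labels[0] and labels[0] != "*":
        return False  # partial wildcards such as 'mail*' are not honoured here
    if labels[0] == "*" and len(labels) < 3:
        return False
    return True


def hostname_matches_cert(hostname: str, cert_names: List[str]) -> bool:
    """Return True when hostname is covered by one of the certificate's names.

    Comparison is case-insensitive and label by label; a wildcard matches
    exactly one label, so '*.example.org' covers 'mail.example.org' but
    neither 'example.org' nor 'a.b.example.org'.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if not _valid_pattern(pat_labels) or len(pat_labels) != len(host_labels):
            continue
        if all(p == "*" or p == h for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def mismatched_urls(cert_names: List[str], hostnames: List[str], port: int) -> List[str]:
    """List the https://host:port URLs that would trigger a certificate warning."""
    return [
        f"https://{host}:{port}"
        for host in hostnames
        if not hostname_matches_cert(host, cert_names)
    ]


if __name__ == "__main__":
    cert = [SERVER_FQDN]  # the single name the Webmin certificate was issued for
    for url in mismatched_urls(cert, [SERVER_FQDN] + HOSTED_DOMAINS, WEBMIN_PORT):
        print(f"warning expected: {url} (cert is only valid for {SERVER_FQDN})")
```

Running it shows that only the FQDN URL passes; every hosted domain on port 10000 fails the match, which is exactly why the redirect to the server's FQDN (and pointing mail clients at the FQDN) removes the errors without needing a certificate per domain.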

Sun, 07/03/2011 - 09:32
alexp999

Ok thanks.

The only other question.

What about providing POP/IMAP/SMTP access? At the moment the defaults seem to tell users to point to mail.domain.tld.

But that again will cause cert errors if it is an SSL connection. Or can any account check email through the server's FQDN?

So I could tell new users to point email clients at the server's FQDN.

Sun, 07/03/2011 - 09:32
andreychek

Howdy,

So I could tell new users to point email clients at the server's FQDN.

Yup!

Any account can access POP/IMAP/SMTP using the server's FQDN.

So as you said, what you may want to do is change the email template to have them use that FQDN, rather than using "mail.domain.tld".

-Eric

Sun, 07/03/2011 - 09:33 (Reply to #4)
alexp999

Thanks,

I tried what you said about admin.domain.tld and it just redirects to domain.tld:10000, and not the server's FQDN :(

Sun, 07/03/2011 - 09:37
andreychek

Hrm, the default may not be what I thought.

You may have to go into System Settings -> Server Templates -> Default -> Apache website, and set up the redirects there to point to your desired URL.

That only changes new domains, not existing ones.

To apply that change to existing domains, you'd first need to remove the redirect feature by running this command as root:

virtualmin modify-web --all-domains --no-webmail

And then re-enable it:

virtualmin modify-web --all-domains --webmail

Sun, 07/03/2011 - 09:46
alexp999

Ah perfect, yes, I've just found it in that section under "URL for webmail redirect" and "URL for admin redirect", so I can change that to the FQDN.

One quick thing, slightly unrelated. I know it's possible to only allow access to certain users, based on IP (or in my case dyndns). But can you do this on a per-login basis?

Obviously I need webmin and usermin to be publicly accessible for people to use. But I don't want root login available to anyone.

For example, with my VPS provider, I have it set to block access to logging into my account from any IP which is not whitelisted, and send me an email, so if it is me, I can whitelist it.

Does Virtualmin/Webmin support anything like this? Or maybe dyndns per account? Or even a whitelist I could SSH in to edit, as I have CSF firewall set to allow access on certain ports to only my IP.

But obviously root login, and admin login for users, is on the same 10000 port.

Sun, 07/03/2011 - 09:56
andreychek

I know it's possible to only allow access to certain users, based on IP (or in my case dyndns). But can you do this on a per-login basis?

I believe what you're looking for is in Webmin -> Webmin -> Webmin Users -> root -> Security and limits options. There, you can set "IP access control" to only allow root logins from certain IP addresses.

Be careful, as that makes it really easy to accidentally block root logins :-)

-Eric
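The lockout Eric warns about is easy to guard against before saving the rule: evaluate the proposed allow-list against the address you are administering from right now, and refuse to apply it if that address would be excluded. The Python below is an added example (not Webmin's own "IP access control" code, whose storage format the thread does not describe) that parses a list of IPs and CIDR ranges, tests an address against it, and flags catch-all entries. The allow-list entries and the client addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed allow-list (not from the thread): a home address, an office
# range and an IPv6 prefix. A dynamic-DNS name would have to be resolved to
# an address at the moment the rule is written, which is exactly why it can
# silently stop matching later when the address changes.
EXAMPLE_ALLOWLIST = [
    "203.0.113.10",        # single IPv4 address, treated as /32
    "198.51.100.0/24",     # office range
    "# comments and blank lines are ignored",
    "2001:db8::/32",       # IPv6 prefix
]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Turn 'IP' and 'IP/prefix' strings into network objects; blank lines and
    '#' comments are skipped, and a bare address becomes a one-host network."""
    networks = []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def ip_allowed(ip: str, networks: List[Network]) -> bool:
    """True if the address falls inside any allowed network (v4 and v6 never mix)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def lockout_check(current_ip: str, entries: Iterable[str]) -> Dict[str, object]:
    """Evaluate a proposed allow-list before saving it.

    Reports whether the address you are connected from right now would still
    be allowed, and flags catch-all entries (prefix length 0) that would admit
    everyone and so defeat the restriction entirely.
    """
    networks = parse_allowlist(entries)
    catch_all = [str(n) for n in networks if n.prefixlen == 0]
    return {
        "current_ip_allowed": ip_allowed(current_ip, networks),
        "catch_all_entries": catch_all,
        "networks": [str(n) for n in networks],
    }


if __name__ == "__main__":
    # Constructed client address that is deliberately outside the list.
    result = lockout_check("192.0.2.5", EXAMPLE_ALLOWLIST)
    if not result["current_ip_allowed"]:
        print("refusing to apply: your current address is not in the allow-list")
    for entry in result["catch_all_entries"]:
        print(f"warning: {entry} allows every address")
```

Run the check with the address you see in your current Webmin session before applying the restriction; if it reports the address as not allowed, fix the list first rather than finding out after the rule is saved.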

Sun, 07/03/2011 - 10:06
alexp999

Just what I was looking for thank you.

Where does webmin store that setting if I need to go in the back door and unlock myself?

Also, how do you go about customizing the DNS entry of "mail.domain.tld" which is set as an A and MX record?

I have looked everywhere I can think of.

Thanks

Sun, 07/03/2011 - 10:27
andreychek

Howdy,

Where does webmin store that setting if I need to go in the back door and unlock myself?

I'm not sure which file it's stored in -- but it would be within /etc/webmin. So if you run into problems, just search the files and directories under /etc/webmin for the IP address you had added. You could then remove that IP, and restart Webmin, to remove that restriction.

Also, how do you go about customizing the DNS entry of "mail.domain.tld" which is set as an A and MX record?

You can add/modify/delete DNS for a Virtual Server in Server Configuration -> DNS Records.

If you have additional questions, you may want to start a new forum thread, that'll help keep me from getting too confused :-)

Have a good one!

-Eric
