Hi all, I'm having a bit of a problem setting up SMTP for mail. My cert (LetsEncrypt) is issued for main.tld and mail.main.tld. Now this works fine for main.tld mail but my other domains, e.g. other.tld, are unencrypted! I attempted to issue a cert for other.tld & mail.other.tld and copy it over to Postfix and Dovecot, and it overwrote the original, making it only encrypted for other.tld mail, so I reverted back to the main.tld cert and copied that over to fix the issue. This error occurs upon adding a mail account on Thunderbird, here's a picture:
Note I made one small change in the Autoconfig file, and that is setting the socket to SSL, as it was unencrypted by default even after installing the certificate. Autoconfig -> Thunderbird: set the <socketType> to $SMTP_SSL.
Do I have to change the MX manually for each domain to mail.main.tld? Will the autoconfig (Thunderbird, Outlook) pick that up automatically?
What's the best approach for this? I want all my mail to be encrypted for all domains and the autoconfig to reflect that.
Thanks
Hi, you know for a fact you can use https of mail.maindomain.com for any other domain? Also, https does not give you any encryption of email; it's just transfer. For pure encryption you should use gpg.
Configuring/troubleshooting Debian servers is always great fun
Sorry, I was referring to transfer encryption (SMTPS). Yes, I am aware now. I was able to change the default mail server under System Settings => Server Templates => Bind DNS => Hostname for MX record and set that to mail.maindomain.com; however, I still needed to change the Mail AutoConfig files (Outlook & Thunderbird) from $stmp/imap_host to imap.maindomain.com & smtp.maindomain.com, otherwise the mail.domain.tld is used.
mail.domain.com on both for imap and smtp, or IN and OUT, should work, and there should not be imap.domain.com nor smtp.domain.com.
Configuring/troubleshooting Debian servers is always great fun
As far as I know that's not possible out of the box in Virtualmin. I'm only using a single domain and have a separate cert for that.
Dovecot supports SNI but Postfix does not. But SNI only helps you if you connect the client directly over the SSL ports 995,993,465.
What can you do? Use something like acme.sh and build a cert with a subjAltName from all your domains. You have to somehow hook this into domain creation / deletion and you basically have a limit of 100 aliases - if you have mail.domain, pop3.domain, smtp.domain and so on, you're down to far less.
I'd say go for mail.. and use that for all domains. If you need per domain certificates use a single one with subjAltname and go for mail.. to have up to 100 domains.
Well, I got it working with SNI. I set up my master domain (main.tld) with normal Let's Encrypt and then in Server Configuration -> Website Options set the Website Matches all subdomain to yes. This allowed me to now add mail.main.tld and imap.main.tld, smtp.main.tld as SNI's and then copy over to Postfix and Dovecot. I connect true SSL for imap and starttls for smtp and it seems like it's working? Now for other domains the MX is 5 mail.main.tld, and when getting/sending mail, the autoconfig has imap.main.tld, smtp.mail.tld, on the other domain and allows smtps email. This is how other mail servers I have used before work, even Google Mail.
Yes it works, but is there any way to make sure it's correct? And correct for the VirtualMin configuration too?
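Added example (not part of any post in this thread, and not Virtualmin's own code): one way to check the setup discussed above is to confirm that every hostname a mail client is handed (MX target, autoconfig IMAP/SMTP hosts) is covered by the certificate's subjAltName entries, then attempt a verified handshake per service. The function names and the sample lists are assumptions built from the placeholder names used in the thread.

```python
import smtplib, socket, ssl

def san_matches(pattern, hostname):
    """True if one SAN dNSName covers hostname; '*' counts only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False            # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered(hostnames, san_names):
    """Hostnames for which a client would report a certificate name mismatch."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in san_names)]

def live_check(host, port):
    """Verified handshake with SNI. 465/993/995 are implicit TLS, any other port
    is treated as SMTP with STARTTLS. False on any failure, unreachable included."""
    ctx = ssl.create_default_context()   # checks the chain and the hostname
    try:
        if port in (465, 993, 995):
            with socket.create_connection((host, port), timeout=10) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return True
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return True
    except OSError:                      # covers ssl.SSLError and smtplib errors
        return False

# Constructed sample data using the thread's placeholder names.
CERT_SANS = ["main.tld", "mail.main.tld"]            # cert from the first post
PER_DOMAIN_NAMES = ["mail.main.tld", "mail.other.tld"]  # each domain uses its own host
SHARED_NAMES = ["mail.main.tld"]                     # MX and autoconfig point at one host

if __name__ == "__main__":
    print("per-domain hostnames not covered:", uncovered(PER_DOMAIN_NAMES, CERT_SANS))
    print("shared hostname not covered:", uncovered(SHARED_NAMES, CERT_SANS))
    # Against a real server, replace the placeholder host before running, e.g.:
    # for port in (993, 465, 587): print(port, live_check("mail.main.tld", port))
```

A hostname that passes `uncovered` but fails `live_check` points at the service still serving an older certificate file rather than at the certificate contents.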