Joe has posted that VM allows certs for each domain with a dedicated IP. I’m having some trouble finding where exactly to add those certs. Probably it is right in front of me, nut I’ve spent an hour looking for it and searching the forums with no luck.
I’d like to be able to add a new cert for domain foo.com so that postfix, and dovecot, and proftpd, etc all use the cert for foo.com. I’ve figured out how to do this for the shared IP by editing each server.
You can set most of those by logging into Virtualmin, clicking Webmin, then going into the Servers section.
There’s a fairly good writeup about setting a lot of those up here:
And of course, just yell if you have any trouble
I may have misunderstood Joe’s posts on this subject. When he says “Webmin can serve other certs on other IPs…” does he mean literally only webmin can serve different certs, and the mail,pop,ftp etc server is stuck with only 1 cert no matter how many IPs the machine has?
I understand how to set up 1 cert (and chain) to make a basic install work. But if one of my users want to actually use their virtual server name to access dovecot via POP3s they have to use the generic server name for their email server else they get a nasty cert error.
host.xyz.net : IP 220.127.116.11
host name of server that hosts many virtual servers
foo.com : IP 18.104.22.168
virtual server hosted on host.xyz.net
hosts.xyz.net has a cert keyed to its FQDM. If a user wants to access https://www.foo.net then they are offered the cert that belongs to host.xyz.net, and get the resulting errors and crying that various bowsers make when the cert name does not match the web site. Most users cannot handle this.
I would like to be able to add a second cert to the system so that a user connecting to pop3s.foo.net, or https://www.foo.net, or smtps.foo.net is offered a cert whose name matches foo.net.
It looks like under the current system, there is no way to host multiple virtual domains in a "secure" mode unless they all have the same cert. Or they use hosts.xyz.net to access mail for foo.net.
Again, I can set it up manually for 1 cert that covers all virtual domains sharing the same IP. Can I support mutiple virtual domains with different IPS and their own certs for their various servers?
Yeah, I’m not sure that’s going to work real well for you. It sounds like, perhaps by design, that the only way to accomplish that would be to run multiple instances of the daemons in question.
That came up recently on the Dovecot mailing list:
There’s also some info regarding this on the Postfix list:
It sounds like it’s non-ideal at best
I may have misunderstood Joe's posts on this subject. When he says "Webmin can serve other certs on other IPs..." does he mean literally only webmin can serve different certs, and the mail,pop,ftp etc server is stuck with only 1 cert no matter how many IPs the machine has?
Yes, I literally meant only Webmin. Apache, of course, also will happily serve additional certificates.
Postfix, Dovecot, and ProFTPd won’t do it without going to extreme lengths (like running a process per IP with independent configuration files).
I’d recommend you use a single hostname for those protocols.
You could use stunnel.
This will also allows you to provide SSL on services that don’t have SSL support. (telnet to switch or ups, samba, windows events -> syslog, etc.)
Thanks for the responses.
So it looks like we cannot host email for virtual domains securely (POP3S, SMTPS) unless we force the customer to use our host name for their mailserver.
As an ISP, I can live with that. Just make all of my clients use the same FQDM for a mailserver regardless of what domain I host their account on. But for the handfull of virtual domains I host for others, this puts me at a slight disadvantage. If I host the email for a small ISP down the road, then their customers would have to put my FQDM in as their mailserver to keep it secure. The small ISP would not like that, and would probably host through godaddy instead.
I used to use stunnel to turn pop3 into pop3s. Don’t remember it being happy with multiple certs either. Running a separate instance of each server for each IP is a little to involved. I suppose a virtual server environment with a a different virtual machine running for each virtual domain would work. But I’d need much bigger servers to pull that off.
Joe, you got any plans to work out a solution to host multiple secure email domains or is the virtual server the way to go?
Well, I’m just thinking out loud here for a moment, I haven’t tested any of this, but perhaps it’ll give you some ideas to tinker with
What if you were to run an stunnel instance for each additional cert you want to have – one stunnel instance per IP address of course.
And then forward stunnel to the plaintext POP or IMAP and whatnot.
I don’t recall stunnel being particularly resource hungry, and it definitely beats running multiple instances of Dovecot.
Would that do the trick?
As I previously stated you can use stunnel, actually this can be done many ways; Stunnel, multidomain certs, apache or other web server’s mod_rewrite, load balancing redirector, wildcard domain certs and I’m sure a few other ways.
Apache has supported multiple HTTPS domains under a single IP for quite awhile.
The restriction is only one cert per ip, it has nothing to do with the number of domains. You therefore must create a multi-domain cert. A single cert can hold many domains, I’ve never hit the limit or had an issue with multi domain certs.
Here’s a few links to examples and howto’s.
An example for ISPconfig:
An example for multi domain certs:
An example for mod_rewrite:
An few examples for wildcard certs:
If you use stunnel you don’t have to use multiple instances for multiple domains. Again, there are more than a few ways to achieve multiple domains on a single IP.
Thanks for the ideas. I may play with stunnel again if I have time to roll my own solution. I was hoping someone could put together a control panel like utility that handles virtual domains and security that I could just pay for. <grin>
The wildcard and multiple names certs just won’t work for us. If Bob’s ISP asked me to secure their site, I’d have to re-purchase a $300+ cert to add their name. Little expensive for a $10/ month domain hosting. It would be cheaper just to buy a small PC and host their domain on a dedicated piece of hardware, plus there’s the minor vanity issue of it not really being their cert. Bob’s ISP may not want their cert to be shared with Sally’s adult entertainment emporium.
I’d just like to have a cert for Bob’s ISP on a unique IP address hosted on my server along with other certs for other domains on other IP addresses on the same server.
I’ll wait, or experiment with stunnel, or try a virtual machine solution… thanks…