Misunderstanding "copy to xxx" SSL certs

Say I have 3 virtual domains, example1.com, example2.com and example3.com. All have “mail.” prefix entries set up correctly in DNS and all point to the same IP.

I am finding that with my email client, K-9 (Android), the sending test fails but I suspect it’s because of what I am doing when I set them up. The error message is always that the wrong cert is returned.

Steps:
example1.com - Servers | Server configuration | SSL Certificate | Let’s Encrypt | Generate (OK)
Service Certificates tab | Copy to Dovecot (Why?)
Service Certificates tab | Copy to Postfix (Why?)

Now repeat exactly for example2.com, and then test sending with example1.com. Error message is that example2.com’s cert is returned, which doesn’t match example1.com so fails.

Repeat for example3.com, then try sending with example2.com. Message is now that example3.com’s cert is returned, which again fails.

So, all domains seem to use the last one set up when copy to Dovecot/Postfix is used. I am doing this because I thought it was per domain, but it’s behaving as if it supersedes the local settings and clobbers it system-wide.

If my understanding is wrong, can someone explain exactly what this is for and how I can undo it so it works please? Thanks.

No.

“Copy to” is for the default or only certificate for the service in question, depending on whether it supports SNI or not. You haven’t told us your OS and version, so I can’t know whether you have versions of Dovecot and Postfix that support SNI.

But, you only click “Copy to” one time. It doesn’t make sense to click it for every domain.

I understand this UI is confusing. It is being refactored; I’m surprised it’s still like this, I thought @Ilia and Jamie had re-designed it ages ago, but I see 6.16 is still using this terminology. Here’s the ticket where this is being discussed: Copy to... for certs still confuses people a lot. · Issue #247 · virtualmin/virtualmin-gpl · GitHub

Hey thanks for your help.
Ubuntu Linux 18.04.5

I now know it wasn’t just me being confused and not to do the copy thing again! But, how can I undo it all once I’ve copied it?

What’s to undo? Just copy the cert for the domain you want to be the default, and then leave it alone.

I think 18.04 has Dovecot with SNI, but I don’t think Postfix has SNI. So, you’ll need to choose one domain to be your mail domain, and use it exclusively for client mail connections. Since it’s a mixed situation, I’d recommend you not bother using the SNI features in Dovecot, since it would be more confusing to your users to have incoming use one server name and outgoing use a different one. So, do it the old way…just pick a “main” domain to use for mail.

I’m a real newbie; you can explain like I’m 5, I won’t mind.
With my example1 etc. domains, which are all set up, what exactly do I do please? And thanks again.
The mail domain will be mail.example1.com, mail.example2.com, mail.example3.com for both incoming and outgoing mail.

Update
When I look at the Current SSL Certificate panel for the domain, it is using the right one, i.e. the cert and key have the paths /home/example1.com/ssl.cert and ssl.key. The date shows it expires on Aug 1, so it’s definitely the one Let’s Encrypt just created. But my email client still says it’s being served the one for example2.com.

:sweat_smile: LMAO

Joe beat me to the punch, but like he says, it would help to know which OS you’re using, specifically the Postfix version. Versions 3.3 or below don’t have SNI support, which is a way to get around certificate conflicts when multiple mail hosts use the same IP. I.e., if each domain had its own IP your messages would probably send without SSL errors. If IMAP is working without SSL errors it’s likely because Dovecot does support SNI.

Without SNI-enabled SMTP you can configure clients to use the same SMTP server, one that isn’t causing a conflict. Often this can be the server hostname which is how I did it before upgrading to Postfix 3.5.

When you copy certificates on Virtualmin’s SSL page, the Postfix and Dovecot configurations are updated so that they point to the respective certificate files. The problem is, without SNI Postfix uses the same certificate for every host, and that’s where clients clash with certificates, especially mobile clients. I know one Android client that offers a choice of loose or strict SSL, but K-9 is apparently strict only.

I thought the certificate copy process was automated in recent Virtualmin releases but better to hear what Virtualmin staff say about that. All I know is that I haven’t needed to use those buttons in a while.

Speaking of which, would it be possible to have an option to select which hostname the “Used by services:” picks?
For now, I see all my virtual servers chose only domain.tld, while f.ex. with Dovecot and Postfix I would rather have mail.domain.tld.
This explains why Thunderbird complained last time I set it up, just didn’t bother checking further until this thread today :slight_smile:

EDIT: just saw in the sni_map that *.domain.tld entries are also there, meaning mail.domain.tld should work fine. Never mind me then, will see why Thunderbird failed last time.

It’s Postfix 3.3.0 and the problem is also on the latest Thunderbird for Windows, 78.10.0.
Fetching mail is OK. The settings for that are SSL/TLS with a normal password on port 993.
Sending throws up the cert of the last domain I foolishly clicked the copy to Dovecot/Postfix button with, as explained. The settings there in tbird are STARTTLS, normal password, port 587.
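The thread so far relies on the mail client’s error message to say which certificate came back. A way to see that directly for every mail hostname is to connect to each one yourself, on the same ports the post above uses (587 with STARTTLS for sending, 993 for IMAP), send the hostname as SNI, and compare the certificate that is returned with the name you asked for. The script below is an added example, not code from the thread or from Virtualmin. It assumes the mail hostnames from the thread (mail.example1.com etc.); the SAMPLE_CERT_EXAMPLE2 dict at the bottom is a constructed stand-in for what Python’s ssl module returns, used only to exercise the name-matching logic offline.

```python
"""Probe which TLS certificate a mail server presents for each mail hostname.

Two probes: SMTP with STARTTLS (port 587) and IMAPS (port 993), each sending
the hostname as SNI. The chain is still validated against the system CA store,
but the hostname check is done here, so a valid Let's Encrypt certificate for
the *wrong* domain is reported as a mismatch instead of aborting the handshake.
"""
import smtplib
import socket
import ssl


def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or '*' as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard stands in for exactly one label; the remaining labels must match.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names from a getpeercert()-style dict: SAN entries first, then the CN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def cert_matches(cert, hostname):
    """True if the certificate covers hostname (DNS SANs; CN only when there are no DNS SANs)."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    candidates = sans if sans else cert_names(cert)
    return any(_name_matches(name, hostname) for name in candidates)


def _probe_context():
    # Keep chain verification, drop hostname verification: we want the
    # certificate handed back to us even when it was issued for another domain.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def served_cert_smtp(host, port=587, timeout=10.0):
    """Connect, upgrade with STARTTLS (SNI = host), return the server certificate."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=_probe_context())  # smtplib passes host as server_hostname
        return smtp.sock.getpeercert()


def served_cert_imaps(host, port=993, timeout=10.0):
    """Implicit TLS on the IMAPS port (SNI = host), return the server certificate."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _probe_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def report(hosts):
    """Probe every host on both ports; print and return {(host, probe): verdict}."""
    probes = (("smtp/587+starttls", served_cert_smtp), ("imaps/993", served_cert_imaps))
    results = {}
    for host in hosts:
        for label, probe in probes:
            try:
                cert = probe(host)
                if cert_matches(cert, host):
                    verdict = "OK"
                else:
                    verdict = "MISMATCH, served: " + ", ".join(cert_names(cert))
            except (ssl.SSLError, OSError, smtplib.SMTPException) as exc:
                verdict = "ERROR: %s" % exc
            results[(host, label)] = verdict
            print("%-25s %-20s %s" % (host, label, verdict))
    return results


# Constructed sample shaped like ssl.SSLSocket.getpeercert(); not a real certificate.
SAMPLE_CERT_EXAMPLE2 = {
    "subject": ((("commonName", "example2.com"),),),
    "subjectAltName": (
        ("DNS", "example2.com"),
        ("DNS", "mail.example2.com"),
        ("DNS", "www.example2.com"),
    ),
}


if __name__ == "__main__":
    # Hostnames from the thread; replace with your own mail hostnames.
    report(["mail.example1.com", "mail.example2.com", "mail.example3.com"])
```

Run it against all three mail hostnames: a server without SMTP SNI will report OK for the one domain whose certificate was last copied to Postfix and MISMATCH for the others, listing the names the served certificate actually carries. The IMAPS column usually comes back OK on the same box when Dovecot has SNI, which is the split the thread describes.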

That’s what “Copy to” does! Go to the domain you want to use, and click “Copy to” for the services you want to use that cert for. That’s it. Click it for the domain you want to use for those services, and then stop clicking. (You have it showing up in “Used by” because you clicked “Copy to” for that domain at some point in the past. You told it to do that.)

Again, I know the UI is dumb here. It will be better soon. But, it really is this simple: Click “Copy to Postfix/Dovecot” in the one (1) domain you want to use as the server name for mail services (if your Dovecot/Postfix don’t support SNI it can only be one, this is not a Virtualmin limitation and there is nothing we can do to make SNI work on old systems). And, then stop clicking! Use that one (1) name for all mail services in all mail clients, no matter what domain the user lives in.


I know what Copy to does, I was one of the chasers when you mentioned the feature at first and I’ve been using it successfully ever since, it’s just the UI only shows domain.tld, but in my edited post I also checked in sni_map seeing the wildcard for each domain there :wink:
Thanks!

Ah, it seems SNI only came into Postfix from version 3.4.0 onwards, right?
I really don’t want one cert for all the domains, but can see why that’s the only way otherwise.
I’ll look at upgrading and see if it all magically starts working, thanks all.

Update

The exact details you all spelt out are here: Virtualmin plans for new Postfix Version 3.4x and SNI

So, last (hopefully) newbie question: how do I get 3.4.0 when faced with this:

bill@prime:~# apt upgrade postfix
Reading package lists... Done
Building dependency tree
Reading state information... Done
postfix is already the newest version (3.3.0-1ubuntu0.3).
Calculating upgrade... Done
0 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.

You won’t.
Since Ubuntu, like Debian and CentOS, is not a rolling release, it won’t upgrade to a new major version of any software. You will need to upgrade Ubuntu, and since Ubuntu 20.04 has been out for a year it’s safe to assume most bugs are ironed out.

I was hoping you had CentOS 8 because there’s an excellent tutorial in these forums for upgrading Postfix from 3.3 to 3.5 from a third-party repository. Can’t say for Ubuntu, not anything endorsed by Virtualmin anyway.

Until you sort it out with some kind of upgrade, try as Joe suggested and copy one certificate and use that same SMTP server for all mail accounts. Another option is to issue a certificate for the server hostname and use that.

I’ve been putting off the upgrade to Ubuntu 20.04 for a while; I just saw the later Postfix is supported, so that’s what I’m doing now. Thanks all.


Please update with the results.
Even if it should be rather smooth, it’s always nice to have it confirmed so that others in the same situation won’t be afraid to try it :slight_smile:

Guys, I hate to have to come back like this, but it’s taken 3 days to do the update. I’m now on Ubuntu 20.04.02, Postfix:
bill@prime:/etc/dovecot/conf.d# apt upgrade postfix
Reading package lists… Done
Building dependency tree
Reading state information… Done
postfix is already the newest version (3.4.13-0ubuntu1).

But I have literally nothing to add to my first post: it’s still not allowing sending mail, because the last cert I did the “copy to…” for 3 days ago is the one shown in the error message for every domain apart from that one. I guess I didn’t understand the fix, or did something wrong. Any more tips please?

Whilst I’m here, what’s the preferred method for send and receive? I can choose SSL or STARTTLS for either. So far it’s been SSL to receive, STARTTLS to send. Always wondered what’s best for those.

You have made a Let’s Encrypt cert for each domain, right?
After the upgrade you should have a new tab called Service Certificates, see screenshot.

Make sure that especially Dovecot and Postfix are set to use the domain certificate instead of default cert and it should work. :slight_smile:

Thanks. It is exactly like yours except there is no entry for “Postfix IP certificate enabled”.
I just see the first 3 entries, Webmin, Usermin and Dovecot.

On the Dashboard, do you have a notification saying that a change in the OS was detected or something like that? You might need to go to System Settings → Re-check Configuration (but I’m not sure that will help as I never really remember what it’s for).
Anyway, it won’t hurt to do it and @Joe will probably tell me off again for mentioning it if I’m wrong :wink:

I rebooted the server again just to be sure, but it is reporting Ubuntu 20.4 on the dashboard with no message as you suspected.

However, under Webmin | Servers | Postfix it is still reporting 3.3.0, whereas the command line reports 3.4.0.
When I did the re-check config on one of the problem domains this message was in the list; everything else reported ready:
Postfix can support per-domain outgoing IP addresses, but is not currently configured to do so. This can be setup in the Postfix Mailserver module.