Misunderstanding "copy to xxx" SSL certs

I’m a real newbie, you can explain like I’m 5 I won’t mind.
With my example1 etc domains, which are all set up, what exactly do I do please? And thanks again.
The mail domains will be mail.example1.com, mail.example2.com and mail.example3.com, for both incoming and outgoing mail.

Update
When I look at the Current SSL Certificate panel for the domain, it is using the right one, i.e. the cert and key have the paths /home/example1.com/ssl.cert and ssl.key. The date shows it expires on Aug 1, so it's definitely the one Let's Encrypt just created. But my email client still says it's being served the one for example2.com.

:sweat_smile: LMAO

Joe beat me to the punch, but like he says, it would help to know which OS you're using, specifically the Postfix version. Versions 3.3 or below don't have SNI support, which is a way to get around certificate conflicts when multiple mail hosts use the same IP, i.e. if each domain had its own IP your messages would probably send without SSL errors. If IMAP is working without SSL errors it's likely because Dovecot does support SNI.

Without SNI-enabled SMTP you can configure clients to use the same SMTP server, one that isn't causing a conflict. Often this can be the server hostname, which is how I did it before upgrading to Postfix 3.5.

When you copy certificates on Virtualmin's SSL page, the Postfix and Dovecot configurations are updated so that they point to the respective certificate files. Problem is, without SNI Postfix uses the same certificate for every host, and that's where clients clash with certificates, especially mobile clients. I know one Android client that offers a choice of loose or strict SSL, but K-9 is apparently strict only.

I thought the certificate copy process was automated in recent Virtualmin releases but better to hear what Virtualmin staff say about that. All I know is that I haven’t needed to use those buttons in a while.

Speaking of which, would it be possible to have an option to select which hostname the "Used by services:" picks?
For now, I see all my virtual servers chose only domain.tld, while f.ex. with Dovecot and Postfix I would rather have mail.domain.tld.
This explains why Thunderbird complained last time I set it up; I just didn't bother checking further until this thread today :slight_smile:

EDIT: just saw in the sni_map that *.domain.tld entries are also there, meaning mail.domain.tld should work fine. Never mind me then, will see why Thunderbird failed last time.

It's Postfix 3.3.0, and the problem is also on the latest Thunderbird for Windows, 78.10.0.
Fetching mail is OK. The settings for that are SSL/TLS with a normal password on port 993.
Sending throws up the cert of the last domain I foolishly clicked the copy to dovecot/postfix button for, as explained. The settings there in tbird are STARTTLS, normal password, port 587.

That’s what “Copy to” does! Go to the domain you want to use, and click “Copy to” for the services you want to use that cert for. That’s it. Click it for the domain you want to use for those services, and then stop clicking. (You have it showing up in “Used by” because you clicked “Copy to” for that domain at some point in the past. You told it to do that.)

Again, I know the UI is dumb here. It will be better soon. But, it really is this simple: Click “Copy to Postfix/Dovecot” in the one (1) domain you want to use as the server name for mail services (if your Dovecot/Postfix don’t support SNI it can only be one, this is not a Virtualmin limitation and there is nothing we can do to make SNI work on old systems). And, then stop clicking! Use that one (1) name for all mail services in all mail clients, no matter what domain the user lives in.

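The two posts above describe the same mechanism from both sides: without SNI, Postfix can present only one certificate per listening IP, so whichever domain last had "Copy to Postfix" clicked wins for everyone; with Postfix 3.4+ and Dovecot, a per-hostname map lets each mail.domain.tld get its own certificate. The script below is an added example, not Virtualmin's own code or the thread's: it generates a Postfix `tls_server_sni_maps` source and the equivalent Dovecot `local_name` blocks from a constructed list of mail hostnames, using the `/home/<domain>/ssl.cert` and `ssl.key` paths mentioned in the thread, and includes an `openssl s_client` check that shows which certificate a server actually presents for a given SNI name. The output paths (`/etc/postfix/sni_map_manual`, `/etc/dovecot/conf.d/99-sni.conf`) are assumptions; on a Virtualmin box the SSL page's "Copy to" buttons manage the real map, so treat this as a way to understand and verify what they do rather than a replacement.

```shell
#!/bin/sh
# Added example (not Virtualmin's code): per-hostname TLS certificates for
# Postfix 3.4+ (tls_server_sni_maps) and Dovecot (local_name blocks).
# Assumes one cert per domain at /home/<domain>/ssl.cert and ssl.key, as in
# the thread. Hostnames below are constructed sample values.

MAIL_HOSTS="mail.example1.com mail.example2.com mail.example3.com"

# Hypothetical output locations (Virtualmin keeps its own sni_map elsewhere).
POSTFIX_SNI_MAP=/etc/postfix/sni_map_manual
DOVECOT_SNI_CONF=/etc/dovecot/conf.d/99-sni.conf

# mail.<domain> -> /home/<domain>, where the thread's cert and key live.
cert_dir() {
    printf '%s\n' "/home/${1#mail.}"
}

# Source lines for tls_server_sni_maps: "<sni-name> <keyfile>, <certfile>".
# Postfix requires the first PEM file in the value to hold the private key.
postfix_sni_source() {
    for h in $MAIL_HOSTS; do
        d=$(cert_dir "$h")
        printf '%s %s/ssl.key, %s/ssl.cert\n' "$h" "$d" "$d"
    done
}

# Dovecot SNI: one local_name block per hostname, each with its own files.
dovecot_sni_conf() {
    for h in $MAIL_HOSTS; do
        d=$(cert_dir "$h")
        printf 'local_name %s {\n  ssl_cert = <%s/ssl.cert\n  ssl_key = <%s/ssl.key\n}\n' "$h" "$d" "$d"
    done
}

# Install both and compile the Postfix map. "postmap -F" stores the PEM file
# contents inside the map, so this must be rerun after every cert renewal.
install_sni_config() {
    postfix_sni_source > "$POSTFIX_SNI_MAP"
    postmap -F "hash:$POSTFIX_SNI_MAP"
    postconf -e "tls_server_sni_maps = hash:$POSTFIX_SNI_MAP"
    dovecot_sni_conf > "$DOVECOT_SNI_CONF"
    postfix reload && doveadm reload
}

# Report the subject of the certificate a server presents for an SNI name.
# Submission on 587 negotiates STARTTLS (pass "smtp"); IMAPS on 993 is
# implicit TLS (pass nothing). A stale "Copy to" shows up here as the
# wrong subject before any mail client complains.
served_cert_subject() {   # usage: served_cert_subject host port [starttls-proto]
    host=$1; port=$2; proto=$3
    set -- -connect "$host:$port" -servername "$host"
    if [ -n "$proto" ]; then set -- "$@" -starttls "$proto"; fi
    printf 'QUIT\n' | openssl s_client "$@" 2>/dev/null | openssl x509 -noout -subject
}

# Preview the generated configuration without touching the system.
echo "# $POSTFIX_SNI_MAP"; postfix_sni_source
echo "# $DOVECOT_SNI_CONF"; dovecot_sni_conf
```

Run it as-is to preview the two generated files; call `install_sni_config` as root only once you have confirmed the paths, then compare `served_cert_subject mail.example1.com 587 smtp` against `served_cert_subject mail.example2.com 587 smtp`: on a pre-3.4 Postfix both return the same subject, which is exactly the symptom this thread is about.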

I know what Copy to does; I was one of the chasers when you first mentioned the feature and I've been using it successfully ever since. It's just that the UI only shows domain.tld, but in my edited post I also checked sni_map and saw the wildcard for each domain there :wink:
Thanks!

Ah, it seems SNI only came into Postfix from version 3.4.0 onwards, right?
I really don't want one cert for all the domains, but I can see why that's the only way otherwise.
I'll look at upgrading and see if it all magically starts working, thanks all.

Update

The exact details you all spelt out are here: Virtualmin plans for new Postfix Version 3.4x and SNI

So, last (hopefully) newbie question: how do I get 3.4.0 when faced with this:

bill@prime:~# apt upgrade postfix
Reading package lists... Done
Building dependency tree
Reading state information... Done
postfix is already the newest version (3.3.0-1ubuntu0.3).
Calculating upgrade... Done
0 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.

You won't.
Since Ubuntu, like Debian and CentOS, is not a rolling release, it won't upgrade to a new major version of any software. You will need to upgrade Ubuntu, and since Ubuntu 20.04 has been out for a year it's safe to assume most bugs are ironed out.

I was hoping you had CentOS 8 because there’s an excellent tutorial in these forums for upgrading Postfix from 3.3 to 3.5 from a third-party repository. Can’t say for Ubuntu, not anything endorsed by Virtualmin anyway.

Until you sort it out with some kind of upgrade, try as Joe suggested and copy one certificate and use that same SMTP server for all mail accounts. Another option is to issue a certificate for the server hostname and use that.

I've been putting off the upgrade to Ubuntu 20.04 for a while. I just saw that the later Postfix is supported, so that's what I'm doing now. Thanks all.


Please update with the results.
Even if it should be rather smooth, it’s always nice to have it confirmed so that others in the same situation won’t be afraid to try it :slight_smile:

Guys, I hate to have to come back like this, but it's taken 3 days to do the update. I'm now on Ubuntu 20.04.02, Postfix:

bill@prime:/etc/dovecot/conf.d# apt upgrade postfix
Reading package lists… Done
Building dependency tree
Reading state information… Done
postfix is already the newest version (3.4.13-0ubuntu1).

But I have literally nothing to add to my first post; it's still not allowing sending mail, because the last cert I did the "copy to…" for 3 days ago is the one which is shown in the error message for every domain apart from that one. I guess I didn't understand the fix, or did something wrong. Any more tips please?

Whilst I'm here, what's the preferred method for send and receive? I can choose SSL or STARTTLS for either. So far it's been SSL to receive, STARTTLS to send. Always wondered what's best for those.

You have made a Let’s Encrypt cert for each domain, right?
After the upgrade you should have a new tab called Service Certificates, see screenshot.

Make sure that especially Dovecot and Postfix are set to use the domain certificate instead of default cert and it should work. :slight_smile:

Thanks. It is exactly like yours, except there is no entry for "Postfix IP certificate enabled".
I just see the first 3 entries: Webmin, Usermin and Dovecot.

On the Dashboard, do you have a notification saying that a change in the OS was detected or something like that? You might need to go to System Settings → Re-check Configuration (but I’m not sure that will help as I never really remember what it’s for).
Anyway, it won’t hurt to do it and @Joe will probably tell me off again for mentioning it if I’m wrong :wink:

I rebooted the server again just to be sure, but it is reporting Ubuntu 20.4 on the dashboard with no message, as you suspect.

However, under Webmin | Servers | Postfix it is still reporting 3.3.0, whereas the command line reports 3.4.0.
When I did the re-check config on one of the problem domains this message was in the list; everything else reported ready:
Postfix can support per-domain outgoing IP addresses, but is not currently configured to do so. This can be setup in the Postfix Mailserver module.

Strange.
It's been a while since I performed a dist-upgrade on a production server, but I can't remember running into these issues; everything was fixed magically-ish.

I only found a file in /etc/webmin/postfix/ called version, which contains the Postfix version number, but I wouldn’t change that manually, at least until a dev has chimed in with any ideas… Sorry.

This post from Ilia seems to indicate that if you’re running a current version of Webmin (which is mandatory for this to work at all, anyway), you shouldn’t need to update the version file.

So, are you running current Webmin and Virtualmin versions?

It's all fixed! I deleted /etc/webmin/postfix/version following a tip, and after a restart the missing option appeared. It's great to see all the email for the domains working again. The correct version of Postfix now appears in the dashboard. Thanks everyone.
