Secure email per domain (TLS / SSL)

As I understood after reading a bit, it’s not possible to offer secure email to every virtual host using their own SSL certificates.

That’s very very unfortunate.

Virtualmin should really support secure connections for email clients per domain with their own certificates.

Dovecot/conf seems to support it: (https://wiki.dovecot.org/SSL/DovecotConfiguration#With_client_TLS_SNI_.28Server_Name_Indication.29_support)

local_name imap.example.org {
  ssl_cert = </etc/ssl/certs/imap.example.org.crt
  ssl_key = </etc/ssl/private/imap.example.org.key
}
local_name imap.example2.org {
  ssl_cert = </etc/ssl/certs/imap.example2.org.crt
  ssl_key = </etc/ssl/private/imap.example2.org.key
}

Also, the Exim mail server supports it: (https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTtlssni)

tls_privatekey = ${if exists{/etc/exim.key.${tls_sni}}{/etc/exim.key.${tls_sni}}{/etc/exim.key}}
tls_certificate = ${if exists{/etc/exim.cert.${tls_sni}}{/etc/exim.cert.${tls_sni}}{/etc/exim.cert}}

“That way it would take /etc/exim.key.domain.com and /etc/exim.cert.domain.com if they exist, and if they do not, /etc/exim.key & /etc/exim.cert would be used.”

Postfix on the other hand, which you guys seem to like, has no plans to support SNI at all, making the current setup cumbersome for no apparent reason. Postfix is not future proof, and in my opinion Virtualmin should step away from it ASAP. SNI is widely supported by all major email clients, including iOS, Outlook, Thunderbird, etc.

Please support Exim + Dovecot SNI to be future proof and make using Let’s Encrypt for multiple domains no problem whatsoever.
This also suggests that the buttons [Copy to Dovecot] etc. under SSL management are unnecessary, since they support all domains anyway.

I’m pretty sure it is at least technically possible to make this work on Virtualmin’s end; I’ve seen it work in other administration panels.
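As an added example (not code from the original post, nor Virtualmin's or Dovecot's own code), here is a small Python tool that does what the Dovecot local_name snippet and the Exim ${if exists{...}} fallback above describe: it emits one local_name block per domain only when that domain's cert and key both exist, leaving every other domain on Dovecot's global certificate, and it adds a client-side check of which certificate a server actually presents for a given SNI name. The /etc/ssl paths, the <domain>.crt / <domain>.key naming and the hosts in the usage lines are assumptions.

```python
"""Per-domain TLS (SNI) for Dovecot: config generation plus a client-side check.
Added example, not Virtualmin's or Dovecot's code. Assumed (hypothetical) layout:
<cert_dir>/<domain>.crt and <key_dir>/<domain>.key, e.g. copies of Let's Encrypt files."""
import os
import socket
import ssl


def dovecot_sni_blocks(domains, cert_dir, key_dir):
    """Return (config_text, skipped_domains).

    A local_name block is written only when both files exist, mirroring the Exim
    ${if exists{...}} fallback from the thread: domains without their own pair keep
    using Dovecot's global ssl_cert / ssl_key, so a missing file never breaks reload.
    """
    blocks, skipped = [], []
    for name in domains:
        crt = os.path.join(cert_dir, f"{name}.crt")
        key = os.path.join(key_dir, f"{name}.key")
        if os.path.isfile(crt) and os.path.isfile(key):
            # The leading '<' makes Dovecot read the value from that file.
            blocks.append(
                f"local_name {name} {{\n  ssl_cert = <{crt}\n  ssl_key = <{key}\n}}\n"
            )
        else:
            skipped.append(name)
    return "".join(blocks), skipped


def presented_dns_names(host, port, servername, timeout=5.0):
    """Open an implicit-TLS connection (IMAPS 993, POP3S 995, SMTPS 465), send
    `servername` as SNI and return the DNS names in the certificate the server
    actually chose. Verification stays on, so if the server ignores SNI and falls
    back to a certificate for another name this raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            cert = tls.getpeercert()
    return sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")


if __name__ == "__main__":
    # Paths mirror the Dovecot wiki snippet quoted in the thread (assumed to exist here).
    text, missing = dovecot_sni_blocks(
        ["imap.example.org", "imap.example2.org"], "/etc/ssl/certs", "/etc/ssl/private"
    )
    print(text or "# no per-domain certificates found; global ssl_cert applies")
    for name in missing:
        print(f"# {name}: no cert/key pair, stays on the global certificate")
    # Live check, assumed host: presented_dns_names("mail.example.org", 993, "imap.example.org")
```

After `doveadm reload`, running the live check once per domain is the quickest way to confirm that each name really gets its own certificate rather than the global fallback.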

In case you didn’t notice, all hosting companies are using “neutral” domains for this very same reason. For example, if you want to connect to your control panel (usually cPanel) you will go to 111.example.com:port_number; on the second server it will be 222.example.com:port_number, and so on… These domains usually have a simple landing page made in HTML, or the Apache default page, or a redirect to the hosting company’s primary domain. In case you don’t have your own SSL certificate, it will use one from the server, e.g. the SSL certificate from xxx.example.com.

If you have more than one client per server, it’s always good practice to set the default domain to something neutral instead of your own domain, and your clients can use the SSL certificate from that domain. Plus, never host your main domain on the same server as your clients. If something happens and the server hosting your clients goes down, your website and probably your email will be down too. Bad for business.

Postfix can support multiple SSL certificates, but you must have a separate IP for each domain or it will not work. This doesn’t have anything to do with laziness of the Postfix devs, nor is this software going to die anytime soon. The reason is that they (the devs) want to do things properly, and right now there isn’t any “HTTP/1.1 Host header” that could tell Postfix which domain is requested, so the only way to split them is by separate IP. Another reason why Postfix is slow to adapt is the security and performance standpoint. Something like CentOS 7 using PHP 5.4.

If you make a comparison between Postfix and Exim you will find that Postfix is more secure and faster than Exim. Not to mention that during their existence Postfix never suffered major security problems like Exim. On the other hand you can opt for the less secure Exim and enjoy all the new things that come out.

So there isn’t a clear winner, and it only depends on your requirements and personal taste.

P.S. With the desperate shortage of IPv4 and hosting companies pushing for IPv6, I think pretty soon there will be no problem giving each domain a separate IP at low or no expense at all.

P.S. 2 When I said “less secure Exim” I didn’t mean right now; instead, the observation and opinion are based on past experience.

Please, I want to offer secure connections to my users on their own domain. I’m not interested in what other companies do, nor do I want to wait for IPv6; it’s technically possible, and this is hereby a feature request. Not everybody that uses Virtualmin is just a simple shared hosting company.

I’m not sure why Virtualmin keeps talking about other things instead of just implementing this and/or maybe asking Postfix to finally support SNI.

Then the user can pick an option: super safe Postfix with one cert, or super open, totally full of leaks Exim with solid SSL support.

Thank you!

“maybe ask postfix to finally support SNI”

Instead of asking Virtualmin, why don’t you do that by yourself?

About Exim vs Postfix: you can always remove Postfix and install Exim, then in the module config change the default MTA. Next, the Virtualmin guys were clear more than once that they prefer Postfix over anything else, even though Virtualmin has support for two other MTAs, Sendmail and Qmail. Virtualmin will work with Exim, but if nothing has changed in the last year or two I think it’s limited in options. If I remember right, there were some (potential) problems and conflicts between Exim and the Virtualmin installation of the software (as a whole package).

“Not everybody that uses Virtualmin is just a simple shared hosting company.”

Then put each client on a separate server (VPS or dedicated); otherwise, if you have more than one client per server, basically it is “simple shared hosting”.

I intend to put every client on their own VPS, but sometimes you have these exceptions where they have multiple domains and want to use the same infrastructure. It’s just more professional and easier to understand from a client’s perspective if they connect using the actual domain they want to get mail for.

“Instead of asking Virtualmin, why don’t you do that by yourself?”

Well, I’m not going to dive into a software package I didn’t write myself. Don’t get me wrong, I really like what Virtualmin and Webmin have to offer; it’s just… those tiny little things that are missing.

In addition, I really think it’s up to Virtualmin to support Dovecot with SNI; it seems to be as simple as Virtualmin writing the correct config into Dovecot when creating a virtual server. I don’t think I’m really asking that much here.

Supporting Dovecot SNI would be a great start, since using something more generic as the SMTP server isn’t that confusing from a client perspective. I think it really comes down to the willingness of Virtualmin to implement this.

Thanks for your replies and explanations, by the way.