Joe,
Thanks for your responses and help. Once I figure this out, I’m going to upload a how-to to this forum. Anyways, here are my new comments:
1.) Can I use the “Manage SSL Certificate” to request each domain’s certificates?
Joe: What do you mean by “each domain”? Obviously, you can request certificates for every domain your server hosts, so I guess that’s not what you’re asking…but I can’t quite figure out what you’re trying to accomplish.
Samrich: So I would love to have all of my customers be able to access their mail on secure ports using SSL. Ideally the incoming and outgoing servers for each customer would be mail.customerdomain.com, where “customerdomain” is their actual domain name. I originally thought “Manage SSL Certificate” would be able to do all of this using Let’s Encrypt, but that hasn’t been the case. HTTP/HTTPS works great, but I’m struggling with mail.
2.) Do the mail Aliases all need to be on one Certificate? If yes, which domain should they go under?
Joe: I’d recommend not directing your users to a bunch of different names. Pick a central one for mail, and use that for everyone, no matter what domain they’re in. It’ll reduce the complexity of your deployment remarkably.
AFAIK, SMTP and IMAPS/POPS have no mechanism for selecting a certificate based on hostname (e.g. they can’t have a bunch of certificates…just the one), so yes, any domain name you’ll be connecting to SMTP and IMAPS/POPS with will need to have the same certificate that covers all of the names you’ll be connecting with.
Samrich: So your first part above sounds good. So I would have everyone use something like:
Incoming Mail Server: mail3.mydomain.net
Outgoing Mail Server: mail3.mydomain.net
This would be used instead of mail.customerdomain.com, where “customerdomain” is whatever my customer’s actual domain name is? Would this cause blacklist problems, as mail for a customer’s domain would now be coming from mydomain.net and the sending email account would not match the sending server domain?
So, for your second part, how would I go about requesting the SSL certificate from Let’s Encrypt with all of the customer domains? Altering my steps in the original post, I would only get an SSL certificate for customerdomain.com and www.customerdomain.com for customer domains, and then, for the email server mydomain.net account, I would add mail.customerdomain.com for each of my customers in the “Domain names listed here” field.
3.) At any point should I ever click either the “Copy to Dovecot” or “Copy to Postfix” buttons after getting the Let’s Encrypt certificate for a domain?
Joe: Yes. That’s how a certificate is installed for use by mail services. Until you click that, you’ll be using the default self-signed certificates (which should work, but will generate a warning when you connect and won’t have any domain names associated with them except the name of the host).
Samrich: So, I’ve noticed that in Webmin -> Servers -> Dovecot IMAP/POP3 Server -> Edit Config Files, at about line 104, I see the following list:
local_name mail3.mydomain.net {
  ssl_cert = </home/mydomnet/domains/mail3.mydomain.net/ssl.cert
  ssl_key = </home/mydomnet/domains/mail3.mydomain.net/ssl.key
}
local_name www.mail3.mydomain.net {
  ssl_cert = </home/mydomnet/domains/mail3.mydomain.net/ssl.cert
  ssl_key = </home/mydomnet/domains/mail3.mydomain.net/ssl.key
}
local_name mydomain.com {
  ssl_cert = </home/mydomcom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
local_name www.mydomain.com {
  ssl_cert = </home/mydomcom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
local_name mail.mydomain.com {
  ssl_cert = </home/mydomcom/ssl.cert
  ssl_key = </home/mydomcom/ssl.key
}
local_name one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
local_name www.one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
local_name mail.one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
local_name two.com {
  ssl_cert = </home/twocom/ssl.cert
  ssl_key = </home/twocom/ssl.key
}
local_name www.two.com {
  ssl_cert = </home/twocom/ssl.cert
  ssl_key = </home/twocom/ssl.key
}
local_name mail.two.com {
  ssl_cert = </home/twocom/ssl.cert
  ssl_key = </home/twocom/ssl.key
}
local_name three.com {
  ssl_cert = </home/threecom/ssl.cert
  ssl_key = </home/threecom/ssl.key
}
local_name www.three.com {
  ssl_cert = </home/threecom/ssl.cert
  ssl_key = </home/threecom/ssl.key
}
local_name mail.three.com {
  ssl_cert = </home/threecom/ssl.cert
  ssl_key = </home/threecom/ssl.key
}
It looks like Dovecot might be using the individual SSL certificates for each of the domains. Now for Postfix, I do not get the same results. If I press the “Copy to Postfix” button for virtual server two.com, then Postfix uses that SSL certificate for all accounts. Then I get an error message in the mail client (i.e., Thunderbird, Outlook, etc.) that the certificate is for the wrong site.
4.) In the off chance that I click the “Copy to Postfix” or “Copy to Dovecot” button is there a way to undo that?
Joe: Not automatically, no. You could back them up manually beforehand. But you shouldn’t need to. A self-signed certificate has no value…don’t worry about replacing it.
Samrich: Ok.
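The thread turns on two checks a practitioner would want to run before telling customers which hostname to put in their mail client: which certificate file Dovecot will serve for a given SNI name (the local_name blocks posted above), and whether the one certificate Postfix presents to everybody actually lists every hostname clients will connect with. The script below is an added example and is not code from the thread, from Virtualmin, or from Dovecot/Postfix. The Dovecot fragment inside it is a shortened, constructed copy of the posted config, and the subjectAltName lists are constructed stand-ins (a real certificate's names would be read out of the file, for example with `openssl x509 -in ssl.cert -noout -text`); the wildcard matching follows the RFC 6125 rule of one leftmost `*` label matching exactly one label.

```python
"""
Added example (not from the original forum post): map Dovecot local_name
blocks to the certificate each SNI name gets, and check which client-facing
mail hostnames a single certificate leaves uncovered.
"""
import re
from typing import Dict, List

# Constructed sample: a shortened copy of the local_name list posted above.
DOVECOT_CONF = """
local_name mail3.mydomain.net {
  ssl_cert = </home/mydomnet/domains/mail3.mydomain.net/ssl.cert
  ssl_key = </home/mydomnet/domains/mail3.mydomain.net/ssl.key
}
local_name mail.one.com {
  ssl_cert = </home/onecom/ssl.cert
  ssl_key = </home/onecom/ssl.key
}
"""

# One block per SNI name; Dovecot local_name blocks do not nest, so a
# non-greedy match up to the next closing brace is sufficient.
LOCAL_NAME_RE = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.S)
SSL_CERT_RE = re.compile(r"ssl_cert\s*=\s*<(\S+)")


def parse_local_names(conf: str) -> Dict[str, str]:
    """Return {sni_hostname: ssl_cert path} for every local_name block in conf."""
    mapping: Dict[str, str] = {}
    for block in LOCAL_NAME_RE.finditer(conf):
        name, body = block.group(1).lower(), block.group(2)
        cert = SSL_CERT_RE.search(body)
        if cert:  # a block without ssl_cert falls back to the global cert
            mapping[name] = cert.group(1)
    return mapping


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style hostname match: exact, or '*.example.com' matching
    exactly one label ('mail.example.com', but not 'a.b.example.com' or
    'example.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    host_labels = host.split(".")
    # at least three labels so '*.com' can never match a bare 'example.com'
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == pattern[2:]


def uncovered(san_names: List[str], client_hosts: List[str]) -> List[str]:
    """Hostnames clients will connect with that the certificate does not cover.
    Each of these produces the 'certificate is for the wrong site' warning."""
    return [h for h in client_hosts
            if not any(name_matches(p, h) for p in san_names)]


def plan_san_list(central_host: str, customer_domains: List[str]) -> List[str]:
    """The subjectAltName list to request for one shared mail certificate:
    the central hostname plus mail.<domain> for every hosted customer."""
    return [central_host] + [f"mail.{d}" for d in customer_domains]


if __name__ == "__main__":
    print(parse_local_names(DOVECOT_CONF))
    # Constructed SAN list standing in for the two.com certificate that
    # 'Copy to Postfix' would make Postfix serve to every client.
    two_com_cert = ["two.com", "www.two.com", "mail.two.com"]
    clients = ["mail.two.com", "mail.one.com", "mail3.mydomain.net"]
    print("uncovered by two.com cert:", uncovered(two_com_cert, clients))
    shared = plan_san_list("mail3.mydomain.net", ["one.com", "two.com"])
    print("uncovered by shared cert:", uncovered(shared, clients))
```

To see what a live server really presents for a given SNI name, the same comparison can be made against `openssl s_client -connect mail3.mydomain.net:993 -servername mail.one.com` (IMAPS) or `openssl s_client -connect mail3.mydomain.net:587 -starttls smtp -servername mail.one.com` (submission); the names in the returned certificate are what `uncovered` should be fed.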