Updated on 17 March 2020: Updated original documentation to include information from this thread -> https://cyberpanel.net/docs/6-self-signed-ssl-error-on-outlook-thunderbird/
In line with this post:
https://cyberpanel.net/docs/6-self-signed-ssl-error-on-outlook-thunderbird/
And this:
http://techslides.com/mail-server-for-multiple-domains-with-postfix
... I am trying to set up Postfix to allow multiple domain names and SSL certificates for the incoming mail server.
The issue arises when I try testing a secondary domain with this service:
https://www.checktls.com/TestReceiver?LEVEL=DETAIL&EMAIL=mail.secondarydomain.com
Unfortunately, it only defaults to my server's main mail server's SSL certificate (mail.maindomain.com), and I would like it to switch to the appropriate one so the SSL certificate match-up test passes. What is considered best practice to do this with CyberPanel?
Comments
https://serverfault.com/a/996358
http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a101029
http://www.postfix.org/postconf.5.html#smtp_tls_cert_file
http://www.postfix.org/postconf.5.html#smtp_tls_key_file
http://www.postfix.org/postconf.5.html#smtp_tls_chain_files
I no longer have to use a custom MX record with my secondary domain!
Step 1: Comment out the top two lines and add the following lines to /etc/postfix/main.cf:
---
# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
# default key + chain for the SMTP server, used when a client sends no SNI name
# (or one that is not in the map); continuation lines must start with whitespace
smtpd_tls_chain_files =
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
# map of SNI name -> key and chain files (SNI support needs Postfix 3.4 or later)
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
---
Step 2: Create the file /etc/postfix/vmail_ssl.map with the following:
---
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line: SNI name, then the private key file, then the full chain file
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed
---
Step 3: Run postmap -F hash:/etc/postfix/vmail_ssl.map.
Step 4: Run systemctl restart postfix.
Step 5: Now test your domains' SSLs! For each of your domains, run the following command: openssl s_client -connect localhost:25 -servername mail.mydomainname.com -starttls smtp
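The steps above are easy to get subtly wrong: the continuation lines under smtpd_tls_chain_files must be indented, the key file has to be listed before the chain, the legacy smtpd_tls_cert_file/smtpd_tls_key_file lines must really be commented out, and cert.pem instead of fullchain.pem drops the intermediate that Outlook and other clients need. The checker below is an added example written for this thread, not code from the poster, CyberPanel or Postfix; the hostnames, file paths, PEM snippets and the sample map/main.cf in it are constructed so it runs offline.

```python
"""Pre-flight checks for the Postfix SNI setup in the steps above.

Added example for this thread, not code from CyberPanel, Postfix or the poster.
It assumes the layout the steps use: a map with one "sni-name keyfile chainfile"
line per host, and main.cf carrying smtpd_tls_chain_files and tls_server_sni_maps.
SAMPLE_MAP, SAMPLE_MAIN_CF and the PEM snippets in FAKE_FS are constructed.
"""
import errno
from typing import Callable, Dict, List, Tuple


def parse_sni_map(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """{sni_name: [pem files]} plus problems. Postfix takes comma- or
    whitespace-separated file lists; '#' starts a comment."""
    entries: Dict[str, List[str]] = {}
    problems: List[str] = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].replace(",", " ").split()
        if not parts:
            continue
        if len(parts) < 2:
            problems.append(f"map line {n}: no files listed for {parts[0]!r}")
            continue
        if parts[0] in entries:
            problems.append(f"map line {n}: duplicate key {parts[0]!r}")
        entries[parts[0]] = parts[1:]
    return entries, problems


def pem_labels(pem: str) -> List[str]:
    """BEGIN labels of the PEM objects in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [ln.strip()[11:-5] for ln in pem.splitlines()
            if ln.strip().startswith("-----BEGIN ") and ln.strip().endswith("-----")]


def lint_entry(key: str, files: List[str], read: Callable[[str], str]) -> List[str]:
    """Postfix wants each private key followed by its chain, so the first PEM
    object must be a key; clients need the intermediate, so expect >1 certificate."""
    problems: List[str] = []
    labels: List[str] = []
    for path in files:
        try:
            labels += pem_labels(read(path))
        except OSError as exc:
            problems.append(f"{key}: cannot read {path}: {exc.strerror}")
    if labels and "PRIVATE KEY" not in labels[0]:
        problems.append(f"{key}: first PEM object is {labels[0]!r}; list privkey.pem before the chain")
    if labels and labels.count("CERTIFICATE") < 2:
        problems.append(f"{key}: only {labels.count('CERTIFICATE')} certificate(s); use fullchain.pem, not cert.pem")
    return problems


def lint_main_cf(text: str) -> List[str]:
    """Two mistakes seen in this thread: continuation lines without leading
    whitespace (Postfix does not join them to the parameter above) and the legacy
    smtpd_tls_cert_file/smtpd_tls_key_file lines left active."""
    problems: List[str] = []
    names = set()
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#") or raw[0] in " \t":
            continue  # blank, comment, or a correctly indented continuation
        if "=" not in raw:
            problems.append(f"main.cf line {n}: {raw.strip()!r} is not indented, so it is not a continuation")
            continue
        names.add(raw.split("=", 1)[0].strip())
    for wanted in ("smtpd_tls_chain_files", "tls_server_sni_maps"):
        if wanted not in names:
            problems.append(f"main.cf: {wanted} is not set (tls_server_sni_maps needs Postfix 3.4+)")
    if names & {"smtpd_tls_cert_file", "smtpd_tls_key_file"}:
        problems.append("main.cf: legacy smtpd_tls_cert_file/smtpd_tls_key_file still active; comment them out")
    return problems


# --- constructed sample: one good host, one with the files swapped and no chain ---
SAMPLE_MAP = """\
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
mail.a.example /etc/letsencrypt/live/mail.a.example/privkey.pem /etc/letsencrypt/live/mail.a.example/fullchain.pem
mail.b.example /etc/letsencrypt/live/mail.b.example/cert.pem, /etc/letsencrypt/live/mail.b.example/privkey.pem
"""
SAMPLE_MAIN_CF = """\
smtpd_tls_chain_files =
/etc/letsencrypt/live/mail.a.example/privkey.pem,
    /etc/letsencrypt/live/mail.a.example/fullchain.pem
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
"""
KEY = "-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEIA==\n-----END PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nMIIBszCCAVk=\n-----END CERTIFICATE-----\n"
FAKE_FS = {  # stands in for the real files; use open(p).read() on a server
    "/etc/letsencrypt/live/mail.a.example/privkey.pem": KEY,
    "/etc/letsencrypt/live/mail.a.example/fullchain.pem": CERT + CERT,
    "/etc/letsencrypt/live/mail.b.example/privkey.pem": KEY,
    "/etc/letsencrypt/live/mail.b.example/cert.pem": CERT,
}


def fake_read(path: str) -> str:
    if path not in FAKE_FS:
        raise FileNotFoundError(errno.ENOENT, "No such file or directory", path)
    return FAKE_FS[path]


def check_sample() -> List[str]:
    """Run every check over the constructed sample; expect three findings."""
    entries, problems = parse_sni_map(SAMPLE_MAP)
    for key, files in entries.items():
        problems += lint_entry(key, files, fake_read)
    return problems + lint_main_cf(SAMPLE_MAIN_CF)
```

On a real server, replace fake_read with `lambda p: open(p).read()` (run it as root, since the private keys are not world-readable) and feed it the actual map and main.cf contents; after fixing anything it reports, rerun postmap -F and restart Postfix exactly as in Steps 3 and 4, because Postfix reads the compiled .db, not the text file.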
I tried with 2 setups: 1 fresh, the other on my production server.
1. Fresh server: even though I created the mail and normal SSL, the folder /etc/letsencrypt/live/ is empty.
2. For the production server I don't have any folder for mail.xxx, only for the main domains.
Do you have any idea what went wrong with my setup? Or how can I fix it?
Thanks!
Then I followed it to the end and all worked fine with the code you provided; the SSL handshake was made without any issues.
Then I tried to add it to Outlook. Unfortunately mail.xxx couldn't create an SSL connection. The certificate still shows as the original mail server's primary domain.
Can you try to connect via Outlook etc. with SSL and let me know if it works?
Many thanks in advance!
For dovecot it is for mail.domain.com because autodiscovers tries to connect using this domain.
Sent you a message on CP Slack.
I just tested; the 2 lines below weren't commented out after the upgrade, the rest was OK.
---
# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
Also the primary domain's SSL wasn't registered in /etc/postfix/vmail_ssl.map as @Hifihedgehog mentioned.
However, even after I followed it exactly as mentioned, I can't connect with Outlook or any other software.
What I did:
I created 2 domains (a.com, b.com).
Created an SSL for a.com and a mail server SSL for mail.a.com.
Restarted the VM.
Tried to log in using Outlook with the mail server mail.b.com. SSL couldn't be found.
Generated a mail SSL for mail.b.com, then it worked of course.
Then I generated it again for mail.a.com, and it stopped working again for mail.b.com.
Seems like the original CyberPanel setup, no changes.
Please let me know @Hifihedgehog if with your setup it works with outlook or any other mail app.
Thank you!
> I am going to read through your efforts now, thanks.
You're welcome! Sorry for missing your replies on Slack. Glad it seems to have worked out well!
> Please let me know @Hifihedgehog if with your setup it works with outlook or any other mail app.
>
> Thank you!
Yes, it does. Confirmed with both Outlook desktop (Windows) and Outlook mobile (iOS).
> @Hifihedgehog this step goes for mail.domain.com or the actual top level domain such as domain.com ?
>
> For dovecot it is for mail.domain.com because autodiscovers tries to connect using this domain.
Yep, I used the mail. subdomain. :)
You are getting an insecure message because your server is failing to pick up the certificates for one reason or another. Some possibilities:
1. You don't have this correct in your Postfix main.cf configuration file:
> # smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> # smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
>
> # provide the primary certificate for the server, to be used for outgoing connections
> smtpd_tls_chain_files =
>     /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
>     /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
2. You need to renew your mail server SSL certificate because either (a) you made too many renewal requests and are therefore locked out and will have to wait a couple of days before being able to, or (b) it is outdated.
I have a suggestion; I talked about that on Discord too.
Add a context wrapper to the child domain, OR make it dedicated to mail domains.
Something like this:
#add context rule to any mail child-domain (under VH_ROOT)
context /.well-known-wrapper {
location $VH_ROOT/.well-known-wrapper
allowBrowse 1
}
#point the verification to the virtual place
./acme.sh --issue -d mail.example.com -w /home/example.com/.well-known-wrapper
Done. We have SSL verification without a sub-folder under public_html.
> Step 1: Comment out the top two lines and add the following lines to /etc/postfix/main.cf:
>
> ---
> # smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
> # smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
>
> # provide the primary certificate for the server, to be used for outgoing connections
> smtpd_tls_chain_files =
>     /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
>     /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
>
> # provide the map to be used when SNI support is enabled
> tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
> ---
>
> Step 2: Create the file /etc/postfix/vmail_ssl.map with the following:
>
> ---
> # Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
> # One host per line
> mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
> mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
> # add more domains with keys and certs as needed
> ---
>
> Step 3: Run postmap -F hash:/etc/postfix/vmail_ssl.map.
>
> Step 4: Run systemctl restart postfix.
>
> Step 5: Now test your domains' SSLs! For each of your domains, run the following command: openssl s_client -connect localhost:25 -servername mail.mydomainname.com -starttls smtp
I'm getting example.com domains from the SSL check.
> That means you did not select each of the domains in CyberPanel and generate an SSL certificate for those mail domains. That, or you tried regenerating the SSL certificate so many times that you are blocked out since you hit the renewal request quota, in which case you would have to wait.
I solved that issue of generating the SSL; my SSL is being shown right now, but I still get an SSL error for SMTP, I suppose for secondary domains.
My Dovecot config is:
local_name mail.s.com {
    ssl_cert = </etc/letsencrypt/live/mail.s.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.s.com/privkey.pem
}
local_name mail.a.com.tr {
    ssl_cert = </etc/letsencrypt/live/mail.a.com.tr/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.a.com.tr/privkey.pem
}
local_name mail.y.com {
    ssl_cert = </etc/letsencrypt/live/mail.y.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.y.com/privkey.pem
}
My Postfix vmail_ssl.map is:
mail.y.com /etc/letsencrypt/live/mail.y.com/privkey.pem /etc/letsencrypt/live/mail.y.com/fullchain.pem
mail.s.com /etc/letsencrypt/live/mail.s.com/privkey.pem /etc/letsencrypt/live/mail.s.com/fullchain.pem
mail.a.com.tr /etc/letsencrypt/live/mail.a.com.tr/privkey.pem /etc/letsencrypt/live/mail.a.com.tr/fullchain.pem
My main.cf is:
smtpd_use_tls = yes
#smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
#smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_chain_files =
    /etc/letsencrypt/live/mail.y.com/privkey.pem,
    /etc/letsencrypt/live/mail.y.com/fullchain.pem
# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
Configured like this. I generated the SSL and mail server SSL for mail.y.com from the panel and checked the SSL certs.
I used postmap -F hash:/etc/postfix/vmail_ssl.map, systemctl restart postfix and systemctl restart dovecot without errors.
Nothing is wrong with the certificates, but I still get an error in Gmail mobile. If you're willing to take a look at the configs I can hand them over. This mail problem has hurt my head so much these last few days...
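The Dovecot local_name blocks and the Postfix map above have to agree hostname by hostname, and the thread's test (openssl s_client against port 25) only covers inbound SMTP: Outlook and Gmail mobile connect to 587 or 465 for submission and 993 for IMAP, and each of those services picks its certificate on its own. The following is an added example written for this thread, not code from the poster, CyberPanel, Dovecot or Postfix; it parses both configs, reports names present on only one side or pointing at different files, and probes what every client-facing port actually serves for each name. The sample config text and hostnames in it are constructed; probe_ports() needs a live server and is not run offline.

```python
"""Cross-check Dovecot local_name blocks against the Postfix SNI map, then probe
what each mail-client port really serves.

Added example for this thread, not code from CyberPanel, Dovecot or Postfix. It
assumes the config shapes posted above (Dovecot `local_name X { ssl_cert = <file
ssl_key = <file }`, Postfix `X keyfile chainfile` lines) and a server speaking
STARTTLS on 25/587 and implicit TLS on 465/993. The SAMPLE_* text is constructed.
"""
import re
import socket
import ssl
from typing import Dict, Iterable, List

LOCAL_NAME_RE = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.S)
SETTING_RE = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*<(\S+)", re.M)


def parse_dovecot(text: str) -> Dict[str, Dict[str, str]]:
    """{hostname: {'ssl_cert': path, 'ssl_key': path}} from the local_name blocks."""
    return {name: dict(SETTING_RE.findall(body)) for name, body in LOCAL_NAME_RE.findall(text)}


def parse_postfix_map(text: str) -> Dict[str, List[str]]:
    """{hostname: [key file, chain file, ...]} from vmail_ssl.map source ('#' = comment)."""
    rows = [ln.split("#", 1)[0].replace(",", " ").split() for ln in text.splitlines()]
    return {r[0]: r[1:] for r in rows if len(r) > 1}


def cross_check(dovecot: Dict[str, Dict[str, str]], postfix: Dict[str, List[str]]) -> List[str]:
    """A name on one side only, or pointing at other files, means IMAP and SMTP
    disagree about which certificate that hostname gets."""
    problems: List[str] = []
    for name in sorted(set(dovecot) | set(postfix)):
        if name not in dovecot:
            problems.append(f"{name}: in Postfix map but no Dovecot local_name block (IMAP serves the default cert)")
        elif name not in postfix:
            problems.append(f"{name}: in Dovecot but not in the Postfix map (SMTP/submission serve the default cert)")
        elif not {dovecot[name].get("ssl_key"), dovecot[name].get("ssl_cert")} <= set(postfix[name]):
            problems.append(f"{name}: Dovecot uses {dovecot[name]}, Postfix uses {postfix[name]}")
    return problems


def name_matches(names: Iterable[str], sni: str) -> bool:
    """Exact or single-label wildcard match, the way a mail client checks the name."""
    sni = sni.lower()
    parent = sni.split(".", 1)[1] if "." in sni else None
    return any(n.lower() == sni or (n.startswith("*.") and n[2:].lower() == parent) for n in names)


def _smtp_reply(sock: socket.socket) -> bytes:
    """Read one SMTP reply; its last line has a space right after the 3-digit code."""
    data = b""
    while not (data.endswith(b"\r\n") and data.split(b"\r\n")[-2][3:4] == b" "):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data


def presented_names(host: str, port: int, sni: str, timeout: float = 5.0) -> List[str]:
    """Offer `sni` to host:port and return the DNS SANs of the certificate served.
    Chain verification against the system CA store stays on so getpeercert() is
    populated; a self-signed or chain-less cert raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name_matches() does the comparison instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port in (25, 587):  # STARTTLS ports; 465/993 are TLS from the first byte
            _smtp_reply(sock)
            sock.sendall(b"EHLO probe.invalid\r\n")
            _smtp_reply(sock)
            sock.sendall(b"STARTTLS\r\n")
            if not _smtp_reply(sock).startswith(b"220"):
                raise RuntimeError("server refused STARTTLS")
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def probe_ports(host: str, names: Iterable[str], ports=(25, 587, 465, 993)) -> Dict[str, str]:
    """Live check of every name on every client-facing port: 'ok', 'MISMATCH ...' or 'ERROR ...'."""
    results: Dict[str, str] = {}
    for name in names:
        for port in ports:
            try:
                served = presented_names(host, port, name)
                results[f"{name}:{port}"] = "ok" if name_matches(served, name) else f"MISMATCH {served}"
            except (OSError, RuntimeError) as exc:
                results[f"{name}:{port}"] = f"ERROR {exc}"
    return results


# --- constructed sample: mail.a on both sides, mail.c only in Dovecot, mail.b only in Postfix ---
SAMPLE_DOVECOT = """\
local_name mail.a.example {
  ssl_cert = </etc/letsencrypt/live/mail.a.example/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.a.example/privkey.pem
}
local_name mail.c.example {
  ssl_cert = </etc/letsencrypt/live/mail.c.example/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.c.example/privkey.pem
}
"""
SAMPLE_POSTFIX = """\
mail.a.example /etc/letsencrypt/live/mail.a.example/privkey.pem /etc/letsencrypt/live/mail.a.example/fullchain.pem
mail.b.example /etc/letsencrypt/live/mail.b.example/privkey.pem /etc/letsencrypt/live/mail.b.example/fullchain.pem
"""


def check_sample() -> List[str]:
    return cross_check(parse_dovecot(SAMPLE_DOVECOT), parse_postfix_map(SAMPLE_POSTFIX))
```

On a live server, run `probe_ports("localhost", list(parse_postfix_map(open("/etc/postfix/vmail_ssl.map").read())))` and expect "ok" for every name on every port. A MISMATCH on 587 or 993 only, with port 25 fine, means that service (submission in master.cf, or Dovecot) is still handing out the default certificate, which is exactly what an Outlook or Gmail client would complain about while the thread's port-25 test passes.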
Also added note on top of this thread.