Let’s Encrypt SSL certificates for Postfix Mail Domains in ISPConfig

Let’s Encrypt SSL certificates for different mail domains in ISPConfig

Having real SSL certificates to be used as mail domain for Postfix and dovecot in ISPConfig, is quite a good discussed topic at the moment.

Today I had quite a interesting thought how this could be done. The solution I have in mind, will work without any doubt, but it has it’s downside.

According to a description in one of my older posts, ispconfig 3.1 + Lets Encrypt + Postfix / Dovecot + PureFTPD in english we can take advantage of the fact, that ISPConfig is just setting symlinks on certificates in the web directory and then just fires up a cron to renew your certificates.

In case your configuration looks like I did describe it in the blog post mentioned above, then it will be quite a easy thing. But first let me describe my theories.

What happens in the background?

What ISPConig does, when you setup a new site, is to request a SSL certificate via the Let’s Encrypt bot. In case your domain A and AAAA records are all in place, the certificate will be issued, and you can access this site from https. ISPConfig check in the background whether the certificate has been issued by Let’s Encrypt or not and in case all things went fine, ISPConfig places a symbolic link from /etc/letsencrypt/live/your-domain.tld/cert… to /var/www/your-domain.tld/ssl/cert…, changes the configuration in the Apache vhost configuration and restarts / reloads your web server.

I have taken advantage of this method to have the ISPConfig Interface, Postfix, Dovecot and PureFTPD deliver a valid SSL certificate. To get this done, you just need to create a site with your hostname in ISPConfig to get a Let’s Encrypt SSL certificate and then you can use that one and ISPConfig will take care of it’s renewal etc.

Here is the Idea

The fact that one can also create alias domains in ISPConfig, will lead you to the fact that ISPConfig will then request for a certificate for both domains. In case all DNS records are correct, you will get a valid certificate for both domains. Now, does that ring a bell? No? Well, then continue reading.

To get a valid certificate for your Hostname, you just create a site for your Hostname in ISPConfig and then you place the symlinks, just as I described in the blog post mentioned above. So when you open your ISPConfig Interface, it will deliver the real certificate. For example, host.your-domain.tld

Now a client of yours tells you, that he wants to be able to use place mail.client-a.com in his mail client settings, without being bothered with a SSL certificate warning. To get this done, you can set his mail.client-a.com as a alias domain of host.your-domain.tld. It could be looking like this one:

  • Domain: mail.client-a.com
  • Parent Website: host.your-domain.tld
  • Redirect Type: No redirect
  • Redirect Path: (empty)
  • Auto-Subdomain: None
  • SEO Redirect: No redirect

Now click on save. In case your client has correctly set his DNS A and AAAA records for his mail.client-a.com subdomain, his subdomain will be added to the certificate you have for your hostname. And because Postfix and Dovecot use the very same certificate, it will be delivered with this domains:

  • host.your-domain.tld
  • mail.client-a.com

and your client can enter his mail.client-a.domain in his Outlook, Thunderbird, Android or any other client, and will not get a warning message anymore.

The downside of doing it that way

The problem I see with this, is almost jumping right into your face. Exactly. In case you have like 20 clients, and you have setup them all with the method above, that one certificate will deliver all of these domain names. The problem with it is, that all clients can see whom else you are hosting on your server. But clients can also see what other clients are there. And all this is, IMHO a huge privacy issue. I also think, that clients should not just know, or have a list of whom else you are hosting on your machines.

Myself, I would not do it. How is it with you? Would your clients allow that? Let me know in the comments, via Twitter or Facebook what you think about it.

Leave a Reply

Your email address will not be published. Required fields are marked *