Vesta: Feature Request - SSL Certificates per domain in Exim and Dovecot

Created on 9 Jun 2017  路  9Comments  路  Source: serghey-rodin/vesta

Feature Request

Hi guys, as you may know exim4 and dovecot uses the default ssl generated certificate, and if using letsencrypt you can configure both to use it.

But will be nice if every domain uses its own ssl certificate, so this way users can avoid the certificate mismatch warning from mail clients (Outlook, Thunderbird, etc).

I was researching about this topic and here are some notes that could be used.

1. Dovecot mutiple SSL certificates can be used in config:

local_name mail.example.com {
  ssl_cert = </usr/local/vesta/data/ssl_pool/mail.example.com.crt
  ssl_key = </usr/local/vesta/data/ssl_pool/mail.example.com.key
}

local_name mail.example2.com {
  ssl_cert = </usr/local/vesta/data/ssl_pool/mail.example2.com.crt
  ssl_key = </usr/local/vesta/data/ssl_pool/mail.example2.com.key
}

2. Exim multiple SSL Certificates with SNI in config:

tls_privatekey = ${if exists{/usr/local/vesta/data/ssl_pool/${tls_sni}.key}{/usr/local/vesta/data/ssl_pool/${tls_sni}.key}{/usr/local/vesta/ssl/certificate.crt}}
tls_certificate = ${if exists{/usr/local/vesta/data/ssl_pool/${tls_sni}.pem}{/usr/local/vesta/data/ssl_pool/${tls_sni}.pem}{/usr/local/vesta/ssl/certificate.crt}}

Basically if _/usr/local/vesta/data/ssl_pool/example.com.key_ and _/usr/local/vesta/data/ssl_pool/example.com.pem_ exists will use those certificates, if not will use default vesta certificate _(/usr/local/vesta/ssl/certificate.crt)_.

Note: I used _ssl_pool_ folder because is more easy to modify v-add-web-domain-ssl to drop a copy of certs on that folder than trying to dynamically find the user config folder.

$tls_sni does the magic: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTtlssni

If you have another idea throw it :)

Regards!

Most helpful comment

Any updates about this? I鈥檓 looking for a way to certify every mail.{domain}.com on my server

All 9 comments

This will be very nice for mail ssl support

Hi, any news about this feature ?

1317 will be an optional, otherwise if that isn't enabled we could add this as default?

Solution for different SSL per IP address (which is probably better solution):
https://help.directadmin.com/item.php?id=388
https://help.directadmin.com/item.php?id=389

I think Mail SSL (exim + dovecot) for every domain should be default (at least for the DNS record mail.example.com), when the domain is created with Mail Support (check box on GUI when creating new domain), or when we add support for Mail in an already existing domain.
Looking forward to seeing it implemented.

Any updates about this? I鈥檓 looking for a way to certify every mail.{domain}.com on my server

Two years has past, and it seems that nothing moves....
Too bad for a Control Panel that claims to be multi-domain !

Feature Request

Hi guys, as you may know exim4 and dovecot uses the default ssl generated certificate, and if using letsencrypt you can configure both to use it.

But will be nice if every domain uses its own ssl certificate, so this way users can avoid the certificate mismatch warning from mail clients (Outlook, Thunderbird, etc).

I was researching about this topic and here are some notes that could be used.

1. Dovecot mutiple SSL certificates can be used in config:

local_name mail.example.com {
  ssl_cert = </usr/local/vesta/data/ssl_pool/mail.example.com.crt
  ssl_key = </usr/local/vesta/data/ssl_pool/mail.example.com.key
}

local_name mail.example2.com {
  ssl_cert = </usr/local/vesta/data/ssl_pool/mail.example2.com.crt
  ssl_key = </usr/local/vesta/data/ssl_pool/mail.example2.com.key
}

2. Exim multiple SSL Certificates with SNI in config:

tls_privatekey = ${if exists{/usr/local/vesta/data/ssl_pool/${tls_sni}.key}{/usr/local/vesta/data/ssl_pool/${tls_sni}.key}{/usr/local/vesta/ssl/certificate.crt}}
tls_certificate = ${if exists{/usr/local/vesta/data/ssl_pool/${tls_sni}.pem}{/usr/local/vesta/data/ssl_pool/${tls_sni}.pem}{/usr/local/vesta/ssl/certificate.crt}}

Basically if _/usr/local/vesta/data/ssl_pool/example.com.key_ and _/usr/local/vesta/data/ssl_pool/example.com.pem_ exists will use those certificates, if not will use default vesta certificate _(/usr/local/vesta/ssl/certificate.crt)_.

Note: I used _ssl_pool_ folder because is more easy to modify v-add-web-domain-ssl to drop a copy of certs on that folder than trying to dynamically find the user config folder.

$tls_sni does the magic: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTtlssni

If you have another idea throw it :)

Regards!

Hi!
Which data should I use to config thunderbird, for example?
My scenario is: I have a single IP/host with many clients domains inside it.
client domain DNS config: https://prnt.sc/r10i31 (is it right?)

incoming: imap
server hosname: should it be ServerName (mail.xxx.com) or ClientDomain (mail.ClientDomain.com)?
port: 143
SSL: STARTTLS
Authentication: normal password?

I'm using ServerName as imap/smtp

Was this page helpful?
0 / 5 - 0 ratings

Related issues

tlcd96 picture tlcd96  路  5Comments

cakama3a picture cakama3a  路  5Comments

crackdepirate picture crackdepirate  路  6Comments

ssd-disclosure picture ssd-disclosure  路  5Comments

BukinPK picture BukinPK  路  5Comments