Feature Request
Hi guys, as you may know exim4 and dovecot uses the default ssl generated certificate, and if using letsencrypt you can configure both to use it.
But will be nice if every domain uses its own ssl certificate, so this way users can avoid the certificate mismatch warning from mail clients (Outlook, Thunderbird, etc).
I was researching about this topic and here are some notes that could be used.
1. Dovecot mutiple SSL certificates can be used in config:
local_name mail.example.com {
ssl_cert = </usr/local/vesta/data/ssl_pool/mail.example.com.crt
ssl_key = </usr/local/vesta/data/ssl_pool/mail.example.com.key
}
local_name mail.example2.com {
ssl_cert = </usr/local/vesta/data/ssl_pool/mail.example2.com.crt
ssl_key = </usr/local/vesta/data/ssl_pool/mail.example2.com.key
}
2. Exim multiple SSL Certificates with SNI in config:
tls_privatekey = ${if exists{/usr/local/vesta/data/ssl_pool/${tls_sni}.key}{/usr/local/vesta/data/ssl_pool/${tls_sni}.key}{/usr/local/vesta/ssl/certificate.crt}}
tls_certificate = ${if exists{/usr/local/vesta/data/ssl_pool/${tls_sni}.pem}{/usr/local/vesta/data/ssl_pool/${tls_sni}.pem}{/usr/local/vesta/ssl/certificate.crt}}
Basically if _/usr/local/vesta/data/ssl_pool/example.com.key_ and _/usr/local/vesta/data/ssl_pool/example.com.pem_ exists will use those certificates, if not will use default vesta certificate _(/usr/local/vesta/ssl/certificate.crt)_.
Note: I used _ssl_pool_ folder because is more easy to modify v-add-web-domain-ssl to drop a copy of certs on that folder than trying to dynamically find the user config folder.
$tls_sni does the magic: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTtlssni
If you have another idea throw it :)
Regards!
This will be very nice for mail ssl support
Hi, any news about this feature ?
Solution for different SSL per IP address (which is probably better solution):
https://help.directadmin.com/item.php?id=388
https://help.directadmin.com/item.php?id=389
I think Mail SSL (exim + dovecot) for every domain should be default (at least for the DNS record mail.example.com), when the domain is created with Mail Support (check box on GUI when creating new domain), or when we add support for Mail in an already existing domain.
Looking forward to seeing it implemented.
Any updates about this? I鈥檓 looking for a way to certify every mail.{domain}.com on my server
Two years has past, and it seems that nothing moves....
Too bad for a Control Panel that claims to be multi-domain !
Feature Request
Hi guys, as you may know exim4 and dovecot uses the default ssl generated certificate, and if using letsencrypt you can configure both to use it.
But will be nice if every domain uses its own ssl certificate, so this way users can avoid the certificate mismatch warning from mail clients (Outlook, Thunderbird, etc).
I was researching about this topic and here are some notes that could be used.
1. Dovecot mutiple SSL certificates can be used in config:
local_name mail.example.com { ssl_cert = </usr/local/vesta/data/ssl_pool/mail.example.com.crt ssl_key = </usr/local/vesta/data/ssl_pool/mail.example.com.key } local_name mail.example2.com { ssl_cert = </usr/local/vesta/data/ssl_pool/mail.example2.com.crt ssl_key = </usr/local/vesta/data/ssl_pool/mail.example2.com.key }2. Exim multiple SSL Certificates with SNI in config:
tls_privatekey = ${if exists{/usr/local/vesta/data/ssl_pool/${tls_sni}.key}{/usr/local/vesta/data/ssl_pool/${tls_sni}.key}{/usr/local/vesta/ssl/certificate.crt}} tls_certificate = ${if exists{/usr/local/vesta/data/ssl_pool/${tls_sni}.pem}{/usr/local/vesta/data/ssl_pool/${tls_sni}.pem}{/usr/local/vesta/ssl/certificate.crt}}Basically if _/usr/local/vesta/data/ssl_pool/example.com.key_ and _/usr/local/vesta/data/ssl_pool/example.com.pem_ exists will use those certificates, if not will use default vesta certificate _(/usr/local/vesta/ssl/certificate.crt)_.
Note: I used _ssl_pool_ folder because is more easy to modify v-add-web-domain-ssl to drop a copy of certs on that folder than trying to dynamically find the user config folder.
$tls_sni does the magic: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTtlssni
If you have another idea throw it :)
Regards!
Hi!
Which data should I use to config thunderbird, for example?
My scenario is: I have a single IP/host with many clients domains inside it.
client domain DNS config: https://prnt.sc/r10i31 (is it right?)
incoming: imap
server hosname: should it be ServerName (mail.xxx.com) or ClientDomain (mail.ClientDomain.com)?
port: 143
SSL: STARTTLS
Authentication: normal password?
I'm using ServerName as imap/smtp
Most helpful comment
Any updates about this? I鈥檓 looking for a way to certify every mail.{domain}.com on my server