Separate domain for SMTP? (Certificate invalid.)

Partially out of curiosity, and partially so that users would not need to change their settings if SMTP, IMAP, and web-based email access were ever delegated to different servers, I’d like to use different domain names for SMTP and IMAP access.

I’m able to get, let’s say, 99% of the way there by simply setting up email aliases for administrator@smtp.<domain> and administrator@imap.<domain> to administrator@mail.<domain>. (Creating these administrator aliases even creates the default abuse, admin, and postmaster aliases, which is nifty.) I’m able to then set up Let’s Encrypt certificates for each domain, but it appears these are only used for HTTP access.

What I see is that postfix and dovecot use the certificate /home/user-data/ssl/ssl_certificate.pem, which is an alias for /home/user-data/ssl/mail.<domain>-<expiration>.pem. This certificate, as the name implies, is only good for mail.<domain>, not smtp.<domain> or imap.<domain>.

It would be good enough for MIAB to simply generate a single certificate covering all three domains. (This is what I expected; given the rate limiting on Let’s Encrypt, I was surprised MIAB didn’t group the domains automatically.) It would be slightly better, though probably more complicated than it’s worth, to use each certificate for its intended use. (i.e. smtp.<domain> for mail submission and imap.<domain> for, obviously, IMAP).

Has anyone set something like this up? (Is it even possible without modifications to the MIAB scripts?)

When you get an SSL cert using the admin panel, it will only use that SSL cert for sites hosted by Mail in a box.

Some examples. Let’s use my web site, urgero.org:

  • urgero.org domain is hosted by Mail in a box (both web and email)
  • urgero.org/mail for webmail
  • urgero.org for smtp/imap/activesync

Now for another site, example.com:

  • example.com domain is NOT hosted by mailinabox, but email goes there
  • example.com/mail cannot be used for webmail, users must use the FQDN of mail in a box.
  • box.domain.com (Mail in a box server) can be used as the SMTP/IMAP/ActiveSync server when setting up mail.

Now for your other questions: Mail in a box will only generate SSL certs for domains it manages AND hosts.

So:
mail.example.com => Gets SSL
imap.example.com => NO SSL
smtp.example.com => NO SSL

This is because it is supposed to be even simpler than that: if your server also hosts the web site for your domain, you can use either mail.example.com OR example.com.

For the wildcard cert question: Mail in a box uses Let’s Encrypt, which only just started allowing wildcard certs to be generated this month.

Mail in a box also was not intended to be used in the way you describe. Just use mail.example.com as your SMTP & IMAP servers; those would never ever change, even when hosting the web services somewhere else.

With the aliases from administrator@smtp.<domain> and administrator@imap.<domain> to administrator@mail.<domain>, MIAB knows it’s hosting those domains and automatically obtains the appropriate certificates via Let’s Encrypt. The problem is, they’re only used for the web server. MIAB obtains separate certificates for each domain, and Postfix and Dovecot point at /home/user-data/ssl/ssl_certificate.pem, which is only valid for the box’s primary hostname, mail.<domain>.

I certainly don’t need a wildcard certificate. Let’s Encrypt will sign certificates with up to 100 names as long as they all verify. Since this still counts as only one of the 20 weekly requests allowed per domain, I was somewhat surprised to discover this wasn’t the default behavior (as opposed to obtaining separate certificates per domain). It would actually be sufficient in my case (perhaps even better) to keep the separate certificates and just point Postfix and Dovecot at the appropriate ones, but this is definitely beyond what I would expect MIAB to offer.

I understand MIAB will always host everything under one box. My concern is about smoothing the transition to something else, should it be necessary in the future. Better to have everything point at separate domains now than deal with the fallout of having to change settings on potentially 100s of devices later. (I suppose there are ways around this, of course.)
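An added check, not code from the thread or from Mail-in-a-Box, for the situation described above: it connects to the submission port (587, STARTTLS) and the IMAPS port (993) with SNI set to the hostname you configured, reads the subjectAltName of the certificate the server actually presents, and applies the hostname-matching rule a mail client would, including the single-label wildcard rule. The hostnames passed on the command line and the ports are assumptions.

```python
import smtplib
import socket
import ssl
import sys
from typing import Iterable, List

def san_dns_names(peercert: dict) -> List[str]:
    """DNS names from the subjectAltName of an ssl.getpeercert() dict."""
    return [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]

def hostname_covered(hostname: str, names: Iterable[str]) -> bool:
    """Name matching in the RFC 6125 style that TLS clients apply: an exact
    match, or a wildcard that is the whole leftmost label and stands for
    exactly one label (*.example.com covers smtp.example.com, but neither
    example.com nor a.b.example.com)."""
    host = hostname.rstrip(".").lower().split(".")
    for name in names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) >= 3:
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False

def presented_names(host: str, port: int, starttls: bool) -> List[str]:
    """Connect with SNI set to `host` and return the DNS names on the
    certificate the server presents. The chain is still verified; only the
    hostname check is turned off so a mismatch is reported, not raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if starttls:  # submission port: plain SMTP first, then STARTTLS
        with smtplib.SMTP(host, port, timeout=10) as smtp:
            smtp.starttls(context=ctx)
            return san_dns_names(smtp.sock.getpeercert())
    with socket.create_connection((host, port), timeout=10) as raw:  # IMAPS
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return san_dns_names(tls.getpeercert())

if __name__ == "__main__":
    # usage (hostnames are assumptions): python check.py smtp.example.com imap.example.com
    for target in sys.argv[1:]:
        for port, starttls in ((587, True), (993, False)):
            names = presented_names(target, port, starttls)
            status = "ok" if hostname_covered(target, names) else "MISMATCH"
            print(f"{target}:{port} {status} SAN={names}")
```

A MISMATCH for smtp.<domain> with SAN=['mail.<domain>'] is exactly the symptom in the thread: the box serves its primary-hostname certificate on the mail ports regardless of the name the client connected to.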

Can you private message me? I want to run some tests to those domains you are talking of.

I went back to the single domain setup for the moment. (I’m still undecided on whether multiple domains are worth the trouble, assuming there’s actually a way to run MIAB in that configuration.)

What would you like to test? I’ll set things up again and PM you the domains.
