Partially out of curiosity, and partially so that users would not need to change their settings if SMTP, IMAP, and web-based email access were ever delegated to different servers, I’d like to use different domain names for SMTP and IMAP access.
I’m able to get, let’s say, 99% of the way there by simply setting up email aliases for administrator@smtp.<domain> and administrator@imap.<domain> to administrator@mail.<domain>. (Creating these administrator aliases even creates the default abuse, admin, and postmaster aliases, which is nifty.) I’m able to then set up Let’s Encrypt certificates for each domain, but it appears these are only used for HTTP access.
What I see is that postfix and dovecot use the certificate /home/user-data/ssl/ssl_certificate.pem, which is an alias for /home/user-data/ssl/mail.<domain>-<expiration>.pem. This certificate, as the name implies, is only good for mail.<domain>, not smtp.<domain> or imap.<domain>.
It would be good enough for MIAB to simply generate a single certificate covering all three domains. (This is what I expected; given the rate limiting on Let’s Encrypt, I was surprised MIAB didn’t group the domains automatically.) It would be slightly better, though probably more complicated than it’s worth, to use each certificate for its intended use. (i.e. smtp.<domain> for mail submission and imap.<domain> for, obviously, IMAP).
Has anyone set something like this up? (Is it even possible without modifications to the MIAB scripts?)
This is because it is supposed to be even simpler than that: if your server also hosts the web site for your domain, you can use either mail.example.com OR example.com.
For the wildcard cert question: Mail in a box uses Let’s Encrypt, which only just started allowing wildcard certs to be generated this month.
Mail in a box also was not intended to be used in the way you describe. Just use mail.example.com as your SMTP & IMAP servers; those would never ever change, even when hosting the web services somewhere else.
With the aliases from administrator@smtp.<domain> and administrator@imap.<domain> to administrator@mail.<domain>, MIAB knows it’s hosting those domains and automatically obtains the appropriate certificates via Let’s Encrypt. The problem is, they’re only used for the web server. MIAB obtains separate certificates for each domain, and Postfix and Dovecot point at /home/user-data/ssl/ssl_certificate.pem, which is only valid for the box’s primary hostname, mail.<domain>.
I certainly don’t need a wildcard certificate. Let’s Encrypt will sign certificates with up to 100 names as long as they all verify. Since this still counts as only one of the 20 weekly requests allowed per domain, I was somewhat surprised to discover this wasn’t the default behavior (as opposed to obtaining separate certificates per domain). It would actually be sufficient in my case (perhaps even better) to keep the separate certificates and just point Postfix and Dovecot at the appropriate ones, but this is definitely beyond what I would expect MIAB to offer.
I understand MIAB will always host everything under one box. My concern is about smoothing the transition to something else, should it be necessary in the future. Better to have everything point at separate domains now than deal with the fallout of having to change settings on potentially hundreds of devices later. (I suppose there are ways around this, of course.)
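The check behind the problem described in the post above, as an added example (not code from the thread or from Mail-in-a-Box): a certificate whose subjectAltName lists only mail.<domain> is not valid for smtp.<domain> or imap.<domain>, while a single certificate can carry all three names. The script builds two constructed self-signed certificates standing in for the Let’s Encrypt ones (the domain example.com and all file names are made up), lists each one’s SAN entries, and tests hostname coverage the way a mail client would, including single-label wildcards. It assumes OpenSSL 1.1.1 or newer for the -addext and -ext options. The live_cert_sans function is for checking what a real box presents when the connection carries SNI; it is defined but not run here.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Mail-in-a-Box itself.
# Assumes OpenSSL 1.1.1+ (-addext / -ext). example.com and the paths are made up.
set -eu

# Reduce an "X509v3 Subject Alternative Name" dump on stdin to one DNS name per line.
sans_from_stdin() {
    tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*//p'
}

# List the DNS names in a certificate file's subjectAltName extension.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sans_from_stdin
}

# Succeed if certificate $2 is valid for hostname $1: an exact SAN match, or a
# single-label wildcard for its parent (*.example.com covers imap.example.com
# but not a.imap.example.com, which is what TLS clients accept).
cert_covers() {
    host="$1"; pem="$2"
    parent="${host#*.}"
    cert_sans "$pem" | grep -qxF -e "$host" -e "*.$parent"
}

# Fetch the certificate a live server presents for NAME (sent as SNI) and list
# its SANs. Not run in this demo. On a real box:
#   live_cert_sans smtp.example.com 587 smtp     (STARTTLS submission)
#   live_cert_sans imap.example.com 993          (implicit TLS IMAP)
live_cert_sans() {
    starttls=""
    if [ -n "${3:-}" ]; then starttls="-starttls $3"; fi
    # shellcheck disable=SC2086
    openssl s_client -connect "$1:$2" -servername "$1" $starttls </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | sans_from_stdin
}

# Constructed self-signed certificate: $1 = output path prefix, $2 = SAN value.
make_cert() {
    openssl req -x509 -nodes -days 1 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=mail.example.com" \
        -addext "subjectAltName=$2" >/dev/null 2>&1
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Shape of the box's ssl_certificate.pem: the primary hostname only.
make_cert "$WORK/primary" "DNS:mail.example.com"
# The single combined certificate the thread asks for.
make_cert "$WORK/combined" "DNS:mail.example.com,DNS:smtp.example.com,DNS:imap.example.com"

for host in mail.example.com smtp.example.com imap.example.com; do
    for pem in primary combined; do
        if cert_covers "$host" "$WORK/$pem.pem"; then
            echo "$pem.pem covers $host"
        else
            echo "$pem.pem does NOT cover $host"
        fi
    done
done
```

For the "slightly better" variant of one certificate per service, both daemons can pick a certificate by the name the client sends in SNI: Postfix 3.4 and later with tls_server_sni_maps, Dovecot with a local_name block per hostname, each pointing at that name's own Let’s Encrypt files. live_cert_sans above is the way to confirm that the certificate actually presented for smtp.<domain> or imap.<domain> lists that name.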
I went back to the single domain setup for the moment. (I’m still undecided on whether multiple domains are worth the trouble, assuming there’s actually a way to run MIAB in that configuration.)
What would you like to test? I’ll set things up again and PM you the domains.