[BlueOnyx:26095] Re: Best way to have users securely fetch and send e-mail
Michael Stauber
mstauber at blueonyx.it
Mon Apr 10 10:55:39 -05 2023
Hi Taco,
Nice to hear from you again! Hope you're doing well.
> I have been thinking about including all the mail.* hostnames in the
> ’server’ certificate, but LE certificates can only hold up to 100
> hostnames, so on servers with more than 100 domains/vhosts, this
> approach does not work well.
Yeah, this has its limits and it's better to do it "the right way". As
Chris mentioned: BlueOnyx 5210R and 5211R support SNI for email out of
the box.
So here is how to do it right on a 5210R or 5211R:
In "Server Management" / "Network Services" / "Email" switch your
BlueOnyx to "Postfix" instead of Sendmail, as Sendmail doesn't support
SNI, but Postfix does.
Now I'm stating the obvious: Have "Enable SMTPS Server", "Enable IMAPS
Server" and "Enable POPS Server" ticked to allow access to email via SSL.
Have an SSL certificate for the GUI under "Server Management" /
"Security" / SSL.
Under "Server Management" / "Maintenance" / "Server Desktop" configure this:
GUI access protocols: "HTTPS only"
Redirect to Server-Name: Ticked
This makes sure that if someone uses http(s)://<vsite-domain>/login he's
redirected to https://<server-name>:81/login without any certificate
mismatch.
Make sure all Vsites that you want to use Email via SSL on have their
own SSL certificate.
That way Postfix and Dovecot will use multiple individual SSL
certificates: The GUI's certificate and all certificates of all Vsites
that have SSL enabled and working. If you use LE certificates, you can
also have validity of said certificate for all Web- and Email Server
Aliases that the domain has assigned.
If a Vsite does not have an SSL certificate and is accessed by domain
via one SSL, it will fall back to using the GUI certificate and you get
the SSL certificate mismatch. But for anything else it'll just use the
right cert and there will be no mismatch.
This is explained in more detail here:
https://www.blueonyx.it/news/267/15/5210R-Postfix-SNI-for-email-and-Maildir/
https://www.blueonyx.it/news/266/15/5209R5210R-SNI-support-added-to-Dovecot/
Since January this year 5210R and 5211R now also have OpenDKIM support
built right into the GUI:
https://www.blueonyx.it/news/315/15/BlueOnyx-5211R-OpenDKIM-support-updated/
Plus the DNS management for TXT records has an SPF wizard, so you can
also easily generate SPF TXT records.
In case you're still on 5209R and are considering migrating to 5210R or
going straight to 5211R (much recommended!), then forget about CMU. We now
have "Easy Migrate" as a replacement and it works much better:
https://www.blueonyx.it/easy-migrate
In any case: Glad to have you back, and if you have any questions or
suggestions, you're always welcome to ask - either here or offlist.
--
With best regards
Michael Stauber
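Added here as an example (not code from the post or from BlueOnyx): a check an admin can run from a client after the steps above, to see which certificate Postfix/Dovecot present for each mail.<vsite> name and whether that name is covered by it, i.e. whether the GUI-certificate fallback and the resulting mismatch described above occurs. It assumes openssl on the client, mail hostnames of the form mail.<domain>, and the port and STARTTLS protocol you pass in (e.g. 993 for IMAPS, or 587 with smtp for STARTTLS).

```bash
#!/usr/bin/env bash
# Added example, not BlueOnyx's own tooling. Assumes openssl in PATH and
# that each Vsite's mail hostname is mail.<vsite-domain>.

# Returns 0 if hostname $1 is covered by the SAN list in $2 (space-separated
# DNS names; a wildcard is honoured only in the left-most label and only for
# exactly one extra label, as TLS clients apply it).
san_covers() {
  local name="$1" san
  for san in $2; do
    case "$san" in
      "$name") return 0 ;;
      \*.*)
        if [ "${name#*.}" = "${san#\*.}" ] && [ "${name%%.*}" != "$name" ]; then
          return 0
        fi ;;
    esac
  done
  return 1
}

# Connects to $2:$3 sending SNI name $1 (STARTTLS with protocol $4 if given,
# e.g. smtp/imap/pop3) and prints the DNS names from the leaf cert's SAN.
fetch_sans() {
  local sni="$1" host="$2" port="$3" proto="${4:-}"
  if [ -n "$proto" ]; then set -- -starttls "$proto"; else set --; fi
  openssl s_client -connect "$host:$port" -servername "$sni" "$@" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS://p' | tr '\n' ' '
}

# Reads Vsite domains from stdin and reports, per mail.<domain>, whether the
# server presented a cert covering that name or fell back to another one.
check_vsites() {
  local host="$1" port="$2" proto="${3:-}" domain name sans
  while read -r domain; do
    [ -z "$domain" ] && continue
    name="mail.$domain"
    sans=$(fetch_sans "$name" "$host" "$port" "$proto")
    if san_covers "$name" "$sans"; then
      echo "OK       $name"
    else
      echo "MISMATCH $name presented: ${sans:-<none>}"
    fi
  done
}

# Example run (needs network access to the server):
#   printf 'example.com\nexample.net\n' | check_vsites server.example.com 993
#   printf 'example.com\n' | check_vsites server.example.com 587 smtp
```

A MISMATCH line for a domain means the server answered that SNI name with a certificate that does not cover it, which is exactly the fallback-to-GUI-certificate case; the fix is to give that Vsite its own working SSL certificate as described above.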