[BlueOnyx:23987] Re: 5210R Updates: Postfix, SNI for Email and Maildir

Michael Stauber mstauber at blueonyx.it
Sat Jun 13 11:31:59 -05 2020


Hi Felix,

> What do I need to do now to ensure that the users do not continue to see
> "Internet Security Warning - The server you are connected to is using a
> security certificate that cannot be verified. The target principal name is
> incorrect."?
> 
> Should mail.Vsite be part of the web and/or email alias list before issuing
> the Let's Encrypt certificate?

Dovecot and Postfix will use the SSL-certificates of the GUI and all
Vsites. So they will do SNI for every domain that all certificates are
valid for.

If you have an SSL certificate for Vsite www.company.com that is only
valid for "www.company.com" and "company.com", then a user will still
get a certificate warning if he connects to any alias of that Vsite
which the SSL certificate doesn't cover. Such as mail.company.com for
example.

But if you use Let's Encrypt this is very easy to solve: In the GUI go
to the Vsite in question. Go to "Services" / "Web" of that Vsite and
make sure that "Web Server Aliases" has all the aliases you want. Make
sure to have DNS A records for all of them.

Then click on "SSL" in the menu, click on the button "Let's Encrypt". If
a Vsite has at least one alias, you will see "SSL domain aliases" on
that page. It has two columns.

Move all Aliases that should be included in the SSL certificate request
to the left side.

That will then generate an SSL certificate that is valid not only
for the FQDN of the Vsite, but for all Web Server Aliases as well.

You can also check /etc/postfix/vsite_ssl.map, as it will show all
domain names and aliases that Postfix will answer for with certificates.

-- 
With best regards

Michael Stauber
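
The coverage check described in the message above, as an added example that is not part of the original post or of BlueOnyx: it reports which of a Vsite's names the certificate does not cover, and can read the names a mail server actually presents for a given SNI name. The function names, the sample names and the use of port 993 (IMAPS with implicit TLS) are assumptions made for this example.

```python
import socket
import ssl

def name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive, '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a TLD such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered(cert_names, client_names):
    """Return the names clients connect to that no certificate name covers."""
    return [n for n in client_names
            if not any(name_matches(c, n) for c in cert_names)]

def served_names(host, sni, port=993):
    """DNS names in the certificate the server presents for this SNI name.
    Port 993 is an assumption. The chain is still verified against the system
    trust store; only the hostname comparison is left to uncovered()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed sample mirroring the case in the message: the certificate covers
# the FQDN and the bare domain, but users also connect to the mail alias.
CERT_NAMES = ["www.company.com", "company.com"]
ALIASES = ["www.company.com", "company.com", "mail.company.com"]

if __name__ == "__main__":
    for name in uncovered(CERT_NAMES, ALIASES):
        print(f"{name}: not covered, clients will see a certificate warning")
```

Against a live server, `uncovered(served_names(host, alias), [alias])` returns an empty list once the reissued certificate includes that alias.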


