[BlueOnyx:23991] Re: 5210R Updates: Postfix, SNI for Email and Maildir

f.kaegi at fairtalk.com f.kaegi at fairtalk.com
Sun Jun 14 17:11:10 -05 2020


Thanks Michael

>> But if you use Let's Encrypt this is very easy to solve: In the GUI go to
the Vsite in question. Go to "Services" / "Web" of that Vsite and make sure
that "Web Server Aliases" has all the aliases you want. Make sure to have
DNS A records for all of them.

Is it required that the DNS records are on the 5210R server? We have all our
DNS Zones on the Google Cloud DNS server.

Best regards
Felix

-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On Behalf Of Michael
Stauber
Sent: Saturday, 13 June 2020 18:32
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:23987] Re: 5210R Updates: Postfix, SNI for Email and
Maildir

Hi Felix,

> What do I need to do now to ensure that the users do not continue to 
> see "Internet Security Warning - The server you are connected to is 
> using a security certificate that cannot be verified. The target 
> principal name is incorrect."?
> 
> Should mail.Vsite be part of the web and/or email alias list before 
> issuing the Let's Encrypt certificate?

Dovecot and Postfix will use the SSL-certificates of the GUI and all Vsites.
So they will do SNI for every domain that all certificates are valid for.

If you have an SSL certificate for Vsite www.company.com that is only valid
for "www.company.com" and "company.com", then a user will still get a
certificate warning if he connects to any alias of that Vsite which the SSL
certificate doesn't cover. Such as mail.company.com for example.

But if you use Let's Encrypt this is very easy to solve: In the GUI go to
the Vsite in question. Go to "Services" / "Web" of that Vsite and make sure
that "Web Server Aliases" has all the aliases you want. Make sure to have
DNS A records for all of them.

Then click on "SSL" in the menu, click on the button "Let's Encrypt". If a
Vsite has at least one alias, you will see "SSL domain aliases" on that
page. It has two columns.

Move all Aliases that should be included in the SSL certificate request to
the left side.

That will then generate an SSL certificate that is valid for not only for
the FQDN of the Vsite, but for all Web Server Aliases as well.

You can also check /etc/postfix/vsite_ssl.map, as it will show all domain
names and aliases that Postfix will answer for with certificates.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx



More information about the Blueonyx mailing list