[BlueOnyx:26098] Re: Best way to have users securely fetch and send e-mail

Taco Scargo taco at blueonyx.nl
Mon Apr 10 13:07:15 -05 2023


Hi Michael,

Thanks for the warm welcome back.
As you might have seen from my previous e-mail I discovered some of your very clear instructions myself, before reading your mail.

Nice to see it has progressed so much lately.

I will indeed be migrating from 5209R and wanted to see how I can make it as flawless as possible.
Initially I wanted to do the migration per site, but maybe a big-bang scenario is best with some announced downtime.
At least I can then retain the hostname as now all users use the server hostname to receive and send e-mail.

Thanks again!

Taco

> On 10 Apr 2023, at 17:55, Michael Stauber <mstauber at blueonyx.it> wrote:
> 
> Hi Taco,
> 
> Nice to hear from you again! Hope you're doing well.
> 
>> I have been thinking about including all the mail.* hostnames in the ’server’ certificate, but LE certificates can only hold up to 100 hostnames, so on servers with more than 100 domains/vhosts, this approach does not work well.
> 
> Yeah, this has its limits and it's better to do it "the right way". As Chris mentioned: BlueOnyx 5210R and 5211R support SNI for email out of the box.
> 
> So here is how to do it right on a 5210R or 5211R:
> 
> In "Server Management" / "Network Services" / "Email" switch your BlueOnyx to "Postfix" instead of Sendmail, as Sendmail doesn't support SNI, but Postfix does.
> 
> Now I'm stating the obvious: Have "Enable SMTPS Server", "Enable IMAPS Server" and "Enable POPS Server" ticked to allow access to email via SSL.
> 
> Have an SSL certificate for the GUI under "Server Management" / "Security" / SSL.
> 
> Under "Server Management" / "Maintenance" / "Server Desktop" configure this:
> 
> GUI access protocols: "HTTPS only"
> 
> Redirect to Server-Name: Ticked
> 
> This makes sure that if someone uses http(s)://<vsite-domain>/login he's redirected to https://<server-name>:81/login without any certificate mismatch.
> 
> Make sure all Vsites that you want to use Email via SSL on have their own SSL certificate.
> 
> That way Postfix and Dovecot will use multiple individual SSL certificates: The GUI's certificate and all certificates of all Vsites that have SSL enabled and working. If you use LE certificates, you can also have validity of said certificate for all Web- and Email Server Aliases that the domain has assigned.
> 
> If a Vsite does not have an SSL certificate and is accessed by domain via one SSL, it will fall back to using the GUI certificate and you get the SSL certificate mismatch. But for anything else it'll just use the right cert and there will be no mismatch.
> 
> This is explained in more detail here:
> 
> https://www.blueonyx.it/news/267/15/5210R-Postfix-SNI-for-email-and-Maildir/
> 
> https://www.blueonyx.it/news/266/15/5209R5210R-SNI-support-added-to-Dovecot/
> 
> Since January this year 5210R and 5211R now also have OpenDKIM support built right into the GUI:
> 
> https://www.blueonyx.it/news/315/15/BlueOnyx-5211R-OpenDKIM-support-updated/
> 
> Plus the DNS management for TXT records has an SPF wizard, so you can also easily generate SPF TXT records.
> 
> In case you're still on 5209R and consider migrating to 5210R or go straight to 5211R (much recommended!), then forget about CMU. We now have "Easy Migrate" as a replacement and it works much better:
> 
> https://www.blueonyx.it/easy-migrate
> 
> In any case: Glad to have you back, and if you have any questions or suggestions, you're always welcome to ask - either here or offlist.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
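As an added check (not part of this post, nor BlueOnyx's own code): a small Python script that connects to a mail server with the SNI name a client would use and reports whether the presented certificate's SAN list actually covers that name. Run it against each Vsite's mail hostname after the setup above and it will tell apart a Vsite that got its own certificate from one that fell back to the GUI certificate; all hostnames in it are constructed placeholders.

```python
import socket
import ssl

def covers_hostname(san_dns_names, hostname):
    """True if a dNSName SAN entry matches hostname ('*' matches one leftmost label only)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*" and len(labels) > 1:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False

def san_dns_names(peercert):
    """dNSName entries from the dictionary returned by ssl's getpeercert()."""
    return [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]

def _read_reply(sock):
    """Read one (possibly multi-line) SMTP reply and return its last line."""
    data = b""
    while not (data.endswith(b"\r\n") and data.splitlines()[-1][3:4] == b" "):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data.decode(errors="replace").splitlines()[-1]

def probe(host, port=993, starttls=False, timeout=10):
    """Connect to host with SNI=host (993 IMAPS, 465 SMTPS, or 587 with
    starttls=True for Postfix submission) and return (covered, san_names)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still validated; we report the name mismatch ourselves
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if starttls:
            _read_reply(sock)                        # 220 banner
            sock.sendall(b"EHLO probe.invalid\r\n")  # constructed client name
            _read_reply(sock)                        # 250 ... STARTTLS
            sock.sendall(b"STARTTLS\r\n")
            if not _read_reply(sock).startswith("220"):
                raise RuntimeError("server refused STARTTLS")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            names = san_dns_names(tls.getpeercert())
    return covers_hostname(names, host), names
```

Example call: `probe("mail.vsite.example")` for IMAPS, or `probe("mail.vsite.example", 587, starttls=True)` for submission; a `False` first value with the GUI's server name in the list is the fallback case described in the post.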