
Feature Request - SSL Certificates per domain in Exim and Dovecot

Open huloza opened this issue 7 years ago • 12 comments

Feature Request

Hi guys, as you may know exim4 and dovecot use the default generated SSL certificate, and if you are using letsencrypt you can configure both to use it.

But it would be nice if every domain used its own SSL certificate, so that users can avoid the certificate mismatch warning from mail clients (Outlook, Thunderbird, etc).

I was researching about this topic and here are some notes that could be used.

1. Dovecot: multiple SSL certificates can be used in config:

local_name mail.example.com {
  ssl_cert = </usr/local/vesta/data/ssl_pool/mail.example.com.crt
  ssl_key = </usr/local/vesta/data/ssl_pool/mail.example.com.key
}

local_name mail.example2.com {
  ssl_cert = </usr/local/vesta/data/ssl_pool/mail.example2.com.crt
  ssl_key = </usr/local/vesta/data/ssl_pool/mail.example2.com.key
}

2. Exim multiple SSL Certificates with SNI in config:

tls_privatekey = ${if exists{/usr/local/vesta/data/ssl_pool/${tls_sni}.key}{/usr/local/vesta/data/ssl_pool/${tls_sni}.key}{/usr/local/vesta/ssl/certificate.key}}
tls_certificate = ${if exists{/usr/local/vesta/data/ssl_pool/${tls_sni}.pem}{/usr/local/vesta/data/ssl_pool/${tls_sni}.pem}{/usr/local/vesta/ssl/certificate.crt}}

Basically, if /usr/local/vesta/data/ssl_pool/example.com.key and /usr/local/vesta/data/ssl_pool/example.com.pem exist, those certificates will be used; if not, the default Vesta certificate (/usr/local/vesta/ssl/certificate.crt) will be used.

Note: I used the ssl_pool folder because it is easier to modify v-add-web-domain-ssl to drop a copy of the certs into that folder than to try to dynamically find the user config folder.

$tls_sni does the magic: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTtlssni

If you have another idea throw it :)

Regards!

huloza avatar Jun 09 '17 05:06 huloza
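The `${tls_sni}` value in the Exim expansion above is whatever the connecting client sent in its TLS handshake, so a resolver that turns it into a file name should validate it and make sure the result stays inside the pool directory. The following Python resolver is an added example, not code from the original post or from Vesta: it mirrors the fallback logic (per-domain .pem/.key pair from the pool, otherwise the default certificate) with that check. The pool path, the default key file name /usr/local/vesta/ssl/certificate.key and the sample pool contents are assumptions.

```python
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


@dataclass(frozen=True)
class TlsFiles:
    cert: Path
    key: Path
    per_domain: bool   # True when a pool entry was chosen, False on fallback


def valid_sni(sni):
    """Accept only a plain lower-case hostname; anything else triggers the fallback."""
    if not sni or len(sni) > 253:
        return False
    return all(_LABEL.match(label) for label in sni.split("."))


def resolve_tls_files(sni, pool_dir, default_cert, default_key):
    """Per-SNI pair from the pool if both files exist, else the panel's default pair."""
    pool = Path(pool_dir).resolve()
    fallback = TlsFiles(Path(default_cert), Path(default_key), False)
    name = (sni or "").lower().rstrip(".")      # SNI is case-insensitive; drop trailing dot
    if not valid_sni(name):
        return fallback
    cert = (pool / f"{name}.pem").resolve()
    key = (pool / f"{name}.key").resolve()
    # Both files must exist and must still sit directly inside the pool directory.
    if any(pool not in p.parents or not p.is_file() for p in (cert, key)):
        return fallback
    return TlsFiles(cert, key, True)


def build_sample_pool():
    """Constructed sample pool (placeholder files, not real certificates) for trying the resolver."""
    pool = Path(tempfile.mkdtemp(prefix="ssl_pool_"))
    for fname in ("mail.example.com.pem", "mail.example.com.key", "mail.example2.com.pem"):
        (pool / fname).write_text(f"placeholder for {fname}\n")
    return pool


if __name__ == "__main__":
    pool = build_sample_pool()   # mail.example2.com has no .key, so it must fall back
    for sni in ("mail.example.com", "MAIL.Example.com.", "mail.example2.com", "../etc/passwd", None):
        print(sni, resolve_tls_files(sni, pool, "/usr/local/vesta/ssl/certificate.crt",
                                     "/usr/local/vesta/ssl/certificate.key"))
```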

This will be very nice for mail ssl support

iamra avatar Jun 14 '17 04:06 iamra

Hi, any news about this feature?

suparub avatar Nov 07 '17 16:11 suparub

#1317 will be optional; otherwise, if that isn't enabled, could we add this as the default?

robindirksen1 avatar Nov 07 '17 16:11 robindirksen1

Solution for different SSL per IP address (which is probably better solution): https://help.directadmin.com/item.php?id=388 https://help.directadmin.com/item.php?id=389

dpeca avatar Feb 18 '18 03:02 dpeca

I think Mail SSL (exim + dovecot) for every domain should be default (at least for the DNS record mail.example.com), when the domain is created with Mail Support (check box on GUI when creating new domain), or when we add support for Mail in an already existing domain. Looking forward to seeing it implemented.

ifaist0s avatar May 08 '18 12:05 ifaist0s

Any updates about this? I’m looking for a way to certify every mail.{domain}.com on my server

fabiomlferreira avatar Jul 14 '18 20:07 fabiomlferreira

Two years have passed, and it seems that nothing moves... Too bad for a Control Panel that claims to be multi-domain!

Adesin-fr avatar Oct 25 '19 11:10 Adesin-fr

Help for the developers:

  • https://www.bynicolas.com/server/exim-multi-domain-dkim-custom-selector/
  • https://www.ryanschulze.net/archives/1728

tlcd96 avatar Oct 26 '19 20:10 tlcd96


Hi! Which data should I use to config thunderbird, for example? My scenario is: I have a single IP/host with many clients domains inside it. client domain DNS config: https://prnt.sc/r10i31 (is it right?)

incoming: imap server hostname: should it be ServerName (mail.xxx.com) or ClientDomain (mail.ClientDomain.com)? port: 143 SSL: STARTTLS Authentication: normal password?

I'm using ServerName as imap/smtp

snoofs avatar Feb 12 '20 02:02 snoofs

I (almost) love VestaCP!

But please, tell me why this hasn't been implemented... for 10 years!

Come on guys, I am noticing a horrible pattern of support with VestaCP. Called ignore unless otherwise specified. Give general answers to pawn people off until they no longer ask. Expect people to be satisfied when they have figured it out themselves.

Seriously?

I picked this up expecting things to be ready out of the box, not having to manually configure exim4 to create multiple imap and smtp. No one is even assigned to this issue, and it has been open for 5 years. And in my opinion it makes a lot of sense to implement it. But it seems the developers here don't want to lift a thumb.

Side notes, I have encountered many other concerns such as "I want to access VestaCP from port 80 or port 443, so I can login to the web panel with the domain name directly." - This causes the Nginx failed to restart, because it binds to the same port.

Basic knowledge, you can't reuse a port, I tried it myself, took me 30 minutes to realize why Vesta should run on an alternate port, because the panel cannot reuse the same port as the websites running on apache or nginx.

But not once did your team suggest that this was a possible configuration that causes a bug, over a basic implementation of the port 80.

Other issues, Cloudflare Origin SSL. Okay great, it works, but not for the panel. Cloudflare SSL is not straightforward, but the Panel is not saving and recognizing the certificate, for the panel. It's a bug, not an overly traumatizing one either, but this could be easily configured and implemented properly, if you were willing to spend the time.

For now, since I can use Origin SSL with the domains and access the Panel from IP:Port, I configured a Tor hidden service on my admin panel and then gave myself a Tor gateway tunnel instead for the admin panel, and kept IP privacy from Cloudflare in place. IP:Port works great too, but we might want to give customers a login point of entry. And Cloudflare SSL would keep that private, but not for an end user (where, say, I give a login panel to a subsidiary user). Thankfully I can just give them a hidden service and keep all the IP hidden, except for the MX record not being proxied.

Seriously though,

Can you please do upkeep on VestaCP. You have a very bare bones and raw setup for a web server. In fact you are steps ahead because of how well this integrates into Nginx, Apache, Exim, Dovecot, the battle is 90% done.

Exim is capable of creating HELO and separate DKIM for multiple domains. You can make dedicated SMTP out of each IP and input the PTR for the IP, if it is even any trouble and needs to go that far, because a separate DKIM and built-in Exim routing configuration would be sufficient to create the vanity IMAP and SMTP people are looking for.

But if the policy is "No one cares, so why should we?" and at best "You can do it yourself if you want" after "What is your problem, well then that is your problem" with no solution given. Horrible habits of business. You are giving a product, support it. Please. I will fork this myself if I have to.

The word is "lazy". 5 years. Still open. No one assigned. Come on.

SatoriHoshiAiko avatar Oct 06 '22 11:10 SatoriHoshiAiko

I had to change to https://hestiacp.com/ It's not perfect, but it's an updated VestaCP version

snoofs avatar Oct 06 '22 22:10 snoofs

Looks like this is never coming to VestaCP; finally moved to https://hestiacp.com/, which is very good now.

hassaan-dev avatar Feb 17 '23 07:02 hassaan-dev