
LetsEncrypt With Multiple Virtual Email Domains


If you are using LetsEncrypt to secure a mail server that hosts several domains, you will have found that every domain has to send its mail through the server's own hostname, rather than its own, in order to use TLS. This happens because Postfix can only use a single domain, and therefore a single certificate, for TLS/SSL.

In this post I describe a method of centralising the TLS certificate that allows each domain to use its own hostname for SMTP.

I make the following assumptions about the setup to be used:

  • The site manager is Virtualmin or Webmin
  • The web server is Apache (needed to serve the LetsEncrypt challenge file) with mod_rewrite enabled
  • You have access either to the configuration file for each domain or to its .htaccess file
  • The mail server is Postfix

I shall use the fictitious server example.com with the third-level domains mail and www. The virtual servers are first.org and second.net, with the same mail and www third-level names. All reside on the equally fictitious IP address 12.34.56.78.

When you request a certificate for a domain from LetsEncrypt, it attempts to place a small file with a random name, e.g. UKEcqpw7KO8N3b7TEiVQaoKXALlDv5F4CJF0QuEw27Q, in the web root of that domain at .well-known/acme-challenge/UKEcqpw7KO8N3b7TEiVQaoKXALlDv5F4CJF0QuEw27Q. It then tries to read the file back over HTTP from that same address and compares it with the original. Normally we would request a certificate for each third-level domain, including mail, and it would work.

Unfortunately, Postfix can only present a single certificate, so when a client connects to mail.first.org it is shown the certificate for mail.example.com, the name does not match, and the client reports an error. This can easily be solved by requesting one certificate covering mail.example.com, mail.first.org and mail.second.net, so that all three use the same certificate; however, LetsEncrypt only writes its challenge file to the web root of the first-named domain, and when it tries to read it back from the second and third domains in the list it fails.

We can solve this using Apache's mod_rewrite module: first we make mail.example.com the base for all mail certificates, then we redirect requests for mail.first.org and mail.second.net to mail.example.com. In this way LetsEncrypt can always find its challenge file.

The following snippet can be placed either in the .htaccess file in the root directory of each domain or, better, in each domain's configuration file.

Note: from the Apache HTTP Server Tutorial, ".htaccess files":

You should avoid using .htaccess files completely if you have access to httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block, as it will have the same effect with better performance.

So for all virtual mail servers:

    ...
    # Send all requests for a mail.* host to the main server.
    # The dot is escaped so the condition matches "mail." literally, and
    # the absolute URL in RewriteRule makes Apache issue an external redirect.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^mail\. [NC]
    RewriteRule ^(.*)$ http://example.com/$1 [L]
    ...


This takes any request for a host whose third-level name is mail, and only mail, and routes it to our main server, where the challenge file lives. Note that the rule as written redirects every request to a mail.* host, not just those for .well-known/acme-challenge/, so nothing else should be served under those hostnames. Now our users can use their own mail server hostname to send secure email.
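Before running the ACME client against all three mail hostnames, it is worth reproducing what LetsEncrypt does (write a file under the base web root, read it back from each name over HTTP) and confirming that the redirect above delivers it for every name in the list. The script below is an added example, not code from the original post or from LetsEncrypt, Apache or Virtualmin. It assumes that the ACME client writes challenge files into the base domain's web root (the path passed on the command line; /home/example/public_html is a made-up placeholder), that the redirect lands on the base host, and a script name of acme_preflight.py.

```python
"""Pre-flight check for a LetsEncrypt HTTP-01 challenge shared by several
mail hostnames (added example, not part of the original post).

Assumed usage, with a placeholder web root:

    python3 acme_preflight.py /home/example/public_html example.com \
        mail.example.com mail.first.org mail.second.net
"""
import pathlib
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def new_token():
    """Random URL-safe token in the same shape as the one in the post
    (43 characters for 32 bytes of randomness)."""
    return secrets.token_urlsafe(32)


def write_challenge(docroot, token):
    """Create a throw-away challenge file under the base domain's web root,
    mirroring what the ACME client does, and return its contents."""
    challenge_dir = pathlib.Path(docroot) / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    body = f"{token}.preflight".encode()
    (challenge_dir / token).write_bytes(body)
    return body


def urllib_fetch(url, timeout=10):
    """GET `url` over plain HTTP, following redirects as the validator does.
    Returns (status, final_url, body); status 0 means no HTTP reply at all."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl(), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.geturl(), b""
    except (urllib.error.URLError, OSError) as err:
        return 0, url, str(err).encode()


def preflight(names, token, expected, base_host, fetch=urllib_fetch):
    """Check every hostname that will appear in the certificate.

    A name passes when the request, after any redirect, ends on `base_host`
    with HTTP 200 and a body equal to `expected`. Returns {name: (ok, why)}.
    `fetch` is injectable so the logic can be exercised without a network.
    """
    results = {}
    for name in names:
        status, final_url, body = fetch(f"http://{name}{ACME_PATH}{token}")
        final_host = urllib.parse.urlsplit(final_url).hostname
        if status != 200:
            results[name] = (False, f"HTTP {status} from {final_url}")
        elif final_host != base_host:
            # Ended up in a web root the ACME client will not write into.
            results[name] = (False, f"ended on {final_host}, expected {base_host}")
        elif body != expected:
            results[name] = (False, "challenge body does not match")
        else:
            results[name] = (True, f"served from {final_url}")
    return results


def main(argv):
    docroot, base_host, names = argv[1], argv[2], argv[3:]
    token = new_token()
    expected = write_challenge(docroot, token)
    results = preflight(names, token, expected, base_host)
    for name, (ok, why) in results.items():
        print("PASS" if ok else "FAIL", name, why)
    return 0 if all(ok for ok, _ in results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A FAIL with "ended on" means the request was answered by a different web root than the one the ACME client writes into, which is exactly the failure the post describes for the second and third names; an HTTP 404 means the redirect did not fire at all for that host. Remove the throw-away file from .well-known/acme-challenge/ once the check passes.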
