Serve certificate based on SNI

[shunkica]

Can Dovecot be configured to use the correct certificate based on SNI?

For example:

• domain1.com has MX mail.domain1.com
• domain2.com has MX mail.domain2.com

Both DNS records point to mailserver.com.

The docker-mailserver hostname is mailserver.com, but I also have Let's Encrypt certificates for mail.domain1.com and mail.domain2.com.

When I try to fetch email from mail.domain1.com or mail.domain2.com, my email client shows a warning that the server is using a certificate for mailserver.com.

I hope this is clear.

[casperklein]

Afaik only one certificate (file) can be used with DMS.

However, you can use a SAN certificate, containing all needed hostnames.

[shunkica]

This is what I ended up doing.

certbot certonly --cert-name mailserver.com -d mailserver.com -d mail.domain1.com -d mail.domain2.com

[polarathene]

Both DNS records point to mailserver.com.

The MX records point to A/AAAA records for the same zone (their domain), and those resolve to an IP for the server running DMS.

Is there a reason the MX records cannot point to a common DNS A/AAAA record that maps to DMS? If you were using a proprietary mail provider for example, you'd point your MX records to that service too.

For example, look at Github:

$ docker run --rm -it --dns 1.1.1.1 ghcr.io/natesales/q github.com MX

github.com. 1h MX 1 aspmx.l.google.com.
github.com. 1h MX 10 alt3.aspmx.l.google.com.
github.com. 1h MX 10 alt4.aspmx.l.google.com.
github.com. 1h MX 5 alt1.aspmx.l.google.com.
github.com. 1h MX 5 alt2.aspmx.l.google.com.

What is the requirement for your setup? If your server with DMS changes IP, all associated domains would need to update their records or fail to deliver mail.

You should only need one TLS cert, the one that is under your control to provision for DMS. Use the SAN approach as suggested, or if you do not own those domains then do as I've advised and configure like I just showed with Github, point MX records to the DNS domain that belongs to DMS, avoid indirection.

Dovecot does support SNI I think but DMS does not provide any means to manage that for you. You'd need to use user-patches.sh and update the config explicitly if you insist on that. You'd need the private keys for each domains TLS cert, so not much benefit vs a single cert with multiple domains (SAN) assigned which is the modern way to approach it AFAIK.

[shunkica]

I am migrating from cPanel, and that is just how it works there by default.
Most (or all) of the users have "mail.domain.tld" in their e-mail clients already set-up.
This is the reason for my requirement, compatibility with existing system.

Additionally, when you add IMAP mail account in some apps like Gmail on android, by default it will suggest "domain.tld" as both incoming and outgoing server.

I need to support all of these legacy configurations.

[polarathene]

I am migrating from cPanel, and that is just how it works there by default.
Most (or all) of the users have "mail.domain.tld" in their e-mail clients already set-up.
This is the reason for my requirement, compatibility with existing system.

If you are migrating, then you understand that you will need to provision new certs again in future right? How do you plan to do that? Why not just provision new certs today?

If you have users with [email protected] instead of [email protected] that might be a bit problematic but only if it overlaps with the DMS FQDN (hostname), if it doesn't it shouldn't matter.

As per our docs, you do not need TLS certificates for the mail domains that DMS manages, you only need a TLS certificate for the mail server itself that clients connect to. You could have [email protected] managed by DMS at the hostname mail.somewhere-else.net and the mail client would be configured to that hostname, and that is what the TLS certificate will be for.

The DNS MX record for example.com would point to mail.somewhere-else.net to have mail sent there, and an SPF record would also allow DMS from that hostname to send mail on behalf of example.com.

Does that all make sense? The email address of users is not related to the TLS certificate. Yes, your users would need to update their mail clients to connect to the new hostname, if you do not want to require them to do that you will need to continue to provision certificates for each separate FQDN you wish to support and that is why it was suggested you do so with a single certificate with SAN.

---

Additionally, when you add IMAP mail account in some apps like Gmail on android, by default it will suggest "domain.tld" as both incoming and outgoing server.

I need to support all of these legacy configurations.

I haven't tried the auto-discover feature that our docs mention, but that might handle that concern for you.

The answer is to provision a new certificate with all the domains you want to support. You will need to do this regardless when you move away from cPanel, why wouldn't you want to manage it with a single cert that supports all of them? (well up to 50 IIRC)

If that is not acceptable for you, DMS does not provide official support for using SNI to lookup different certs. You'll need to either manage that yourself via user-patches.sh or contribute support with appropriate tests. Alternatively, look at alternatives to DMS such as Stalwart, Mailu or MailCow.

EDIT: Just noticed your other response where you went with single TLS cert 👍