
Question Independent Secure E-Mail > Postfix / Dovecot MTAs > 1 Server Multiple Domains > Plesk

learning_curve

Silver Pleskian
Somebody will have already done this somewhere, we're sure...
Our setup is shown on our forum signature for reference.

Using the standard Plesk setup, certificates are created and stored to enable SSL e-mail by default. You can also secure the mail server using Let's Encrypt (as shown here) and you can change the default Postfix / Dovecot certificates (as shown here) but in all cases, we think they relate to just one domain url / name / ip address etc

We have one server with multiple domains. As we're looking forward to (hopefully) being totally TLSv1.3 soon (but still with TLSv1.2 backup for a while) we're pretty keen to solve the errors that our current setup can / may create e.g.
Code:
We can use this server
TLS is an option on this server
STARTTLS
220 2.0.0 Ready to start TLS
STARTTLS command works on this server
Connection converted to SSL
        SSLVersion in use: TLSv1_2
        Cipher in use: ECDHE-RSA-AES128-GCM-SHA256
        Certificate 1 of 3 in chain: Cert VALIDATED: ok
        Cert Hostname DOES NOT VERIFY (mail.mydomain.com != *.other.com | DNS:*.other | DNS:other)
        (see RFC-2818 section 3.1 paragraph 4 for info on wildcard ("*") matching)
        So email is encrypted but the host is not verified
        cert not revoked by CRL
        cert not revoked by OCSP
        serialNumber= * dot *
        subject= /CN=*.other
        issuer= /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL SHA256 CA
        Certificate 2 of 3 in chain: Cert VALIDATED: ok
        cert not revoked by CRL
        cert not revoked by OCSP
        serialNumber=* dot *
        subject= /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL SHA256 CA
        issuer= /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc.
        For authorized use only/CN=GeoTrust Primary Certification Authority - G3
        Certificate 3 of 3 in chain: Cert VALIDATED: ok
        cert not revoked by CRL
        cert not revoked by OCSP
        serialNumber=* dot *
        subject= /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc.
        For authorized use only/CN=GeoTrust Primary Certification Authority - G3
        issuer= /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc.
        For authorized use only/CN=GeoTrust Primary Certification Authority - G3
That's a sanitised but true example report. The issue is that the mail.mydomain.com URL is on a different domain than the one used by other.com, hence the non-verification error in the report.

This also applies even to normal domain ssl/tls server tests where the non-verification error is reported, but isn't a big factor in the overall security rating on say Qualys.SSL etc (as all the separate certificates are all valid anyway...)

Our thoughts are...

There must already be lots and lots of people using Independent Secure E-Mail > Postfix / Dovecot MTAs > 1 Server Multiple Domains > Plesk but not having their server named as a sub-domain of one of their domains? What do you do?

1) Now that wildcard certificates are available from Let's Encrypt at no extra cost :) we should replace ALL certificates on all domains, with new Let's Encrypt wildcard certificates and then re-name the server (because it is currently named as a sub-domain of other.com ;) The reason for that being, the server itself is then covered under the Purchased GeoTrust Wildcard Certificate for the most active domain on the server. We can then issue a new certificate for the new server name itself too. This will require a lot of thought prior to carrying out the changes, but it may then solve ALL verification checks (server and e-mail) from then on... we think :p

2) Modify Postfix and Dovecot independently... This looks to be a lot more difficult o_O

If anybody has done this already / got advice on it, or the two ways we've mentioned of changing it and/or a third way which we haven't seen yet... it would be great to read your posts.
 
I don't know how good your German is...
Google Translate is not too bad, no Torschlusspanik here :cool:
...but I wrote an article on how to secure the mail server for each domain: Plesk Onyx und der Mailserver. In the case of Postfix you need an IP per domain to secure them with the correct certificate.
That's a very useful and well explained guide. Thank you. Essentially, the Dovecot side looks straightforward by comparison, but the Postfix inability to select by name (only by IP address) that you mention is a setback :( We have a few IP addresses, but not one for each domain currently. Okay, we'll keep investigating.
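As an added illustration of the split described in the reply above (example configuration, not taken from the linked article, from Plesk or from the posters): Postfix without SNI support needs one listener per IP address, each pinned to its own certificate, while Dovecot can pick the certificate from the SNI name the client sends. The IP addresses 192.0.2.10/11, the hostnames and the certificate paths are constructed placeholders; each IP's PTR record should resolve to the hostname given to its listener.

```text
# /etc/postfix/master.cf (excerpt) -- constructed example
# Postfix (pre-SNI) cannot choose a certificate by name, so bind one smtpd
# per public IP and override the certificate for that listener.
# Remove the default "smtp inet ... smtpd" line: it would bind 0.0.0.0:25
# and conflict with the per-IP listeners below.
192.0.2.10:smtp inet  n  -  n  -  -  smtpd
  -o myhostname=mail.mydomain.com
  -o smtpd_tls_cert_file=/etc/ssl/mydomain/fullchain.pem
  -o smtpd_tls_key_file=/etc/ssl/mydomain/privkey.pem
192.0.2.11:smtp inet  n  -  n  -  -  smtpd
  -o myhostname=mail.other.com
  -o smtpd_tls_cert_file=/etc/ssl/other/fullchain.pem
  -o smtpd_tls_key_file=/etc/ssl/other/privkey.pem
# Repeat the same pattern for 192.0.2.10:submission / 192.0.2.11:submission
# (port 587) if clients submit mail through Postfix.

# /etc/dovecot/conf.d/10-ssl.conf (excerpt) -- constructed example
# Dovecot supports SNI: the default certificate is used when the client
# sends no server name, and each local_name block matches the name the
# client asked for (the name the client will also verify against).
ssl = required
ssl_cert = </etc/ssl/mydomain/fullchain.pem
ssl_key  = </etc/ssl/mydomain/privkey.pem

local_name mail.other.com {
  ssl_cert = </etc/ssl/other/fullchain.pem
  ssl_key  = </etc/ssl/other/privkey.pem
}
```

After reloading both services, the same STARTTLS check as in the report above, run against each hostname, should show the hostname verifying instead of "Cert Hostname DOES NOT VERIFY".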
 