Resolved Multiple email certificates for multiple domains?

DanijelD

Basic Pleskian
Hi,
I have two domains as virtual hosts on same IP address.

I am getting a certificate error for the second domain when I try to check email (using MS Outlook). I can't permanently "accept" the certificate; it complains again and again. The certificate I created and self-signed is for imap.domain1.com, but the second email server is imap.domain2.com, so it complains.

How do I set separate email certificates for two domains? Is it possible at all?

Regards,
Danijel
 
Could you please tell us WHICH mail server you are using, so that suggestions can be specific?
 
Hi, how do I find that out?

I know that my certificates are in:
/usr/share/courier-imap (imapd.pem)
and in
/var/qmail/control (servercert.pem)
 
With qmail / courier-imap this is only possible if each domain reverses to a different IP. The configuration would then be to rename the imapd.pem file to "imapd.pem.XXX.XXX.XXX.XXX", where XXX... must be replaced with the IP which reverses to the desired domain. Be aware that this really only works if the reverse check points to the desired domain and IP both ways; otherwise you will get the answer that the domain doesn't match the certificate's domain name.
 
Thanks for help.
I don't have separate IP addresses.
I guess there is no solution to this problem. :-(
 
You might consider using dovecot instead, where you have the possibility to define certificates far better.

For example in a dovecot.conf you might use:
Code:
local mail.EXAMPLEDOMAIN_1.COM {
  protocol imap {
    ssl_cert = </etc/dovecot/private/003-imap-EXAMPLEDOMAIN_1.COM.pem
    ssl_key = </etc/dovecot/private/002-imap-EXAMPLEDOMAIN_1.COM-key.pem
    ssl_ca = </etc/dovecot/private/001-ca.pem
  }

  protocol pop3 {
    ssl_cert = </etc/dovecot/private/005-pop3-EXAMPLEDOMAIN_1.COM.pem
    ssl_key = </etc/dovecot/private/004-pop3-EXAMPLEDOMAIN_1.COM-key.pem
    ssl_ca = </etc/dovecot/private/001-ca.pem
  }
}

local mail.EXAMPLEDOMAIN_2.COM {
  protocol imap {
    ssl_cert = </etc/dovecot/private/007-imap-EXAMPLEDOMAIN_2.COM.pem
    ssl_key = </etc/dovecot/private/006-imap-EXAMPLEDOMAIN_2.COM-key.pem
    ssl_ca = </etc/dovecot/private/001-ca.pem
  }

  protocol pop3 {
    ssl_cert = </etc/dovecot/private/009-pop3-EXAMPLEDOMAIN_2.COM.pem
    ssl_key = </etc/dovecot/private/008-pop3-EXAMPLEDOMAIN_2.COM-key.pem
    ssl_ca = </etc/dovecot/private/001-ca.pem
  }
}
 
Hum, UFHH01, I followed your advice and changed from Courier to Dovecot in order to be able to set different certificates for various domains using the same IP address.

However, Dovecot seems to resolve the domain name given in dovecot.conf to its IP address...
When using command doveconf -n, I get:

Code:
local 164.132.xxx.xxx {
  protocol imap {
    ssl_cert = </usr/local/psa/var/certificates/cert-aCwhvB
    ssl_key = </usr/local/psa/var/certificates/cert-aCwhvB
  }
}
local 164.132.xxx.xxx {
  protocol pop3 {
    ssl_cert = </usr/local/psa/var/certificates/cert-aCwhvB
    ssl_key = </usr/local/psa/var/certificates/cert-aCwhvB
  }
}

Any advice to avoid this?
 
Hi acordier,

dovecot uses nameserver lookups to resolve the configuration, which you checked with "doveconf -n". If you set up "mail.EXAMPLEDOMAIN_1.COM", pls. make sure that the reverse check resolves to the corresponding IP. If the reverse check from the IP resolves to another FQDN, dovecot will certainly use the existing DNS settings, due to the fact that all communication between mail servers is based on these reverse checks.
 
dovecot uses nameserver lookups to resolve the configuration, which you checked with "doveconf -n". If you set up "mail.EXAMPLEDOMAIN_1.COM", pls. make sure that the reverse check resolves to the corresponding IP. If the reverse check from the IP resolves to another FQDN, dovecot will certainly use the existing DNS settings, due to the fact that all communication between mail servers is based on these reverse checks.
I'm not sure I understand: I have 2 different domains with the same IP address on one host, so the check from the IP address can only resolve to one of these.
As you can see in my sample, the problem is that dovecot uses the same certificate for both domains.
 
Hi acordier,

so the check from the IP address can only resolve to one of these.
Correct.

As you can see in my sample, the problem is that dovecot uses the same certificate for both domains.
And there is absolutely nothing you can do to change that.
My suggestion is to use MULTIPLE IPs on one server, with different certificates for your domains, each resolving back to a separate IP, where it is easier to use "dovecot" than "imap-courier".
There is no chance to "trick" that, because mail servers do not only do a handshake (HELO/EHLO) when they communicate; they check the reverse DNS entries as well (pls. read the whole thread).
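Added illustration, not taken from any post in this thread: a Dovecot `local { }` block, as used above, is matched against the IP address the client connected to, which is why `doveconf -n` shows the hostnames collapsed to `164.132.xxx.xxx` and both domains end up presenting the same certificate. Dovecot 2.2 and later can instead pick the certificate from the TLS SNI hostname the mail client sends in the handshake, using `local_name { }` blocks, so one IP can serve a correct certificate per domain. The domain names and file paths below are placeholders; this assumes a Dovecot version with SNI support and clients that send SNI (current Outlook, Thunderbird and iOS mail do), and a default certificate must still be set at top level for clients that do not.

```conf
# Added example: one certificate per mail hostname on a single IP, selected by TLS SNI.
# Assumes Dovecot 2.2+. Domain names and paths are placeholders, not real deployments.

ssl = required

# Fallback certificate: used when the client sends no SNI name, or an unknown one.
# Clients that do not send SNI will see this certificate and may warn, as in the thread.
ssl_cert = </etc/dovecot/private/imap-default.pem
ssl_key  = </etc/dovecot/private/imap-default-key.pem

# Presented when the client connects with SNI name imap.domain1.com
local_name imap.domain1.com {
  ssl_cert = </etc/dovecot/private/imap.domain1.com.pem
  ssl_key  = </etc/dovecot/private/imap.domain1.com-key.pem
}

# Presented when the client connects with SNI name imap.domain2.com
local_name imap.domain2.com {
  ssl_cert = </etc/dovecot/private/imap.domain2.com.pem
  ssl_key  = </etc/dovecot/private/imap.domain2.com-key.pem
}
```

To confirm which certificate each name gets, connect from outside with `openssl s_client -connect <server-ip>:993 -servername imap.domain2.com` and check the subject and subjectAltName of the certificate returned; `doveconf -n` keeps `local_name` blocks as written rather than resolving them to an IP.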
 