config ip:port with ssl-certificates for each domains


Post by ibuhmailuser » 2018-11-02 18:45

Hi,
I checked the forum entries to get the correct info to config ip:port with ssl-certificates for each domain.
But I can't get the info.

Status quo:
I have multiple domains on one hMailServer.
One domain has an ssl-certificate.
All works perfect.
Currently I have one IP set on the Server.

The current config is
0.0.0.0/465/SMTP/SSL/TLS/certificatedomain1
0.0.0.0/578/SMTP/SSL/TLS/certificatedomain1
0.0.0.0/993/IMAP/SSL/TLS/certificatedomain1
0.0.0.0/995/POP3/SSL/TLS/certificatedomain1


Questions:
Now, I want to support the other domains with ssl-certificates.
How can I do this?

I didn't understand how to config the ip:ports?
I want to use the ssl-default ports (465, 578, 993, 995) for each domain ssl-mail-configuration.

Do I need one IP for each Domain to config all domains with ssl-default ports (465, 578, 993, 995)?
Is this way possible?
like ...
x.x.x.1/465/SMTP/SSL/TLS/certificatedomain1
x.x.x.1/578/SMTP/SSL/TLS/certificatedomain1
x.x.x.1/993/IMAP/SSL/TLS/certificatedomain1
x.x.x.1/995/POP3/SSL/TLS/certificatedomain1

x.x.x.2/465/SMTP/SSL/TLS/certificatedomain2
x.x.x.2/578/SMTP/SSL/TLS/certificatedomain2
x.x.x.2/993/IMAP/SSL/TLS/certificatedomain2
x.x.x.2/995/POP3/SSL/TLS/certificatedomain2


Or is there another way which is much easier?


Post by Dravion » 2018-11-02 21:06

You need to add all your SSL certificates first, per domain, and assign them under Connections settings on each domain as a 2nd step.

Post by mattg » 2018-11-02 23:30

ibuhmailuser wrote: 2018-11-02 18:45
Questions:
Now, I want to support the other domains with ssl-certificates.
How can I do this?

You can't do this (and you don't need to - see below)

You can have 1 SSL cert per port, but you can't have multiple SSL certs per port


What I do (and what most ISPs, including gmail and Office365 do for their hosted domains)

Set one SSL cert for your server
Set it to the name of your RDNS (or PTR) entry, also the name in the 'local host name' in SMTP settings
Let's say that is 'mail.example.com'


You then set the MX record for all hosted domains to point to this same server. Like this

Domain = domain1.com
MX record = Priority 10, mail.example.com

Domain = domain2.com
MX record = Priority 10, mail.example.com

Domain = domain3.com
MX record = Priority 10, mail.example.com

Post by ibuhmailuser » 2018-12-05 13:49

Thanks a lot,
sorry for the late message.

Let me describe in my own words again what to do.
1. Assuming the mail server has the subdomain mail.xyz.tld (IP: x.x.x.x)
2. I uninstall the previous certificate for the particular subdomain. I install an SSL certificate for the mail server mail.xyz.tld (IP: x.x.x.x) and configure the different ports for SSL
3. I change all mx-entries for the different domains
Domain = domainX.com
MX record = Priority 10, mail.xyz.tld

That's all!

A question:
Can users continue to use their mail setting in the email client?
The users have e.g. mail.domainX.com set as mail server in the mail client.
Or do users have to set mail.xyz.tld?

I think the users can continue to use the previous MailServer mail.domainX.com.
Cause the DNS mx points to mail.xyz.tld


Post by Virinum » 2018-12-05 16:18

Hi!

First of all you should check the table at the bottom of this page: https://www.hmailserver.com/documentati ... to_install
  • SMTP 25 StartTLS (Optional)
  • SMTP via SSL/TLS 465 SSL/TLS
  • SMTP Submission 587 StartTLS (Required)
  • POP3 110 StartTLS (Required)
  • POP3 via SSL/TLS 995 SSL/TLS
  • IMAP 143 StartTLS (Required)
  • IMAP via SSL/TLS 993 SSL/TLS
So on port 587 (you have 578?) you should use "StartTLS (Required)" and not SSL/TLS.


There are different ways to deal with multiple domains and certificates. Here I describe two of them:

1.
My hMailServer is hosting 2 Domains:
  • domain1.com (main)
  • domain2.com
The MX-Records of domain1.com and domain2.com point to mail.domain1.com
mail.domain1.com points to the IP (1.2.3.4) of my server.
The RDNS of 1.2.3.4 is mail.domain1.com.
I have one certificate for mail.domain1.com. This certificate is used on all ports.
All users have to use mail.domain1.com for IMAP/SMTP/POP in their clients to connect to my server.

2.
My hMailServer is hosting 2 Domains again:
  • domain1.com (main)
  • domain2.com
The MX-Record of domain1.com points to mail.domain1.com, the MX-Record of domain2.com points to mail.domain2.com.
mail.domain1.com and mail.domain2.com point to the IP (1.2.3.4) of my server.
The RDNS of 1.2.3.4 is mail.domain1.com (my main domain, which is also entered as local host name. Remember you can have just one RDNS per IP-address)

For the clients I have the following records:
imap.domain1.com
imap.domain2.com
smtp.domain1.com
smtp.domain2.com
pop.domain1.com
pop.domain2.com

All of them point to 1.2.3.4.

Now I could have one certificate with Subject Alternative Name, which has all subdomains (mail.domain1.com, mail.domain2.com, imap.domain1.com, imap.domain2.com, ...).
All ports would use this one certificate.

Or you make one certificate for each protocol:
Port 25: Certificate with mail.domain1.com and mail.domain2.com
Port 465 and 587: Certificate with smtp.domain1.com and smtp.domain2.com
Port 143 and 993: Certificate with imap.domain1.com and imap.domain2.com
Port 110 and 995: Certificate with pop.domain1.com and pop.domain2.com


I hope this helps understanding how this works.
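
Added example, not part of the original thread and not hMailServer code: a Python check that every hostname in use on a port is covered by the subject alternative names of the certificate bound to that port, run over the two layouts described in the post above. The tables are constructed from the example names in that post, and the function and variable names are hypothetical.

```python
# Added example. All data below is constructed from the example names in the
# thread (domain1.com, domain2.com); nothing here is read from a real server.

def san_matches(pattern, host):
    """Hostname match as a verifying TLS client does it: a wildcard is only
    accepted as the entire leftmost label and covers exactly one label."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if p.startswith("*."):
        head, _, tail = h.partition(".")
        return bool(head) and tail == p[2:]
    return p == h

def uncovered(listeners, names_in_use):
    """Return sorted (port, hostname) pairs where the certificate bound to the
    port does not cover a hostname that clients or MX records use on it."""
    problems = []
    for port, hosts in names_in_use.items():
        sans = listeners.get(port, [])  # no listener: nothing can match
        for host in hosts:
            if not any(san_matches(s, host) for s in sans):
                problems.append((port, host))
    return sorted(problems)

# Layout 1: one certificate for mail.domain1.com on every port.
LAYOUT1 = {p: ["mail.domain1.com"] for p in (25, 110, 143, 465, 587, 993, 995)}
# Constructed case: one IMAP client was never changed from mail.domain2.com.
LAYOUT1_NAMES = {25: ["mail.domain1.com"], 587: ["mail.domain1.com"],
                 993: ["mail.domain1.com", "mail.domain2.com"]}

# Layout 2: one certificate per protocol, each listing both domains.
def _both(prefix):
    return [prefix + ".domain1.com", prefix + ".domain2.com"]

LAYOUT2 = {25: _both("mail"), 465: _both("smtp"), 587: _both("smtp"),
           143: _both("imap"), 993: _both("imap"),
           110: _both("pop"), 995: _both("pop")}
LAYOUT2_NAMES = {25: _both("mail"), 587: _both("smtp"),
                 993: _both("imap"), 995: _both("pop")}

if __name__ == "__main__":
    for name, listeners, names in (("layout 1", LAYOUT1, LAYOUT1_NAMES),
                                   ("layout 2", LAYOUT2, LAYOUT2_NAMES)):
        bad = uncovered(listeners, names)
        print(name, "OK" if not bad else "name mismatch: %s" % bad)
```

A pair reported by `uncovered` is a connection where a client that verifies the server name will show a certificate warning or refuse to connect.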
