Multiple domains without one TLS certificate containing all domain names as SAN

post-kuh

I need advice configuring my mailcow instance with another mail domain, which is not the mailserver domain.

I currently have a setup that is working fine, sending and receiving mails on all domains with no problems so far. The problem comes when trying to add a mailbox in Mozilla Thunderbird. The settings for mailserver only get correctly automatically configured for the mailservers domain (example.org). For other mail domains (like second.org), wrong server settings are getting configured automatically (Thunderbird thinks second.org is the mailserver). However, if I manually type in the correct server settings and hit apply, I get a warning, because the TLS certificate issued for srv.example.org does not match second.org, although I typed srv.example.org as servername. I read that you need to have one single TLS certificate with the other domains as SAN to solve this.

My question: how to configure the system properly without the need of having a said TLS certificate with all other registered domains as SANs? I don’t want to “expose” all my registered domains in that certificate. How are the big mail hosting providers doing this: if you buy a domain with mail hosting included, the mailhoster also does not have a single TLS certificate for his or her mailserver including every single domain on it.

I am hosting a mailcow instance on a server with FQDN srv.example.org. My DNS setup is the following (IPs and domains are exemplary):

For domain example.org
example.org A 1.2.3.4 example.org AAAA 2a00::1234 example.org MX 10 srv.example.org example.org TXT v=spf1 mx a -all _dmarc.example.org TXT v=DMARC1;p=reject;rua=mailto:reports@example.org dkim.example.org TXT v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkq[...] autoconfig.example.org CNAME srv.example.org autodiscover srv.example.org CNAME srv.example.org srv.example.org A 1.2.3.4 [1.2.3.4 PTR srv.example.org] srv.example.org AAAA 2a00::1234 [2a00::1234 PTR srv.example.org]

For second mail domain second.org
second.org A 1.2.3.4 second.org AAAA 2a00::1234 second.org MX 10 srv.example.org second.org TXT v=spf1 mx a -all _dmarc.second.org TXT v=DMARC1;p=reject;rua=mailto:reports@second.org dkim.second.org TXT v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkq[...] autoconfig.second.org CNAME srv.example.org autodiscover srv.second.org CNAME srv.example.org _autodiscover._tcp SRV 0 1 443 srv.example.org

I am thankful in advance for any ideas or approaches to solve this!

post-kuh

I solved the problem on my own and thought it would be useful to share here with you.

So first of all, I forgot about the fact that I am running a nginx reverse proxy outside mailcow-dockerized natively on my host system. This is because I have other services on my system that should also be accessible over HTTPS. In order to serve multiple websites listening on different domains/servernames, a centralized nginx reverse proxy is necessary.

Now to the point with the autoconfiguration of Thunderbird. Wenn you add a new mailbox to Thunderbird, it tries to get the server configuration via HTTPS from a webserver listening on the domain of the mailbox you want to add to Thunderbird. If you want to add mail@second.org, Thunderbird tries to get https://second.org/.well-known/autoconfig/mail/config-v1.1.xml. This file contains the parameters for protocols, ports and the mailserver Thunderbird should use. You can see all web requests from Thunderbird in the error console of it.

However, if you only have a nginx reverse proxy configuration exactly like this: https://docs.mailcow.email/post_installation/firststeps-rp/#nginx with just one SSL certificate for the mailserver domain, this would require the SSL certificate to contain all hosted mail domains as SAN, because it would be only valid for the mailserver domain (in this case example.org). The autoconfiguration would only work for the mailserver domain with no exception in Thunderbird, because the SSL certificate would be only valid for it. For the mailbox mail@example.org the resource https://example.org/.well-known/autoconfig/mail/config-v1.1.xml would be requested for autoconfiguration and the certificate would be valid, because its issued for (*.)example.org.

Solution 1: don’t use a reverse proxy but the nginx that comes shipped with mailcow-dockerized instead. In addition with the acme-container, it will request separate certificates for each domain for access to Mailcow-UI, SOGo, autoconfiguration files, calender paths, etc. [Haven’t tried this myself yet]

Solution 2: setup Traefik like stated here https://docs.mailcow.email/post_installation/firststeps-rp/#traefik-v2-community-supported. [Haven’t tried this myself yet]

Solution 3: serve the xml-file separately and statically with the nginx reverse proxy for each domain you added to your mailserver with corresponding servernames and different certificates. This means one nginx site for example.org with a SSL certificate issued for example.org, one nginx site for second.org with a SSL certificate issued for second.org etc.

The third solution is what I came up with, because it limits HTTPS access to only the xml-file needed for Thunderbird autoconfiguration, which I find convenient. I added access for SOGo with another nginx site listening under a specific servername and Mailcow-UI access with yet another nginx site, which is only accessible over a secured VPN tunnel.

If you have questions, remarks or you found this helpful, feel free to leave a reply here.

Tokukarin

After you helped me on the other thread I thought about that I need to create manually the xml files and serve them somehow.

Then I started crying because I have to do this for 5 domains and add them separately to my reverse proxy with the SAN certificate that I have. And If something changes I have to update them all separately and are not allowed to forget that.

Then I read this post where you posted some solutions, then I saw your third one and started crying again.

post-kuh

The xml-file can be the same for every domain. You just need separate nginx sites. This is an example xml-file for IMAP on port 993 and SMTP on port 465. You need to replace mail.example.org with the FQDN of your mailserver.

<?xml version="1.0"?><clientConfig version="1.1">

    <emailProvider id="mail.example.org">

      <domain>%EMAILDOMAIN%</domain>
      <displayName>Example.org Mailserver</displayName>
      <displayShortName>Example.org Mailserver</displayShortName>

      <incomingServer type="imap">
         <hostname>mail.example.org</hostname>
         <port>993</port>
         <socketType>SSL</socketType>
         <username>%EMAILADDRESS%</username>
         <authentication>password-cleartext</authentication>
      </incomingServer>

      <outgoingServer type="smtp">
         <hostname>mail.example.org</hostname>
         <port>465</port>
         <socketType>SSL</socketType>
         <username>%EMAILADDRESS%</username>
         <authentication>password-cleartext</authentication>
      </outgoingServer>

    </emailProvider>

</clientConfig>

Tokukarin

Would you be so kind as to explain this

post-kuh The xml-file can be the same for every domain.

Because I thought about doing 5 XML files with each their corresponding fqdn set. Also I just edited my reverse proxy that all 5 domains have their own file so that I can set custom locations on each of them.

post-kuh

An emailserver with the FQDN mail.example.org is not limited to sending emails for example.org only, but can send mails for other domains second.org third.org etc. if they have correct DNS records set.

Tokukarin

Little bit off topic but
Your xml file only shows imap and smtp.
Don’t you need the other protocols too, or did you just leave them out of the xml file for demonstration?

Because I would love to disable pop, but isn’t that still needed for receiving some emails?

post-kuh

You either get your mails from your server via IMAP or POP3. IMAP keeps the mails on the server, while POP3 keeps them locally on your mail client and deletes them from the server.

Tokukarin

So I am stupid because I thought something like this:

Someone sends me an email and my mailcow server receives them over pop3 or imap depending on what port the sending server uses.

I just realized that thanks to you and I am not joking that the server that sends the email looks for the mx record in the dns server.
Which also means that in the xml file I can change that thunderbird uses mail.mail.cow instead of pop3.mail.cow so that my SAN certificate is not as long as the way from the earth to the moon.

What a weird day I have today 😃

abu3baid

Can you help me with serving the xml-file separately and statically?
I am using Cloudpanel, i have mail.server1.com working fine, but thunderbird doesnt detect configs for admin@server2.com
so i created a static html file for the domain mail.server2.com, and i put the xml file inside htdocs/.well-known/autoconfig/mail/config-v1.1.xml

But this seems to not work. Can you help me please? Thanks.