Multiple domains without one TLS certificate containing all domain names as SAN

I need advice configuring my mailcow instance with another mail domain, which is not the mailserver domain.

I currently have a setup that is working fine, sending and receiving mails on all domains with no problems so far. The problem comes when trying to add a mailbox in Mozilla Thunderbird. The server settings only get configured automatically and correctly for the mailserver's domain (example.org). For other mail domains (like second.org), wrong server settings get configured automatically (Thunderbird thinks second.org is the mailserver). However, if I manually type in the correct server settings and hit apply, I get a warning, because the TLS certificate issued for srv.example.org does not match second.org, although I typed srv.example.org as the server name. I read that you need to have one single TLS certificate with the other domains as SANs to solve this.

My question: how do I configure the system properly without needing such a TLS certificate with all other registered domains as SANs? I don’t want to “expose” all my registered domains in that certificate. How do the big mail hosting providers do this? If you buy a domain with mail hosting included, the mail hoster also does not have a single TLS certificate for his or her mailserver including every single domain on it.

I am hosting a mailcow instance on a server with FQDN srv.example.org. My DNS setup is the following (IPs and domains are exemplary):

For domain example.org
example.org A 1.2.3.4
example.org AAAA 2a00::1234
example.org MX 10 srv.example.org
example.org TXT v=spf1 mx a -all
_dmarc.example.org TXT v=DMARC1;p=reject;rua=mailto:reports@example.org
dkim.example.org TXT v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkq[...]
autoconfig.example.org CNAME srv.example.org
autodiscover.example.org CNAME srv.example.org
srv.example.org A 1.2.3.4 [1.2.3.4 PTR srv.example.org]
srv.example.org AAAA 2a00::1234 [2a00::1234 PTR srv.example.org]

For second mail domain second.org
second.org A 1.2.3.4
second.org AAAA 2a00::1234
second.org MX 10 srv.example.org
second.org TXT v=spf1 mx a -all
_dmarc.second.org TXT v=DMARC1;p=reject;rua=mailto:reports@second.org
dkim.second.org TXT v=DKIM1;k=rsa;t=s;s=email;p=MIIBIjANBgkq[...]
autoconfig.second.org CNAME srv.example.org
autodiscover.second.org CNAME srv.example.org
_autodiscover._tcp SRV 0 1 443 srv.example.org

I am thankful in advance for any ideas or approaches to solve this!

    I solved the problem on my own and thought it would be useful to share here with you.

    So first of all, I forgot about the fact that I am running an nginx reverse proxy outside mailcow-dockerized, natively on my host system. This is because I have other services on my system that should also be accessible over HTTPS. In order to serve multiple websites listening on different domains/servernames, a centralized nginx reverse proxy is necessary.

    Now to the point with the autoconfiguration of Thunderbird. When you add a new mailbox to Thunderbird, it tries to get the server configuration via HTTPS from a webserver listening on the domain of the mailbox you want to add to Thunderbird. If you want to add mail@second.org, Thunderbird tries to get https://second.org/.well-known/autoconfig/mail/config-v1.1.xml. This file contains the parameters for protocols, ports and the mailserver Thunderbird should use. You can see all web requests from Thunderbird in its error console.

    However, if you only have an nginx reverse proxy configuration exactly like this: https://docs.mailcow.email/post_installation/firststeps-rp/#nginx with just one SSL certificate for the mailserver domain, this would require the SSL certificate to contain all hosted mail domains as SANs, because it would only be valid for the mailserver domain (in this case example.org). The autoconfiguration would only work for the mailserver domain with no exception in Thunderbird, because the SSL certificate would only be valid for it. For the mailbox mail@example.org the resource https://example.org/.well-known/autoconfig/mail/config-v1.1.xml would be requested for autoconfiguration and the certificate would be valid, because it's issued for (*.)example.org.

    Solution 1: don’t use a reverse proxy but the nginx that comes shipped with mailcow-dockerized instead. Together with the acme-container, it will request separate certificates for each domain for access to Mailcow-UI, SOGo, autoconfiguration files, calendar paths, etc. [Haven’t tried this myself yet]

    Solution 2: set up Traefik as stated here https://docs.mailcow.email/post_installation/firststeps-rp/#traefik-v2-community-supported. [Haven’t tried this myself yet]

    Solution 3: serve the xml-file separately and statically with the nginx reverse proxy for each domain you added to your mailserver, with corresponding servernames and different certificates. This means one nginx site for example.org with an SSL certificate issued for example.org, one nginx site for second.org with an SSL certificate issued for second.org, etc.

    The third solution is what I came up with, because it limits HTTPS access to only the xml-file needed for Thunderbird autoconfiguration, which I find convenient. I added access for SOGo with another nginx site listening under a specific servername and Mailcow-UI access with yet another nginx site, which is only accessible over a secured VPN tunnel.

    If you have questions, remarks or you found this helpful, feel free to leave a reply here.
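Solution 3 spelled out as one nginx site, as an added example (not the post author's own config and not from the mailcow docs); the certificate paths, the shared file location and the second.org names are assumptions. The second location covers the autoconfig.<domain> URL Thunderbird also tries, which the DNS records above already point at the server.

```nginx
# One site per hosted mail domain (repeat for example.org, third.org, ...).
# Assumed paths: certificates from certbot under /etc/letsencrypt, and the
# config-v1.1.xml from this thread stored once at /srv/autoconfig/config-v1.1.xml.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    # Names Thunderbird connects to for a mailbox @second.org: the bare domain
    # for the .well-known path and the autoconfig subdomain the DNS above
    # already CNAMEs to srv.example.org.
    server_name second.org autoconfig.second.org;

    # Certificate issued for second.org (+ autoconfig.second.org), so the
    # client's hostname check passes without listing second.org as a SAN
    # on the srv.example.org certificate.
    ssl_certificate     /etc/letsencrypt/live/second.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/second.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Exact-match locations: only the autoconfig document is reachable on
    # this vhost; nothing is proxied to mailcow's UI or SOGo from here.
    location = /.well-known/autoconfig/mail/config-v1.1.xml {
        default_type application/xml;
        alias /srv/autoconfig/config-v1.1.xml;
    }
    # Same file under the path Thunderbird requests on autoconfig.<domain>.
    location = /mail/config-v1.1.xml {
        default_type application/xml;
        alias /srv/autoconfig/config-v1.1.xml;
    }

    location / {
        return 404;
    }
}
```

Since the file is the same for every domain, only the server_name and certificate lines change per copy; the mailserver FQDN inside the XML stays srv.example.org for all of them.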

4 days later


After you helped me on the other thread I realized that I need to create the xml files manually and serve them somehow.

Then I started crying because I have to do this for 5 domains and add them separately to my reverse proxy with the SAN certificate that I have. And if something changes I have to update them all separately and must not forget any of them.

Then I read this post where you posted some solutions, then I saw your third one and started crying again.

The xml-file can be the same for every domain. You just need separate nginx sites. This is an example xml-file for IMAP on port 993 and SMTP on port 465. You need to replace mail.example.org with the FQDN of your mailserver.

<?xml version="1.0"?>
<clientConfig version="1.1">
  <emailProvider id="mail.example.org">
    <domain>%EMAILDOMAIN%</domain>
    <displayName>Example.org Mailserver</displayName>
    <displayShortName>Example.org Mailserver</displayShortName>

    <incomingServer type="imap">
      <hostname>mail.example.org</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <username>%EMAILADDRESS%</username>
      <authentication>password-cleartext</authentication>
    </incomingServer>

    <outgoingServer type="smtp">
      <hostname>mail.example.org</hostname>
      <port>465</port>
      <socketType>SSL</socketType>
      <username>%EMAILADDRESS%</username>
      <authentication>password-cleartext</authentication>
    </outgoingServer>
  </emailProvider>
</clientConfig>
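An added checker, not from the thread, that does for one mailbox what Thunderbird does: fetch the well-known file under the email domain with normal certificate verification, so a certificate valid only for the mailserver FQDN fails here the same way it warns in the client, then parse the file and expand the placeholders. The embedded XML is a constructed sample modelled on the file above; fetch_autoconfig needs network access and is only there to reproduce the client's behaviour.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET

AUTOCONFIG_PATH = "/.well-known/autoconfig/mail/config-v1.1.xml"

# Constructed sample modelled on the file posted above (same content for every domain).
SAMPLE_XML = b"""<?xml version="1.0"?>
<clientConfig version="1.1"><emailProvider id="mail.example.org">
  <domain>%EMAILDOMAIN%</domain>
  <incomingServer type="imap"><hostname>mail.example.org</hostname><port>993</port>
    <socketType>SSL</socketType><username>%EMAILADDRESS%</username>
    <authentication>password-cleartext</authentication></incomingServer>
  <outgoingServer type="smtp"><hostname>mail.example.org</hostname><port>465</port>
    <socketType>SSL</socketType><username>%EMAILADDRESS%</username>
    <authentication>password-cleartext</authentication></outgoingServer>
</emailProvider></clientConfig>"""


def parse_autoconfig(xml_bytes, email):
    """Parse config-v1.1.xml and expand Thunderbird's %EMAIL...% placeholders for one mailbox.
    Returns {"domain": ..., "imap": {...}, "smtp": {...}} keyed by each server's type attribute."""
    local, _, domain = email.partition("@")
    subst = {"%EMAILADDRESS%": email, "%EMAILLOCALPART%": local, "%EMAILDOMAIN%": domain}

    def expand(value):
        for placeholder, real in subst.items():
            value = value.replace(placeholder, real)
        return value

    root = ET.fromstring(xml_bytes)
    if root.tag != "clientConfig":
        raise ValueError("not a clientConfig document")
    result = {"domain": expand(root.findtext("./emailProvider/domain", ""))}
    for srv in list(root.iter("incomingServer")) + list(root.iter("outgoingServer")):
        result[srv.get("type")] = {
            "hostname": expand(srv.findtext("hostname", "")),
            "port": int(srv.findtext("port", "0")),
            "socketType": srv.findtext("socketType", ""),
            "username": expand(srv.findtext("username", "")),
        }
    return result


def fetch_autoconfig(email, timeout=10):
    """Fetch https://<emaildomain>/.well-known/... with full certificate verification, as
    Thunderbird does; a certificate valid only for srv.example.org raises SSLCertVerificationError."""
    domain = email.rpartition("@")[2]
    ctx = ssl.create_default_context()  # hostname check and CA verification are on by default
    with urllib.request.urlopen(f"https://{domain}{AUTOCONFIG_PATH}", timeout=timeout, context=ctx) as resp:
        return parse_autoconfig(resp.read(), email)
```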

    Would you be so kind as to explain this

    post-kuh The xml-file can be the same for every domain.

    Because I thought about doing 5 XML files, each with their corresponding FQDN set. Also I just edited my reverse proxy so that all 5 domains have their own file, so that I can set custom locations on each of them.

    An email server with the FQDN mail.example.org is not limited to sending emails for example.org only, but can send mails for other domains (second.org, third.org etc.) if they have correct DNS records set.

    A little bit off topic, but
    your xml file only shows IMAP and SMTP.
    Don’t you need the other protocols too, or did you just leave them out of the xml file for demonstration?

    Because I would love to disable POP, but isn’t that still needed for receiving some emails?

    You either get your mails from your server via IMAP or POP3. IMAP keeps the mails on the server, while POP3 keeps them locally on your mail client and deletes them from the server.

    So I am stupid because I thought something like this:

    Someone sends me an email and my mailcow server receives it over POP3 or IMAP depending on what port the sending server uses.

    I just realized, thanks to you (and I am not joking), that the server that sends the email looks for the MX record in the DNS server.
    Which also means that in the xml file I can make Thunderbird use mail.mail.cow instead of pop3.mail.cow so that my SAN certificate is not as long as the way from the earth to the moon.

    What a weird day I have today 😃

    a year later

    Can you help me with serving the xml-file separately and statically?
    I am using Cloudpanel. I have mail.server1.com working fine, but Thunderbird doesn’t detect configs for admin@server2.com,
    so I created a static html file for the domain mail.server2.com, and I put the xml file inside htdocs/.well-known/autoconfig/mail/config-v1.1.xml

    But this seems to not work. Can you help me please? Thanks.
