Hello.

Let’s say my mail server (mail.mydomain.com) handles mail for user@domain1.com and user@domain2.com.

Do I need to resolve certificates for both domain1 and domain2 or is it always the mail server’s certificate that should be used regardless of the email address?

    • Best Answer (set by qneo)

    Yes, when your SMTP server communicates with others it needs to be trusted (to ensure its own crypto capabilities and authenticity). For this, SMTP uses its own certificate. This certificate's subject should be your server hostname. You can inspect which certificate SMTP uses with this command:
    echo | openssl s_client -connect name.mailserver.com:465 -servername name.mailserver.com 2>/dev/null

    Whatever mail is sent comes after this link is established, and in terms of the certificate for the SMTP server it does not matter if it's user@dom1.com or user@dom2.com; on this level you are using DKIM, SPF and DMARC to be trusted.

    Just a quick note. If you are using your own LE solution, be sure you are always loading the current certificate. Not sure about Mailcow, but other servers cache the certificate on startup and do not track source changes. There is a possibility you will need to restart the SMTP server to load the renewed cert. To test the expiration of the currently used cert you can use this command (this should apply to Dovecot as well, for IMAP etc.):
    echo | openssl s_client -connect name.mailserver.com:465 -servername name.mailserver.com 2>/dev/null | openssl x509 -noout -dates

In terms of mail, Mailcow will cover you 100%; you just need proper DNS configuration. The certificate (and key) is usually one per server.


Unfortunately not, acme generated a lot of access errors; in the end I had to sort out my own Let's Encrypt cert for the mail server.

But is this sufficient then for SMTP? For example, if mail is sent to user@somedomain.com, which my mail server handles, my mail server should send its own certificate (e.g. mail.mydomain.com, which is the MX of somedomain.com) and not the certificate of somedomain.com.

Have I understood you correctly?


    ETNyx: Not sure about Mailcow, but other servers cache the certificate on startup and do not track source changes. There is a possibility you will need to restart the SMTP server to load the renewed cert.

    This! mailcow does not automatically notice a certificate change; you need to restart 3 containers after changing the certificates:
    docs.mailcow.email: Advanced SSL - mailcow: dockerized documentation
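The two checks raised in this thread, the expiry of the certificate the SMTP server actually presents (the `openssl x509 -noout -dates` command in the accepted answer) and the "renewed on disk but the daemon never reloaded it" problem in the post above, can be scripted together. The following is an added example written for this thread; it is not mailcow's code and uses only the Python standard library. It assumes you pass the server hostname you connect to (the MX name, e.g. mail.mydomain.com), never one of the hosted mail domains, and it verifies the chain against the system trust store while doing the hostname match itself so a mismatch is reported rather than aborting the handshake. The optional third argument is the PEM file you believe the daemon should be serving; a fingerprint mismatch is the signal that a restart is needed.

```python
"""Check the TLS certificate an SMTP server really presents.

Added example for this thread (not mailcow's code). Standard library only.
Usage: python smtp_cert_check.py mail.mydomain.com [port] [/path/to/cert.pem]
"""
import hashlib
import smtplib
import socket
import ssl
import sys
import time


def _context() -> ssl.SSLContext:
    # Verify the chain against the system trust store, but do the hostname
    # comparison ourselves so we can report a mismatch instead of failing early.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch_starttls_cert(host, port=25, timeout=10):
    """Ports 25/587: plain SMTP first, then STARTTLS. Returns (cert_dict, der)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=_context())
        return smtp.sock.getpeercert(), smtp.sock.getpeercert(binary_form=True)


def fetch_implicit_tls_cert(host, port=465, timeout=10):
    """Ports 465 (SMTPS) / 993 (IMAPS): TLS from the first byte."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def _dns_match(pattern, hostname):
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one leftmost label, never the bare domain.
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname


def hostname_matches(cert, hostname):
    """True if the server name we connected to is in the SAN list (or the CN
    when the certificate has no SAN entries at all)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, hostname) for p in names)


def assess(cert, hostname, now=None):
    """Hostname match, validity window and whole days until expiry.
    `cert` is the dict returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "valid_now": not_before <= now < not_after,
        "days_left": int((not_after - now) // 86400),  # negative once expired
    }


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def served_matches_disk(served_der, pem_text):
    """True when the live server presents the same leaf certificate as the PEM
    file; False means the renewed cert was written but never reloaded."""
    start = pem_text.find("-----BEGIN CERTIFICATE-----")
    head, end, _ = pem_text[start:].partition("-----END CERTIFICATE-----")
    leaf = (head + end).strip()  # first block only, so fullchain.pem works too
    return sha256_fingerprint(served_der) == sha256_fingerprint(ssl.PEM_cert_to_DER_cert(leaf))


def main(argv):
    if len(argv) < 2:
        print(f"usage: {argv[0]} mail.mydomain.com [port] [/path/to/cert.pem]")
        return 2
    host = argv[1]
    port = int(argv[2]) if len(argv) > 2 else 25
    fetch = fetch_implicit_tls_cert if port in (465, 993) else fetch_starttls_cert
    try:
        cert, der = fetch(host, port)
    except ssl.SSLCertVerificationError as exc:
        print(f"chain does not verify against the system trust store: {exc}")
        return 1
    report = assess(cert, host)
    print(f"{host}:{port} sha256={sha256_fingerprint(der)}")
    print(f"  hostname in SAN/CN: {report['hostname_ok']}")
    print(f"  valid now: {report['valid_now']}, days until expiry: {report['days_left']}")
    if len(argv) > 3:
        with open(argv[3]) as fh:
            same = served_matches_disk(der, fh.read())
        print(f"  served cert == {argv[3]}: {same}" + ("" if same else "  (restart the service)"))
    return 0 if report["hostname_ok"] and report["valid_now"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the MX hostname and port 25 to see what a sending MTA sees, and with 465 for the submission port; running it against domain1.com or domain2.com is the wrong test, because no MTA ever opens a TLS session to those names. For mailcow, pointing the third argument at the certificate file the containers are supposed to serve turns the "did it reload?" question into a one-line check you can put in cron after each renewal.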

    Many thanks guys, greatly appreciated
