Hybrid Exchange SSL Certificate - Acme

kadybee

I setup a hybrid environment for a domain with O365 - relaying non-existing mailboxes. The mail-flow is working correctly, yet Acme won’t issue a certificate (SAN) for that (relayed) domain.
I don’t know if that is expected behaviour or a glitch, yet, the issue is, those on the mailcow server are still wanting to use SOGO (webmail) yet don’t have an SSL Cert.

If I remove the relay setting, the Certificate is allocated as expected;
put the relay back on and the next time Acme runs that domain SAN certificate is removed.

The main host certificate is fine, just the SAN for the email domain.

The other thing I noticed was, the GUI shows the relay non-local:

Yet when editing the domain - all tickboxes are showing:

Not sure if that is expected behaviour either.

Thanks.

ETNyx

About generating certs, that’s what MC do,.. If you check code when you make domain as relay, this domain is marked as backupmx, for those domains automatic cert generation is skipped.

You can try to add them to ADDITIONAL_SAN in your mailcow.conf, this should bypass this backupmx filter. But you must be specific so you need to write there full fdqn

About your screenshot, it’s correct, what is your confusion there?

kadybee

ETNyx Thanks.
re the screen shot, I would have thought, for clarity, ‘Relay non-existing mailboxes’ would be the only one ticked. Not “relay all recipients” as well.

On the certificate, to me, if we are only relaying non-existing, it seems obvious that those that exist require a valid certificate. Thanks for the suggestion, I will hard-code that domain.

ETNyx

About that badge you have 4 state in theory and 1 of them is fully contradictory so in reality you have 3

Selective relay (all = OFF + non = OFF)
– Label is Relay
– Mails in database are relayed.
Full relay (all = ON + non = OFF)
– Labels is Relay all
– All mails for this domain are relayed (existence in database does not matter)
Split relay (all = ON + non = ON)
– Label is Relay Non-Local
– mails not in database are relayed, those in database are local delivery
– this label assuming you have those mailboxes on upstream server = non local

(all = OFF + non = ON) UI should prevent this state by force to Split relay

By me, labels are ok.