Email cert strategy

IT_Architect

Verified User
Joined
Feb 27, 2006
Messages
888
With HTTP/2, the multiple certs for the same IP couldn't be simpler to implement. However, is there a similar strategy we can use for Email? People can use mail.<mydomain.tld> in their clients for their incoming and outgoing email servers and it works, but the cert doesn't match, and they get warnings. They can log into your email server with mail.yourserver1.com and not have a problem. The problem comes in when you move them from mail.<yourserver1.tld> to mail.<yourserver2.tld> whereas if they had used mail.<mydomain.tld> they wouldn't have to change anything, but they would get the error. Am I missing something or is this still just a bit of a mess?

Thanks!
 

IT_Architect

Verified User
Joined
Feb 27, 2006
Messages
888
What I was hoping to hear is there is now something that works like HTTP/2 where you set up a secure connection on a shared IP using the domain name. This way, you could not only change servers and IPs, you could move from ABC Hosting to DEF Hosting, and nothing would need to change on the client devices. If with HTTP/2 you can do "domain.com" and "www.mydomain.com" along with Let's Encrypt on a shared IP, then it would be logical to employ a similar method with pop.mydomain.com, imap.mydomain.com, and smtp.mydomain.com. Currently, we either must go with mydomain.com and "Accept All Certificates" (which is getting less and less accepted), or use the email server/cluster name to match the certificate, which still breaks whenever you change hosting providers. Moreover, there is nothing logical about email users from MyDomain.com getting their email from AHoster.com, nor is it logical that anything should change on their end when they change hosting companies.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,267
Location
Maastricht
FTP is covered by SNI too, but you will need to use PureFTPd.
It works well as far as SNI is concerned, but unfortunately the SSL connection causes a decent decrease in transfer speeds.
 

IT_Architect

Verified User
Joined
Feb 27, 2006
Messages
888
I didn't get the notification in my email that you responded. This is phenomenal and exactly what I was looking for. I checked out the links. The last two are deprecated.

> It's not about HTTP/2. It is SNI, and DirectAdmin covers almost all services:
> - SNI for https client domains on port 2222
> - mail_sni for dovecot and exim sni certificates
> FTP is covered by SNI too, but you will need to use PureFTPd.

Don't they have ProFTPD working with SNI yet? I'd definitely rather have ProFTP. If DirectAdmin is moving to PureFTP, I'd like to hear why.

Thanks TONS!!!
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,932
Location
GMT +7.00
SNI with SSH? Really?

SFTP is managed by ProFTPd, and in this case SFTP does not require SNI at all, and neither does SSH. Or am I missing anything?
 

IT_Architect

Verified User
Joined
Feb 27, 2006
Messages
888
> SNI with SSH? Really? SFTP is managed by ProFTPd, and in this case SFTP does not require SNI at all, and neither does SSH. Or am I missing anything?

I believe I'm missing How to install mod_sftp into proftpd. In fact I was thinking about that in my last deployment and moved SSH so that virtual users could use the standard port. For some reason I didn't deploy it, and now I don't remember if it is because I ran into a problem doing it with FreeBSD 11.2 or I just forgot to. What I do know is nothing is listening on port 22 on that server.

1. With ProFTPd+mod_sftp, can I implement the following?

.../private_ftp
.../private_ftp/customer1
.../private_ftp/customer2
.../private_ftp/customer3
etc

Domain ftp virtual user "engineering" has access to .../private_ftp
Customer2 ftp virtual user has access starting at the base of his assigned folder, .../private_ftp/customer2

2. How can I disable FTP, and can it be done without disabling FTPS in the case some customers require it?

3. Since ProFTP can do SFTP, I would think it would make more sense to invest in SNI for ProFTP than PureFTP, and make ProFTP the default. What am I missing?

Thanks!
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,932
Location
GMT +7.00
When using SFTP from ProFTPd you are in the same boat as if you are using native FTP/FTPs: all the usernames/passwords, account settings, and access folders are still the same. The only thing that changes is the connection protocol and port.

So you still:

- manage access folder in DirectAdmin with SFTP by ProFTPd
- manage additional FTP usernames/passwords in DirectAdmin with SFTP by ProFTPd
- suspend/un-suspend FTP usernames/passwords in DirectAdmin with SFTP by ProFTPd

You disable FTP/FTPs by closing ports 20,21 in a firewall.

SFTP does not need SNI at all. It uses the same keys:

/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_ecdsa_key
/etc/ssh/ssh_host_ecdsa_key.pub
/etc/ssh/ssh_host_ed25519_key
/etc/ssh/ssh_host_ed25519_key.pub
/etc/ssh/ssh_host_rsa_key
/etc/ssh/ssh_host_rsa_key.pub

for host validation, as SSH does.
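
Added example, not part of the original posts: because SFTP clients validate the server by its SSH host key rather than a certificate, a server move is invisible to them only if the host keys listed above are carried over. This Python sketch computes the SHA256 fingerprint of a public host key and checks it against a client's pinned known_hosts entry; the hostname `sftp.example.com` and both sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct

def parse_pubkey(line):
    """Parse an OpenSSH public key line: 'type base64-blob [comment]'."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return key_type, blob

def fingerprint(line):
    """SHA256 fingerprint in the format `ssh-keygen -l` prints."""
    _, blob = parse_pubkey(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def client_will_warn(known_hosts_line, server_pubkey_line):
    """True if a client that pinned known_hosts_line would see a changed key."""
    # Unhashed known_hosts entry: 'hostnames type base64-blob'
    _, pinned = known_hosts_line.split(None, 1)
    return parse_pubkey(pinned) != parse_pubkey(server_pubkey_line)

def _sample_ed25519(seed):
    # Constructed sample: 32 bytes derived from a label, not a real host key.
    raw = hashlib.sha256(seed).digest()
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"

OLD_HOST = _sample_ed25519(b"old server")   # stands in for ssh_host_ed25519_key.pub
NEW_HOST = _sample_ed25519(b"new server")   # freshly generated key on the new box
KNOWN_HOSTS = "sftp.example.com " + OLD_HOST  # what the client pinned earlier

if __name__ == "__main__":
    print("old:", fingerprint(OLD_HOST))
    print("new:", fingerprint(NEW_HOST))
    print("keys carried over  ->", client_will_warn(KNOWN_HOSTS, OLD_HOST))
    print("keys regenerated   ->", client_will_warn(KNOWN_HOSTS, NEW_HOST))
```

Publishing the fingerprints from the old server before a migration gives customers something to compare against if their client does prompt.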
 

IT_Architect

Verified User
Joined
Feb 27, 2006
Messages
888
> When using SFTP from ProFTPd you are in the same boat as if you are using native FTP/FTPs: all the usernames/passwords, account settings, and access folders are still the same. The only thing that changes is the connection protocol and port.

That would be perfect.

> You disable FTP/FTPs by closing ports 20,21 in a firewall.

That would disable both FTP and FTPS, which might not be the end of the world. I'd have to ask the customers about that.

You have been a MASSIVE help. Thank YOU!!!
 