On Thursday 06/06/2019 at 3:13 pm, Frank Bulk wrote: That’s great, thanks! So does the “G_SSL_LETS_EXCLUDE” need to list each item in “ssl_alias” to prevent a Lets Encrypt certificate being created for that domain? For example, if I had several domains where I wanted to use Lets Encrypt but wanted to exclude acme.com which had webmail.acme.com with an ssl_alias entry of “pop.acme.com, smtp.acme.com, mail.acme.com”, do I configure g_ssl_lets_exclude with just “mail.acme.com”, or do I need to list “mail.acme.com, pop.acme.com, smtp.acme.com, webmail.com”?
Yes list every name or alias to exclude.
Note that g_ssl_lets_exclude is not in your online documentation. I wish I could turn on Let’s Encrypt on a per-domain basis, rather than globally enable and selectively exclude. This would be much safer deployment approach for us … if we forget to exclude just one domain we may have “lost” its SSL certificate.
FYI, The ssl certificates for g_ssl_auto are placed in /surgemail/lets... not surgemail/ssl... , so there is double protection, it won't over-write any of the old certificates in the ssl folders, you might just have to copy them again to the lets folder path.
ChrisP.
Frank From: Support ChrisP <surgemail-support@netwinsite.com>
Sent: Friday, May 17, 2019 8:18 PM
To: surgemail-list@netwin.co.nz
Subject: RE: [SurgeMail List] g_ssl_auto feature - how? we don't support wildcard certificates in letsencrypt in surgemail, but we do allow aliases, just add ssl_alias settings to the domain in question for any needed aliases. On Saturday 18/05/2019 at 3:56 am, Frank Bulk wrote: Chris, I’ve just learned that an SSL certificate is only created with the domain listed in “url_host”. - We currently have an SSL certificate that includes webmail and SAN (subject alternative names) pop3, smtp, and imap. Is there support in SM for that? We really can’t stop doing that without creating a huge support nightmare. https://letsencrypt.org/docs/faq/
- What if we want a wildcarded LE certificate? https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578
Kind regards, Frank On 1/02/2019 11:35 AM, Frank Bulk wrote: Chris, Thanks, I had missed your previous response(s). Two follow up questions: - What happens if you forget to exclude those certain domains – are the certificates in the SSL directory ignored and those auto-generated in lets used?
Yes if you forget the setting it will probably over-write the ones you've coppied in with new letsencrypt ones. - And how do you “recover” if then want to have custom SSL certificates – do you just add them to g_ssl_lets_exclude, copy the files for that domain from the ssl directory to the lets directory, and execute “tellmail reload”? Or do you have to restart Surgemail?
Yes fix the exclude setting, copy them again from ssl to lets folder, and tellmail ssl_update should be sufficient. ChrisP. -
Frank Yes you can but it's a bit tricky. Step 1) You need a recent build 7.3p at least Step 2) You copy the ssl directory tree to the lets directory tree (or the relevant domains folders at least) Step 3) you set G_SSL_LETS_EXCLUDE "mail.xyz.com,mail.fred.com" On Tuesday 29/01/2019 at 3:42 am, Frank Bulk wrote: Any feedback on this? Can we turn this on only for those domains we don’t already have a separate certificate in place? Frank Thanks, I had been meaning to ask if we could turn this on only for domains that we don't already have a cert in place.
Frank
Sent from my Android phone using TouchDown (www.symantec.com)
-----Original Message-----
From: Jeff Crowe [jeff@wtccommunications.ca]
Received: Wednesday, 31 Oct 2018, 11:35AM
To: surgemail-list@netwinsite.com [surgemail-list@netwinsite.com]
Subject: [SurgeMail List] g_ssl_auto feature - how? Hi there, I have been looking for a fix for my broken Chrome SSL certs today and ran across this gem on the surgemail site: SurgeMail Version 7.3j2 or laterWith this version of surgemail ssl certificates are created and signed completely automatically for all domains, with one setting, no certbot or other external programs are required! What signing authority is being used? Is it lets encrypt built into surgemail? Will it enable add certs for all services like pop3, imap, smtp as well as https? Will it automatically new certs close to expiration? and lastly, where do I download this version? the current version on the download site is 7.3i2. Inquiring minds want to know!
|
