2

I have a server that runs a web server and an email server for multiple domains, and both services are configured to use SSL certificates from Let's Encrypt (for each domain the web server and the email server use the same certificate).

I want to go to a 2 server setup, and host the web server on one machine and the email service on another. To make this happen I believe I am going to run into these obstacles:

  • Certificate Management: I will need to be able to fetch duplicate certificates for each domain so that both machines can prove to be who they are, or possibly have the mail hosting machine get only certificates for mail.example.com instead of example.com and set this up for every domain
  • Send email from web server: some of the websites I need to host will have contact, login and registration forms, and these need to be able to trigger email messages. This seems to be the biggest problem as I do not know how I could configure Postfix on the web server to perhaps send them through the email server.

What would be the best way to decouple these services, and how would I be able to setup a server for each service without running into the problems I described?

goncalotomas
  • 123
  • 6
  • The default install of Postfix is send-only and can almost always be used as is. Just revert the configuration to the OS-shipped default. – Michael Hampton Mar 07 '18 at 17:43
  • This is new information for me, thanks for commenting. How would I be able to send email (without risk of they being labelled as spam) from the web hosting machine if my DNS records will say that `mail.mydomain.com` points to the other machine? I feel like I'm definitely missing something. – goncalotomas Mar 07 '18 at 18:19
  • You are mixing receiving and sending emails, they are different paths. The MX DNS record will let the world know how your domain receives emails. As for sending emails from servers in your domains, you "only" have to worry about PTR and SPF (in TXT records), or even maybe DKIM depending on what you do, to make sure that emails originating from your servers will get accepted by remote servers (and not refused because seen as spam, etc...) – Patrick Mevzek Mar 09 '18 at 01:53

2 Answers2

2

Certificates on a server consist of three parts:

First the private key: This is either generated by the application itself or using a tool like openssl. The private key is the most important part here and needs to be kept secret as everybody who has the key can impersonate your servers.

It is usually protected by a password.

Using the private key you generate a so called "CSR", that is a certification request. You send that to an authority to generate a certificate from it.

The request contains data about your company (Country, Location, Companyname, city, some of them optional) and all hostnames that the certificate should be valid for (1-n), this feature is called "subject alternative names

This certificate is the second part needed.

The third part is the certificate chain (meaning all the certificates that where involved when creating your certificate). You usually get the chain from the authority together with your certificate. Otherwise you can always download it from the website of the authority.

Knowing these facts it is easy to conclude that:

as long

  • as you have the three parts (most important the private key)
  • as your server software (mail server, web server, whatever) allows the import of an external private key
  • as the hostname of the server matches at least ONE of the subject alternative names in the certificate (or the certificate is a wildcard certificate)

you can use ONE Certificate for as many servers as you want to.

Decoupling is not a problem at all.

Tode
  • 1,013
  • 9
  • 13
  • Thank you for your reply. I already have in place Let's Encrypt certificates for my domains, which include the auto-renewal tool. If you're suggesting that I use the same certificate on both machines, can you please suggest a way I can keep both machines in sync? Or in this case would I need to copy it to the second machine every time I replace the certificate? – goncalotomas Mar 07 '18 at 18:16
1

You have already highlighted the main steps of this process: certificates and delegating mail services from web to mail server.

Regarding the certificates I would recommend to use different hostnames for mail and web server and as well different certificates.

As you are using Let's Encrypt - most use cases of its tools are for web servers. The ACME protocol needs a check that you are in control of your domain name. This works fine with web resources. The certbot (or any other tool supporting ACME) will put a simple file into your webroot and tells Let's Encrypt to check it via HTTP or HTTPS request.

For your mail server this doesn't work. But if you use any compatible DNS provider (such as Amazon Route 53 or DNS Made Easy or ...) you can do the same without a web server.

See following list regarding supported DNS provider plug-ins in Certbot:

--dns-cloudflare      Obtain certificates using a DNS TXT record (if you are
                      using Cloudflare for DNS). (default: False)
--dns-cloudxns        Obtain certificates using a DNS TXT record (if you are
                      using CloudXNS for DNS). (default: False)
--dns-digitalocean    Obtain certificates using a DNS TXT record (if you are
                      using DigitalOcean for DNS). (default: False)
--dns-dnsimple        Obtain certificates using a DNS TXT record (if you are
                      using DNSimple for DNS). (default: False)
--dns-dnsmadeeasy     Obtain certificates using a DNS TXT record (if you
                      areusing DNS Made Easy for DNS). (default: False)
--dns-google          Obtain certificates using a DNS TXT record (if you are
                      using Google Cloud DNS). (default: False)
--dns-luadns          Obtain certificates using a DNS TXT record (if you are
                      using LuaDNS for DNS). (default: False)
--dns-nsone           Obtain certificates using a DNS TXT record (if you are
                      using NS1 for DNS). (default: False)
--dns-rfc2136         Obtain certificates using a DNS TXT record (if you are
                      using BIND for DNS). (default: False)
--dns-route53         Obtain certificates using a DNS TXT record (if you are
                      using Route53 for DNS). (default: False)

See following example how it works for Amazon's Route53:

# set AWS API credentials
export AWS_ACCESS_KEY_ID="1234567890"
export AWS_SECRET_ACCESS_KEY="ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# create a certificate
certbot certonly --noninteractive --agree-tos -m webmaster@example.com \n
  --no-eff-email --dns-route53 --rsa-key-size 4096 \n 
  -d mail.example.com -d smtp.example.com -d imap.example.com

As you can see in the last line of my given example, Let's Encrypt supports multi domain certificates. If your mail server listens to multiple domains, you have to go this way. SMTP or IMAP doesn't support SNI like HTTPS does.

The second step is to forward your mail from your web server to the mail server. As its best practice to have for each service a separate server Linux/Unix will use local mail for many cases. So you should not remove Postfix entirely from your web server. Change the Postfix setup to the so called "satellite" setup. Here your Postfix will forward mails to a relay server and provides SMTP only for local services (socket and/or localhost:25).

If you are using Debian or Ubuntu you can reconfigure Postfix via:

dpkg-reconfigure postfix

In the satellite setup you will be asked for a mail relay server. Enter here the domain name of your new mail server (e.g. mail.example.com).

In your mail server setup you should enable the IP address of your web server as trusted source for mail relaying. A good approach is using the Postfix configuration directive permit_mynetworks.

Jens Bradler
  • 6,503
  • 2
  • 17
  • 13
  • Great answer, thanks! Can you please elaborate further on the DNS changes I would have to make to be able to get the certificates in the mail server? Can you recommend any guides/documentation for properly setting up postfix using your suggested "satellite" setup? – goncalotomas Mar 08 '18 at 11:32
  • I have added an example of how it works with Amazon's Route 53 as well as a list of current supported plug-ins for other DNS providers. – Jens Bradler Mar 11 '18 at 17:42