NethServer / dev

NethServer issue tracker
https://github.com/NethServer/dev/issues

Configurable SANs in Mail TLS certificates #6913

Closed krejcar25 closed 2 months ago

krejcar25 commented 2 months ago

At this moment a certificate from Traefik (as far as I understood) is used for TLS communication with Postfix & Dovecot servers. However, the address used is often different from the hostname of the mail system. A user might want to use mail.example.com for access but the server itself might be on hostname server1.example.com. Multiple domains might be hosted on the same server, further proving this with, for user convenience, having a mail.example.net domain.

Proposed solution

The Mail app Settings interface should contain a section where names can be configured that are used to access the mail system, which would then be used to request the certificate. A simple textarea element where each line is one SAN in the certificate should be enough IMO.

Alternative solutions

The Mail app Settings interface might include a section where administrators can select which certificate of the ones Traefik currently has should be used instead of selecting it without user input. This would come paired with the ability to request a certificate from the configured ACME server (e.g. Let's Encrypt) with multiple SANs, maybe simply by delimiting the domains with a comma or a space.

See also

DavidePrincipi commented 2 months ago

INVALID

Hi Amelie, thanks for your proposals!

I'm closing this issue for now: as you pointed out, there are ongoing discussions on community and we are still far from implementation (https://nethserver.github.io/ns8-core/development_process/#issues).

Please join those discussions!
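The mismatch described in the opening comment can be checked offline. The following is an added example, not part of the thread and not NethServer code: it parses a one-name-per-line list like the proposed textarea and reports which names a certificate's SAN list does not cover. The function names and the sample SAN lists are hypothetical and constructed for illustration.

```python
# Added example; all names and SAN lists used with it are constructed sample data.
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_names(textarea):
    """Parse one DNS name per line; return normalized, de-duplicated names."""
    names = []
    for line in textarea.splitlines():
        name = line.strip().rstrip(".").lower()
        if not name:
            continue  # ignore blank lines
        labels = name.split(".")
        if len(name) > 253 or len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
            raise ValueError(f"not a valid DNS name: {line!r}")
        if name not in names:
            names.append(name)
    return names


def san_matches(san, name):
    """RFC 6125 style match: '*' only as the whole leftmost label, one label deep."""
    san = san.rstrip(".").lower()
    if san.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == san[2:]
    return san == name


def uncovered(textarea, cert_sans):
    """Return the client-facing names that no SAN in the certificate covers."""
    return [n for n in parse_names(textarea)
            if not any(san_matches(s, n) for s in cert_sans)]


if __name__ == "__main__":
    wanted = "mail.example.com\nmail.example.net\n"
    # Certificate issued only for the host name: both mail names are uncovered.
    print(uncovered(wanted, ["server1.example.com"]))
    # A wildcard for example.com covers only names directly under example.com.
    print(uncovered(wanted, ["server1.example.com", "*.example.com"]))
```

A mail client connecting to any name returned by `uncovered` would see a certificate name mismatch, which is the situation the issue asks to make configurable.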