Closed naddika closed 8 months ago
If you don't want to use MTA-STS and autoconfig, you could disable MTA-STS for each domain (in domains.conf) and disable autoconfig (in mox.conf), and remove the key/cert pair in mox.conf for them. MTA-STS makes SMTP delivery with STARTTLS required, so I would try to keep that enabled. Autoconfig is useful for some email clients, making it easier to set up a new account. I would at least try to keep MTA-STS enabled.
Without MTA-STS and autoconfig, I think that should leave only 1 pair, for the hostname itself (if you have a 4th pair, for what domain is it?). KeyFile should point to privkey.pem. I'm pretty sure CertFile should point to chain.pem. It's likely fullchain.pem includes the root certificate, but there's no point sending that to TLS clients: Either they already have it and trust it, or they don't have it and won't trust it even if you send it.
Keep in mind the certificate should be for the hostname where mox is running (e.g. mail.yourdomain.example), not for your domain directly (so not for yourdomain.example). With a certificate for the domain, TLS certificate verification will fail during SMTP STARTTLS due to hostname mismatch.
Mox also includes a webserver. It can serve static files and serve as reverse proxy. It's easily configurable (through config file and web admin that updates the config file). It does transparent and cached compression. And it will automatically fetch TLS certificates for new domains you add, through Let's Encrypt. So it could be worth trying to use it. It has made my life simpler (I used to run nginx too).
Keep in mind that mox does not currently automatically refresh certificates from disk. So you should probably configure some kind of hook in the tool that fetches certificates (certbot?) that restarts mox after a certificate refresh.
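The restart hook suggested above, written out as an added example (this is not code from mox or certbot). It is a certbot deploy hook in Python: certbot runs deploy hooks after a successful renewal with `RENEWED_DOMAINS` (space separated) and `RENEWED_LINEAGE` (the `live/<name>` directory) set in the environment, and the hook restarts mox only when one of the names mox serves TLS for was actually renewed, so a renewal for an unrelated website on the same machine leaves the mail server alone. The hostnames, the systemd unit name `mox` and the use of `systemctl` are assumptions.

```python
# Added example, not part of mox or certbot: a certbot deploy hook that restarts
# mox only when a certificate mox actually serves has been renewed. certbot sets
# RENEWED_DOMAINS (space separated) and RENEWED_LINEAGE (the live/<name> directory)
# in the environment of deploy hooks. Hostnames, unit name and systemd are assumed.
import os
import subprocess
import sys

# Assumed: the names whose key/cert pairs are configured in mox.conf
# (the mail host itself and, if kept, the MTA-STS and autoconfig hosts).
MOX_TLS_NAMES = {
    "mail.yourdomain.example",
    "mta-sts.yourdomain.example",
    "autoconfig.yourdomain.example",
}
MOX_SERVICE = "mox"  # assumed systemd unit name


def renewed_mox_names(renewed_domains, mox_names=MOX_TLS_NAMES):
    """Return the subset of mox's TLS names present in certbot's RENEWED_DOMAINS.

    renewed_domains is the raw space-separated value certbot exports. DNS names
    are compared case-insensitively; an empty value yields an empty set.
    """
    renewed = {d.strip().lower() for d in renewed_domains.split()}
    return sorted(n for n in mox_names if n.lower() in renewed)


def main(environ=os.environ):
    hit = renewed_mox_names(environ.get("RENEWED_DOMAINS", ""))
    if not hit:
        print("renewal of %r does not touch mox; nothing to do" % environ.get("RENEWED_DOMAINS", ""))
        return 0
    print("renewed %s in %s, restarting %s" % (", ".join(hit), environ.get("RENEWED_LINEAGE", "?"), MOX_SERVICE))
    # mox does not re-read certificates from disk, so a restart is what picks them up.
    return subprocess.call(["systemctl", "restart", MOX_SERVICE])


if __name__ == "__main__":
    sys.exit(main())
```

Install it as an executable file under `/etc/letsencrypt/renewal-hooks/deploy/` (certbot runs everything in that directory after each successful renewal) or pass it with `--deploy-hook` on the certbot command line; dry-run it with `certbot renew --dry-run` to see the hook fire.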
> Mox also includes a webserver. It can serve static files and serve as reverse proxy. It's easily configurable (through config file and web admin that updates the config file). It does transparent and cached compression. And it will automatically fetch TLS certificates for new domains you add, through Let's Encrypt. So it could be worth trying to use it. It has made my life simpler (I used to run nginx too).
You suggest that I switch to the webserver of mox for multiple websites that I run on the same machine and for which I now use nginx?
> If you don't want to use MTA-STS and autoconfig, you could disable MTA-STS for each domain (in domains.conf) and disable autoconfig (in mox.conf), and remove the key/cert pair in mox.conf for them. MTA-STS makes SMTP delivery with STARTTLS required, so I would try to keep that enabled. Autoconfig is useful for some email clients, making it easier to set up a new account. I would at least try to keep MTA-STS enabled.
The question is also which certificate file of Letsencrypt to use for MTA-STS and Autoconfig.
> I'm pretty sure CertFile should point to chain.pem.
Didn't work. Worked with cert1 and fullchain1.
> You suggest that I switch to the webserver of mox for multiple websites that I run on the same machine and for which I now use nginx?
Yes. (: If it is an option of course. And that depends on whether you're using features of nginx that mox doesn't support. I've implemented everything I needed, but some more functionality could be added. Though mox is not going to be as configurable as nginx.
> The question is also which certificate file of Letsencrypt to use for MTA-STS and Autoconfig.
I think I don't understand the question. Your directory listing is for domain123.com. For MTA-STS I would expect a directory mta-sts.domain123.com with the same set of files as the listing earlier. And for autoconfig a directory autoconfig.domain123.com. For your mail host I would expect something like
> Didn't work. Worked with cert1 and fullchain1.
What was in those files? I would expect cert1 to be a single certificate, without intermediates. And chain1 to contain cert1 + 1 or more intermediates. And fullchain1 to be cert1 + intermediates + root. If using just cert1 seems to work, that may be because your devices happen to already know about the intermediates from other TLS connections. But not all devices may already know those intermediates, and some may see TLS connectivity issues. So I think you should load the intermediates.
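Rather than guessing from the filename what cert1, chain1 and fullchain1 contain, the bundles can be inspected. The following is an added example (not code from mox, certbot or this thread) covering both this question and the earlier KeyFile/CertFile advice: it splits each PEM file into certificates, walks just enough DER to pull out each certificate's issuer and subject Name, checks that every certificate is issued by the next one in the file, detects a trailing self-signed root, and then picks the bundle to point CertFile at: the one that starts with the server's own certificate (the leaf from cert.pem), carries the intermediates, and does not end in a root. The certificates it runs on are constructed, unsigned test data, and the `cert.pem`/`chain.pem`/`fullchain.pem` layout is my assumption about a certbot `live/` directory, not something the thread states.

```python
# Added example, not code from mox or certbot: inspect the PEM bundles in a
# certbot live/ directory and pick the one to point mox's CertFile at, i.e. the
# bundle that starts with the server's own certificate and carries the
# intermediates but not the root. A minimal DER walker locates issuer and subject;
# comparing their raw bytes is enough to see who issued whom. The certificates at
# the bottom are constructed, unsigned test data.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(text):
    """DER bytes of each certificate in a PEM file, in file order."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Raw DER issuer and subject Names of one X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }
    """
    _, tbs_pos, _ = _tlv(der, 0)
    _, pos, tbs_end = _tlv(der, tbs_pos)
    fields = []                             # (tag, element_start, element_end) per field
    while pos < tbs_end:
        tag, _, end = _tlv(der, pos)
        fields.append((tag, pos, end))
        pos = end
    if fields[0][0] == 0xA0:                # skip the optional explicit [0] version
        fields = fields[1:]
    _, i0, i1 = fields[2]                   # serial, signature, issuer, validity, subject
    _, s0, s1 = fields[4]
    return der[i0:i1], der[s0:s1]


def describe_bundle(leaf_der, pem_text):
    """Facts about a bundle that decide whether it is suitable as CertFile."""
    ders = pem_to_ders(pem_text)
    names = [issuer_and_subject(d) for d in ders]
    return {
        "count": len(ders),
        "starts_with_leaf": bool(ders) and ders[0] == leaf_der,
        # each certificate must be issued by the one that follows it
        "links_ok": all(iss == nxt_subj for (iss, _), (_, nxt_subj) in zip(names, names[1:])),
        # a self-signed last certificate is a root; clients already have it or never will
        "ends_with_root": bool(names) and names[-1][0] == names[-1][1],
    }


def choose_certfile(leaf_der, candidates):
    """candidates maps filename -> PEM text; returns the file to use as CertFile, or None."""
    for name, text in candidates.items():
        d = describe_bundle(leaf_der, text)
        if d["starts_with_leaf"] and d["links_ok"] and d["count"] >= 2 and not d["ends_with_root"]:
            return name
    return None


# ---- constructed test data: structurally valid but unsigned certificates ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + content


def _name(cn):
    """Name ::= SEQUENCE OF SET OF { commonName OID 2.5.4.3, UTF8String }"""
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))


SHA256_RSA = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))


def fake_cert(subject_cn, issuer_cn):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + SHA256_RSA + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
           + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + SHA256_RSA + _der(0x03, b"\x00"))


def to_pem(*ders):
    return "".join("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
                   % base64.encodebytes(d).decode() for d in ders)


LEAF = fake_cert("mail.yourdomain.example", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")

# Mirrors the certbot live/<name>/ layout I assume (cert, chain, fullchain), plus
# a bundle that also carries the root, to show why that one is not the one to use.
SAMPLE_FILES = {
    "cert.pem": to_pem(LEAF),
    "chain.pem": to_pem(INTERMEDIATE),
    "fullchain.pem": to_pem(LEAF, INTERMEDIATE),
    "bundle-with-root.pem": to_pem(LEAF, INTERMEDIATE, ROOT),
}
```

To run it against a real directory, read the files from `/etc/letsencrypt/live/<host>/` into the same `{filename: text}` dict, take `pem_to_ders(open("cert.pem").read())[0]` as the leaf, and call `choose_certfile`; `describe_bundle` on each file shows why a candidate was rejected (no leaf first, a broken issuer/subject link, a trailing root). The check deliberately compares raw Name bytes instead of verifying signatures, which is enough to answer "what is in this file" but is not a substitute for the TLS verification a client performs.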
1) Ok. But the webserver of Mox isn't an option.
2) Ok.
3) Mox wouldn't even start; it would fail at startup when I was using chain1 with "invalid format of the certificate" or something similar. With the other 2 it at least would start. But I haven't tested it in the browser yet.
mox, when run with the flag `-existing-webserver`, will generate this config:

And these existing LetsEncrypt ones:

Which of these should I add into the `mox.conf`? There're 4 pairs in `mox.conf`. Should I remove 3 of them leaving 1? And for the 1 left, which 2 out of the 4 in `/etc/letsencrypt/live/domain123.com` should I use in `mox.conf`? For instance, in nginx config I'll use the `fullchain` and `privkey` one. But `mox` requires a `chain` one which is different already.