This is a welcome and long overdue workaround guide. I sampled SymJessie earlier this year but reverted to Symwheezy due to Let's Encrypt cert update nightmares and the requirement to use the FQDN for email settings. For me this presented the following issues:
- Domains cannot be migrated without major email account chaos
- For the mail settings use of the FQDN looks unprofessional and is difficult to input correctly
- Let's Encrypt cert updates cannot always be accepted by iPhone users
I was hoping that all of the above issues might be resolved with the advent of SymStretch but I gather not; particularly the SNI issue. As I'd really like to take advantage of SymJessie's enhanced security features I thought I'd better take another look, so I set up another SymJessie machine earlier this past week.
During the setup process I requested a Let's Encrypt certificate for the hostname vice using a self-signed certificate. I thought use of a Let's Encrypt certificate would overcome mail client certificate verification prompts/complaints. During connection to the mail server I'm receiving the same certificate verification prompts that are prevalent with self-signed certificates. Correct me if I'm wrong, but it does appear that the only way to overcome mail cert verification complaints would be to install a professional certificate, right?
BUT on the bright side at least I can now look at sites via https without browser complaints.
During my initial experience with SymJessie I categorically wasn't able to send mail from iPhone without setting the FQDN for mail out. However, some months on I'm now able to send from iPhone using example.com vice the FQDN for mail out; perhaps due to iOS updates. Moreover, this is using the vm's original configuration (without any config changes), but I'm seeing some cert verification complaints (perhaps because there's a mismatch between the FQDN Let's Encrypt cert and the example.com mail settings), right? On the plus side the iPhone is permitting use of the Let's Encrypt FQDN cert and I'm able to send and receive email!
More to follow as I get my head around Paul's workaround.
A few hours later:
I've just put Paul's Let's Encrypt cert for email and FTP workaround to the test using a spare domain on the server (seafreedom.com). Things went very smoothly until I ran the following command:
openssl s_client -connect localhost:21 -starttls ftp < /dev/null 2> /dev/null | grep "subject="
but the expected output (subject=/CN=seafreedom.com) failed to show for some reason!
Regardless, I tested the config changes. When connecting to the mail server a Let's Encrypt cert was presented bearing the name of seafreedom.com rather than the default FQDN! I thought we had it cracked, but there's a 'gotcha' - my Apple tablets and handhelds would not display an option for accepting/trusting the new certificate.
The guide works albeit previously established email accounts on tablets and handhelds might be unhappy about switching certs - the workaround in my case was to delete and reload the email account in order to force the 'trust cert option' to show. Quirky but at least it works!
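The verification prompts described in this post come from the mail client comparing the hostname it was configured with against the names in the certificate the server presents; a Let's Encrypt certificate issued for the machine's FQDN is perfectly valid, but it simply does not carry the name example.com. The following script is an added example (not part of the post above, and not from Paul's guide or Symbiosis) that reproduces that comparison offline: it parses the `subject=` line that the `openssl s_client ... | grep "subject="` check prints, and applies the RFC 6125 hostname-matching rules (subject alternative names take precedence over the CN; a wildcard only matches one left-most label). The certificate names and client settings used in `scenarios()` are constructed for illustration, modelled on the FQDN-versus-domain mismatch the post describes.

```python
"""Why a valid Let's Encrypt cert can still trigger mail-client warnings:
the client checks the configured server name against the cert's names.
Added example; all certificate names below are constructed, not real.
"""
import re
from typing import Iterable, Optional


def parse_openssl_subject(line: str) -> Optional[str]:
    """Extract the CN from an `openssl s_client` subject line.

    Handles both output styles:
      older OpenSSL:  subject=/CN=seafreedom.com
      newer OpenSSL:  subject=C = US, O = Let's Encrypt, CN = seafreedom.com
    Returns None when the line carries no CN (e.g. empty output because the
    STARTTLS handshake never completed, which is what an empty grep implies).
    """
    match = re.search(r"CN\s*=\s*([^/,]+)", line)
    return match.group(1).strip() if match else None


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID matching: case-insensitive, wildcard only as
    the entire left-most label, never matching the bare parent domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(hostname: str,
                          subject_cn: Optional[str] = None,
                          san_dns: Iterable[str] = ()) -> bool:
    """True if a client configured for `hostname` would accept the cert.

    When the certificate carries DNS subject alternative names the CN is
    ignored, as RFC 6125 section 6.4.4 and current clients do; the CN is only
    consulted for legacy certificates that have no SAN extension at all.
    """
    san_dns = list(san_dns)
    if san_dns:
        candidates = san_dns
    elif subject_cn:
        candidates = [subject_cn]
    else:
        return False
    return any(_name_matches(name, hostname) for name in candidates)


def scenarios() -> dict:
    """Constructed cases mirroring the post: the stock cert is issued for the
    VM's FQDN, the mail client is configured with the bare domain."""
    fqdn_cert = ["vm1.hosting.example.net"]          # Symbiosis default: hostname cert
    domain_cert = ["seafreedom.com"]                 # after the per-domain workaround
    wildcard_cert = ["*.seafreedom.com"]
    return {
        # client set to the domain, server presenting the FQDN cert -> warning
        "fqdn_cert_vs_domain_setting": cert_matches_hostname("seafreedom.com", san_dns=fqdn_cert),
        # client set to the FQDN -> accepted, which is why the FQDN had to be used
        "fqdn_cert_vs_fqdn_setting": cert_matches_hostname("vm1.hosting.example.net", san_dns=fqdn_cert),
        # per-domain cert and client both using the domain -> accepted
        "domain_cert_vs_domain_setting": cert_matches_hostname("seafreedom.com", san_dns=domain_cert),
        # a wildcard does not cover the bare domain
        "wildcard_vs_bare_domain": cert_matches_hostname("seafreedom.com", san_dns=wildcard_cert),
        "wildcard_vs_mail_host": cert_matches_hostname("mail.seafreedom.com", san_dns=wildcard_cert),
    }


if __name__ == "__main__":
    print(parse_openssl_subject("subject=/CN=seafreedom.com"))
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'WARNING (name mismatch)'}")
```

The practical reading of the results: a certificate obtained for the hostname is only free of warnings if the client's incoming and outgoing server settings use that exact hostname (or a name listed in its SANs). Getting a per-domain certificate, as the workaround does, or adding the mail hostname as an extra SAN on the Let's Encrypt certificate, fixes the mismatch; a commercial certificate is not required, only one whose names match what the client is configured to connect to.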