SSL Certificate name for ftp and email

I’m testing Sympl with a couple of non-critical domains. The hosted domains have their own LE certificates which work for the web site. I got FTPS to work, but note that FTP uses the certificate whose CN is the machine’s hostname, not the hosted domain.
Is that as it should be, or have I missed a way to assign the hosted domain certificate for FTP?

Related: I haven’t tried setting up IMAP or SMTP yet, but will that also need clients to use the machine hostname instead of the domain name in order to prevent a certificate mismatch? I remember that was a bit of problem with Symbiosis.

Update: the next version of pure-ftpd (not the one in Debian 10) will support SNI, which is intended to get round this problem.
Or does Sympl have a clever alternative that I’ve missed?
The question about IMAP and SMTP remains open, but I’m going to try that out now…

From what I remember, Sympl’s IMAP and SMTP servers both have SNI support.

Andy

Yes, the version of pure-FTPd with SNI support missed being included in Debian 10, so it’s a waiting game there, unfortunately.

This is correct!

Full SNI support for email is enabled by default in all versions of Sympl, and it’ll automatically adjust the configuration of Dovecot as needed.

Yes, confirmed and I have email working now. - thanks both!

Related question: Can Sympl get LE certificates for subdomains other than www (mail…, ftp…, for example)? Less important if it can’t be done easily, but I know LetsEncrypt can in principle do a single cert for a specified set of subdomains.

Edited to add: looks like including the www subdomain is hard coded into
/usr/lib/ruby/vendor_ruby/symbiosis/domain.rb - OK, I can live with that!

Yea, the www. Is hardcover in, but it’ll be configurable later on, and you don’t have to have the DNS pointing at the server.

if you want to add aliases (mail, ftp, etc) you can just add them as normal aliases (ie: symlinks to the target in /srv) and Sympl will update the cert with the extra names, although you may want a .htaccess redirect for any web traffic to them.

Thanks - I didn’t know making that kind of alias would add it to the certificate. Not worth the trouble for now, I think, but I might use it when subdomains become configurable for inclusion on the certificate.

It’s worth mentioning that there are plans to enable wildcard certificates via Let’s Encrypt also, so that would cover subdomans and anything else.

1 Like