Not sure if this is a bug or an actual feature, but I noticed that every time we install a mailserver SSL on a mail. subdomain of a newly added addon, the “myhostname” in /etc/postfix/main.cf gets automatically set as that latest installed mailserver subdomain?
This was replicated and is happening in versions 2.3.8 and 2.3.9; I never noticed such an issue while using versions prior to these.
We have to manually change it back to the main actual hostname as setting it to random new add-on subdomain hostnames changes the HELO for emails and causes deliverability issues.
Is this a bug and if not, what’s even the purpose of this?
And more importantly - how to fix/avoid this? Is it safe to put “chattr +i /etc/postfix/main.cf” for disabling permissions of the file editing, or?
The SSL certificate for the mail server should not be issued repeatedly; it should only be issued for the domain against which your RDNS is set. If you watch the referenced video, I have explained this in detail → Achieve 10/10 Email score with CyberPanel!
Additionally, if you are trying to issue the certificate for configuring an email client, that follows a different procedure. CyberPanel handles this configuration automatically. For more details, you can refer to this article. → 6 - Self-signed SSL error on Outlook/Thunderbird
But this is a bit different - if there are multiple websites hosted on CyberPanel, we use each of their MAIL.domain.tld values as a hostname for configuring email clients, so installing mail server SSL on each of them is needed, otherwise the hostname won’t pass SSL ports, and the “manage SSL” section doesn’t allow issuing SSL on mail subdomains;
While doing this, we leave the postfix hostname as the main actual hostname of CyberPanel (for ex. srv5.main.tld) which has the PTR pointed against it.
We’ve used this approach for multiple hosted websites on a few different CyberPanel servers for about a year and never had any issues with this, besides noticing now that installing mailserver SSLs changes the postfix hostname, so we have to manually change it back. (emails pass 10/10 scores, everything is showing as configured properly on tests, deliverability is good)
Could you please elaborate on this, is this a wrong approach and if so, what should we do instead?
P.S. I have reviewed the articles attached, we have all domains set up correctly with DNS and on required mailing platforms, so that is not an issue.
Yes, this is exactly what I am saying. CyberPanel has likely automatically issued SSL for the main domains on your other VPS instances, as it usually does. However, the mail SSL should only be issued once for the main domain against which RDNS is set.
Sorry, I still don’t quite get your point? When new domains are added to the server, for migration purposes they are usually not yet pointed to CP VPS IPs, so we install main SSL (manage SSL section) on the main domain, and then mail server SSL for each addon’s mail. subdomain later, once we’re done with the migrations, so that way SSLs wouldn’t be installed automatically during adding, and if we don’t install mailserver SSLs on their mail subdomains, we can’t use them for configuring email clients with SSL ports, is that a bit clearer?
Whenever a domain is added in CyberPanel, it automatically creates its subdomains in the background. For example, if we create a website called cyberpanel.net in CyberPanel, it will automatically generate mail.cyberpanel.net, issue an SSL certificate for it, and configure it within Dovecot and Postfix.
Even if the DNS is not pointed at that time, CyberPanel periodically checks, and once the DNS is correctly pointed, it sets up the SSL. In this case, it might be a one-off issue. You can contact our support, and we will check it for you.
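For anyone who wants to catch the myhostname change discussed in this thread before it affects HELO, here is an added example (not posted by anyone in the thread and not CyberPanel code) that parses main.cf with Postfix's own rules and compares the resulting HELO name with the PTR hostname. The sample file content and the hostname mail.addon-example.tld are constructed; srv5.main.tld is the example hostname used above.

```python
import re

# Constructed sample of /etc/postfix/main.cf with two myhostname lines;
# Postfix uses the last one. mail.addon-example.tld is a made-up name.
SAMPLE_MAIN_CF = """\
# constructed sample, not a real server's configuration
myhostname = srv5.main.tld
smtpd_tls_cert_file = /etc/ssl/example/fullchain.pem
mydestination = localhost,
    localhost.localdomain
myhostname = mail.addon-example.tld
"""

def parse_main_cf(text):
    """Return {parameter: value} using Postfix rules: '#' lines and blank lines
    are skipped, a line starting with whitespace continues the previous
    parameter, and the last definition of a parameter wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def helo_name(params):
    """Name sent in HELO/EHLO: smtp_helo_name, which defaults to $myhostname."""
    value = params.get("smtp_helo_name", "$myhostname")
    expand = lambda m: params.get(m.group(1) or m.group(2), "")
    return re.sub(r"\$(?:\{(\w+)\}|(\w+))", expand, value)

def check_drift(text, expected):
    """Return None when the HELO name matches the PTR hostname, else the name found."""
    found = helo_name(parse_main_cf(text)).lower().rstrip(".")
    return None if found == expected.lower().rstrip(".") else found

if __name__ == "__main__":
    drift = check_drift(SAMPLE_MAIN_CF, "srv5.main.tld")
    print("OK" if drift is None else f"HELO name drifted to {drift}")
```

To run it against a live server, pass the contents of /etc/postfix/main.cf instead of the sample, for instance from a cron job after SSL issuance.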