Let ecnrypt SSL with one IP

Questions and answers about how to do stuff
Post Reply
jamerson
Posts: 141
Joined: 19 Aug 2017 18:57
Location: kaaskop

Let ecnrypt SSL with one IP

Post by jamerson » 05 Dec 2017 00:35

Dear All,
Today we have implented the let's ecnrypt for our of our customers.
the Customer owns 1IP and we are using port 443 for the Exchange OWA.
does this means we won't be able to renew the SSL after it expired ?

the WAN IP has a PTR , A Record and MX record pointing to the Exchange.

Can you please advies either is the right configuration or we have to do something else?

Kind Regands
Julien
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

Zwabber
Posts: 60
Joined: 14 Feb 2016 21:26

Re: Let ecnrypt SSL with one IP

Post by Zwabber » 06 Dec 2017 08:24

Then you need a reverse proxy to host multiple HTTPS sites behind 1 ip address.
There are several solutions to built your own reverse proxy server like IIS, Nginx, Apache etc.

User avatar
pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: Let ecnrypt SSL with one IP

Post by pdwalker » 08 Dec 2017 07:34

And it's not simple, especially with OWA mixed in.

I've not yet been able to reverse proxy OWA (2007).

jase72
Posts: 20
Joined: 21 Jul 2017 09:06

Re: Let ecnrypt SSL with one IP

Post by jase72 » 08 Dec 2017 16:27

To "answer" a question with a question; can you (easily) configure efa on an alternate port?

User avatar
pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: Let ecnrypt SSL with one IP

Post by pdwalker » 08 Dec 2017 17:34

I believe so, yes.

If anyone has done it, could you speak up?

(Personally, I’d never leave the efa UI publically accessible)

Zwabber
Posts: 60
Joined: 14 Feb 2016 21:26

Re: Let ecnrypt SSL with one IP

Post by Zwabber » 08 Dec 2017 20:45

pdwalker wrote:
08 Dec 2017 07:34
And it's not simple, especially with OWA mixed in.

I've not yet been able to reverse proxy OWA (2007).
Thats right, it's not simple. If you use nginx as reverse proxy, i have a working config for OWA (2016) wich i can share/send if you want.

User avatar
pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: Let ecnrypt SSL with one IP

Post by pdwalker » 11 Dec 2017 04:13

Please!

It may not work with OWA 2007, but it's worth a shot.

Thank you!

Odon Garma
Posts: 29
Joined: 08 May 2017 14:10

Re: Let ecnrypt SSL with one IP

Post by Odon Garma » 11 Dec 2017 09:58

i'm running an IIS on the public IP. This Server is holding a reverse Proxy to OWA 2016, and a second reverse Proxy to EFA - works like a charme.

Greetz

jamerson
Posts: 141
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Let ecnrypt SSL with one IP

Post by jamerson » 05 Jan 2018 11:16

pdwalker wrote:
08 Dec 2017 17:34
I believe so, yes.

If anyone has done it, could you speak up?

(Personally, I’d never leave the efa UI publically accessible)
If the EFA is not publicly avaiallbe, how are the external users will be able to delever the blocked emails if they are on the go?
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

User avatar
pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: Let ecnrypt SSL with one IP

Post by pdwalker » 05 Jan 2018 18:13

If the EFA instance is not publicly available, then they cannot - unless they are running a VPN back to the office.

jamerson
Posts: 141
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Let ecnrypt SSL with one IP

Post by jamerson » 28 Jan 2018 01:35

pdwalker wrote:
05 Jan 2018 18:13
If the EFA instance is not publicly available, then they cannot - unless they are running a VPN back to the office.
Hi Paul we managed to get the EFA online.
i remember you advising not the leave the EFA availble to the internet.
if we dont allow port 443/80 the ssl of the efa won't be renewed.
can you correct me if i am mistaken ?
thank you
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

User avatar
pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: Let ecnrypt SSL with one IP

Post by pdwalker » 29 Jan 2018 06:43

That is correct.

In my case, my EFA instance is only allowed smtp connections from the outside world, so therefore I do not allow EFA to use let's encrypt. I am more than happy to have my browsers accept the efa self signed ssl certs, or ignore the browsers warning because I know it's my installation.

Also - see my previous comment about allowing the web interface to be accessed via the internet - any 0 day php/apache/mailwatch bug will leave your system exposed wide open, which is much less likely to happen(1) if that is not allowed to talk to the internet at all(2).

(1) I can think of scenarios where this still can be bypassed, but it's lower probability
(2) of course, smtp is exposed, but I suspect that the security of postfix is much, much, higher than a php based web interface

If I decided I wanted to run let's encrypt on my system, then I'd use a reverse proxy with ssl termination using nginx. nginx would handle the ssl encryption, and the let's encrypt certificates, while any requests to efa would be passed back to the efa box via nginx. This would allow me to either (a) expose efa to the internet and get let's encrypt running, or (b) not expose efa to the internet, but allow internal clients to connect to efa and use the let's encrypt certificate.

In the end, it really comes down to - what do you want to do with let's encrypt exactly and why?

jamerson
Posts: 141
Joined: 19 Aug 2017 18:57
Location: kaaskop

Re: Let ecnrypt SSL with one IP

Post by jamerson » 31 Jan 2018 14:57

Thank you Paul for the explain.
the users on the go( off office), sometimes they need to allow some blocked emails,if they open the EFA message to deliever a blocked email.
if the https/http not open on the internet it won't works.
i completely agree with you about exposing the EFA to the internet is not a smart idea even with a 128bit password.
can you advise a best solutions in order to get this well configured ?
Thank you
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!

User avatar
pdwalker
Posts: 1202
Joined: 18 Mar 2015 09:16

Re: Let ecnrypt SSL with one IP

Post by pdwalker » 31 Jan 2018 16:35

VPN, or don’t block possible spam. Let it through.

ClamAV catches most of the macro viruses and Trojan links, so unless your users are completely stupid, they’ll recognize spam and delete it rather than read and click on all the links.

That works for me and my users. We’d rather get some spam than miss an important email because it was flagged improperly and blocked.

Post Reply