
Let's Encrypt SSL with one IP

Posted: 05 Dec 2017 00:35
by jamerson
Dear All,
Today we have implemented Let's Encrypt for one of our customers.
The customer owns 1 IP and we are using port 443 for the Exchange OWA.
Does this mean we won't be able to renew the SSL after it expires?

The WAN IP has a PTR, A record and MX record pointing to the Exchange.

Can you please advise whether this is the right configuration or we have to do something else?

Kind Regards
Julien

Re: Let's Encrypt SSL with one IP

Posted: 06 Dec 2017 08:24
by Zwabber
Then you need a reverse proxy to host multiple HTTPS sites behind 1 IP address.
There are several solutions to build your own reverse proxy server, like IIS, Nginx, Apache etc.

Re: Let's Encrypt SSL with one IP

Posted: 08 Dec 2017 07:34
by pdwalker
And it's not simple, especially with OWA mixed in.

I've not yet been able to reverse proxy OWA (2007).

Re: Let's Encrypt SSL with one IP

Posted: 08 Dec 2017 16:27
by jase72
To "answer" a question with a question: can you (easily) configure efa on an alternate port?

Re: Let's Encrypt SSL with one IP

Posted: 08 Dec 2017 17:34
by pdwalker
I believe so, yes.

If anyone has done it, could you speak up?

(Personally, I’d never leave the efa UI publicly accessible)

Re: Let's Encrypt SSL with one IP

Posted: 08 Dec 2017 20:45
by Zwabber
pdwalker wrote:
08 Dec 2017 07:34
And it's not simple, especially with OWA mixed in.

I've not yet been able to reverse proxy OWA (2007).
That's right, it's not simple. If you use nginx as a reverse proxy, I have a working config for OWA (2016) which I can share/send if you want.

Re: Let's Encrypt SSL with one IP

Posted: 11 Dec 2017 04:13
by pdwalker
Please!

It may not work with OWA 2007, but it's worth a shot.

Thank you!

Re: Let's Encrypt SSL with one IP

Posted: 11 Dec 2017 09:58
by Odon Garma
I'm running an IIS on the public IP. This server is holding a reverse proxy to OWA 2016, and a second reverse proxy to EFA - works like a charm.

Greetz

Re: Let's Encrypt SSL with one IP

Posted: 05 Jan 2018 11:16
by jamerson
pdwalker wrote:
08 Dec 2017 17:34
I believe so, yes.

If anyone has done it, could you speak up?

(Personally, I’d never leave the efa UI publicly accessible)
If the EFA is not publicly available, how will the external users be able to deliver the blocked emails if they are on the go?

Re: Let's Encrypt SSL with one IP

Posted: 05 Jan 2018 18:13
by pdwalker
If the EFA instance is not publicly available, then they cannot - unless they are running a VPN back to the office.

Re: Let's Encrypt SSL with one IP

Posted: 28 Jan 2018 01:35
by jamerson
pdwalker wrote:
05 Jan 2018 18:13
If the EFA instance is not publicly available, then they cannot - unless they are running a VPN back to the office.
Hi Paul, we managed to get the EFA online.
I remember you advising not to leave the EFA available to the internet.
If we don't allow port 443/80, the SSL of the EFA won't be renewed.
Can you correct me if I am mistaken?
Thank you

Re: Let's Encrypt SSL with one IP

Posted: 29 Jan 2018 06:43
by pdwalker
That is correct.

In my case, my EFA instance is only allowed smtp connections from the outside world, so therefore I do not allow EFA to use let's encrypt. I am more than happy to have my browsers accept the efa self signed ssl certs, or ignore the browser's warning because I know it's my installation.

Also - see my previous comment about allowing the web interface to be accessed via the internet - any 0 day php/apache/mailwatch bug will leave your system exposed wide open, which is much less likely to happen (1) if that is not allowed to talk to the internet at all (2).

(1) I can think of scenarios where this still can be bypassed, but it's lower probability
(2) of course, smtp is exposed, but I suspect that the security of postfix is much, much, higher than a php based web interface

If I decided I wanted to run let's encrypt on my system, then I'd use a reverse proxy with ssl termination using nginx. nginx would handle the ssl encryption, and the let's encrypt certificates, while any requests to efa would be passed back to the efa box via nginx. This would allow me to either (a) expose efa to the internet and get let's encrypt running, or (b) not expose efa to the internet, but allow internal clients to connect to efa and use the let's encrypt certificate.

In the end, it really comes down to - what do you want to do with let's encrypt exactly and why?
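The layout pdwalker describes above (nginx terminating TLS on the single public IP, holding the Let's Encrypt certificates, and passing requests back to the EFA box) and Zwabber's point earlier in the thread (one IP, several HTTPS sites) can both be written as one nginx configuration. The config below is an added example; it is not pdwalker's, Zwabber's or the EFA project's own configuration, and every hostname and address in it is an assumption (owa.example.com, efa.example.com, Exchange at 192.168.1.10, EFA at 192.168.1.20, office LAN 192.168.1.0/24, VPN clients 10.8.0.0/24). It implements option (b) from the post: the EFA UI gets a real certificate but is only reachable from the LAN and from VPN clients, while the HTTP-01 challenge path stays open on port 80 so renewals still work without exposing the UI.

```nginx
# Added example, not from this thread. nginx on the single public IP selects the
# server block by the TLS SNI hostname, so OWA and EFA share port 443.
# Assumed names/addresses: owa.example.com, efa.example.com, 192.168.1.10 (Exchange),
# 192.168.1.20 (EFA), 192.168.1.0/24 (office LAN), 10.8.0.0/24 (VPN clients).

# Port 80: only the ACME HTTP-01 challenge directory is served, so certbot can
# renew both certificates; every other request is redirected to HTTPS.
server {
    listen 80;
    server_name owa.example.com efa.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # certbot --webroot -w /var/www/letsencrypt
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Exchange OWA: reachable from anywhere, TLS terminated here and re-encrypted
# to Exchange on the LAN.
server {
    listen 443 ssl;
    server_name owa.example.com;

    ssl_certificate     /etc/letsencrypt/live/owa.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/owa.example.com/privkey.pem;

    client_max_body_size 50m;    # room for OWA attachments

    location / {
        proxy_pass https://192.168.1.10;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# EFA web UI, option (b) from the post: valid public certificate, but the UI is
# only reachable from the office LAN and from VPN clients. Anyone else gets 403,
# so a bug in the PHP/Apache/MailWatch stack is not reachable from the internet.
server {
    listen 443 ssl;
    server_name efa.example.com;

    ssl_certificate     /etc/letsencrypt/live/efa.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/efa.example.com/privkey.pem;

    allow 192.168.1.0/24;   # office LAN
    allow 10.8.0.0/24;      # VPN clients (the users "on the go")
    deny  all;

    location / {
        proxy_pass https://192.168.1.20;   # EFA's own (self-signed) HTTPS UI
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this in place the certificates are obtained and renewed with `certbot certonly --webroot -w /var/www/letsencrypt -d owa.example.com -d efa.example.com` (or one run per hostname, as the paths above assume), and the only thing the internet can reach on the EFA hostname is the challenge directory on port 80. Users outside the office release quarantined mail by connecting to the VPN first, which is the answer pdwalker gives later in the thread; to expose the EFA UI publicly instead (option (a)), drop the `allow`/`deny` lines from the last server block.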

Re: Let's Encrypt SSL with one IP

Posted: 31 Jan 2018 14:57
by jamerson
Thank you Paul for the explanation.
The users on the go (out of office) sometimes need to allow some blocked emails, if they open the EFA message to deliver a blocked email.
If HTTPS/HTTP is not open on the internet it won't work.
I completely agree with you that exposing the EFA to the internet is not a smart idea even with a 128-bit password.
Can you advise the best solution in order to get this well configured?
Thank you

Re: Let's Encrypt SSL with one IP

Posted: 31 Jan 2018 16:35
by pdwalker
VPN, or don’t block possible spam. Let it through.

ClamAV catches most of the macro viruses and Trojan links, so unless your users are completely stupid, they’ll recognize spam and delete it rather than read and click on all the links.

That works for me and my users. We’d rather get some spam than miss an important email because it was flagged improperly and blocked.