Self-signed certificate, resulting in security warnings in the browser

[Avyaan8733]

When running Postal using its built-in Rails webserver, the main (primary) domain is served with a self-signed TLS certificate. In contrast, any additional domains configured for click and open tracking automatically receive valid Let's Encrypt certificates. This inconsistency causes browser warnings when users access tracking links from the primary domain.

To Reproduce

Set up Postal:
Configure Postal with a primary DNS domain for tracking.
Add Additional Domains:
Add one or more extra domains that point (via DNS CNAME or A records) to the primary domain. These additional domains will have TLS certificates automatically generated by Let's Encrypt.
Access the Tracking URL:
Open a tracking URL served by the primary domain.
Observe the Certificate:
Notice that while additional domains use valid Let's Encrypt certificates, the primary domain for tracking displays a self-signed certificate, resulting in security warnings in the browser.

dns:
mx_records:
- mx1.postal.example.com
- mx2.postal.example.com
spf_include: spf.postal.example.com
return_path_domain: rp.postal.example.com
route_domain: routes.postal.example.com
track_domain: track.postal.example.com (This displays a self-signed certificate, resulting in security warnings in the browser)

Expected behaviour

The primary domain should be served with a valid TLS certificate (e.g., generated via Let's Encrypt), just like the additional domains. This would eliminate certificate warnings and ensure consistent secure connections across all domains or simply make it inaccessible externally.

[willpower232]

The instructions may generate a self signed certificate but everyone has their own way of proxying to the Postal processes that it mostly ends up down to everyone to set up real certificates to their own tastes.

[willpower232]

I'm presuming you're using nginx so you just need to add another server block for the tracking domain and another cert with however you're making them?

You do have to pass through an additional header to make Postal switch into the click tracking so worth double checking that too.

[Avyaan8733]

I'm presuming you're using nginx so you just need to add another server block for the tracking domain and another cert with however you're making them?

You do have to pass through an additional header to make Postal switch into the click tracking so worth double checking that too.

Yes, I'm using Ngnix. I already tried to add another block, but the "default" TLS is listening on own Ruby web server. There is no documentation about how to include this additional header and what will happen to other TLS renews and tracking. Is there?

[willpower232]

https://docs.postalserver.io/features/click-and-open-tracking#configuring-your-web-server

You'll need to add an appropriate virtual host on your web server that proxies traffic from that domain to the Postal web server. The web server must add the X-Postal-Track-Host: 1 header so the Postal web server knows to treat requests as tracking requests.

Newer Postal does not deal with certificates for tracking domains so you must manage that yourself and restart your nginx however you do currently.

There isn't any specific documentation for each proxying software but most of the examples are for Caddy as its a bit easier to get started with from scratch than nginx.

[Avyaan8733]

I have Postal v1, which deploys automatically TLS for click.example.com. It is valid, works pretty fine. There are too many different domains already configured, I don't want to change all. The only thing I need is make track.postalinstallation.com safe or hide it. If there is no other way, I will try to rewrite Postal to archive it.

[willpower232]

ah yeah, definitely recommend updating when you get the chance! pretty hard to support v1 at this point I'm afraid.