
Postfix by default uses ports 25, 465 and 587. In my configuration, I enabled TLS encryption using the option smtpd_use_tls=yes in Postfix's main.cf. This makes all SMTP communications encrypted, as far as I understand.

Since Postfix takes only one certificate and doesn't support SNI, I would like to use nginx as a proxy in front of it, so that the encryption is decided by nginx based on SNI and the domain name, and not by Postfix.

I'm confused about the changes I have to do in postfix, and I would appreciate your help. Here are my questions:

1) When I send e-mails through my server, I use port 25. But what about receiving mail? Should I change all the ports that Postfix uses (to replace them with nginx), or is port 25 alone enough?

2) When I use nginx as a proxy, should I disable encryption in Postfix? If I understand this whole thing correctly, the internal proxy communication between nginx and Postfix doesn't need encryption, so once I start configuring that proxy I should disable encryption with smtpd_use_tls=no, right?

If you require any additional information, please ask.

The Quantum Physicist

1 Answer

Mail servers are expected to verify the PTR of each server sending them emails, so what you are trying to do is not going to work anyway. You can't proxy because of multiple domain names.

In postfix, you define all the names that can receive emails with:

mydestination=$myhostname, example.com, other-example.com, yet-another.com

For sending, however, you must make sure that $myhostname is authorized to send emails for the other domain names. On my end I make sure that the following names are set to the same value:

myhostname = example.com
mydomain = example.com
myorigin = example.com

(you can probably use $myhostname in mydomain and myorigin).

For the certificate, I only use the one for the main domain name:

smtpd_tls_cert_file = fullchain.pem
smtpd_tls_key_file = privkey.pem
smtpd_tls_security_level = may

I do not really understand the Nginx proxy documentation for the mail system. It seems to do the authentication and there is no destination defined, so I have no clue how that could possibly work.

Alexis Wilke
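As an added example, not part of the question or of Alexis Wilke's answer: a small Python audit that reads a constructed main.cf fragment in the shape the answer describes (mydestination listing every local domain, myhostname/mydomain/myorigin kept equal, one certificate), resolves `$name` references the way Postfix does, and reports the points a practitioner would check. The hostnames, the Let's Encrypt paths and the finding codes are assumptions made for the example. One check goes beyond the answer: `smtpd_use_tls` is an obsolete switch that `smtpd_tls_security_level` overrides when both are set, which matters for the question's plan to flip it to `no`.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample main.cf fragment; the hostnames and paths are assumptions,
# not a real server's configuration.
SAMPLE_MAIN_CF = """\
# hypothetical main.cf for a single-certificate Postfix host
myhostname = example.com
mydomain = $myhostname
myorigin = $mydomain
mydestination = $myhostname, example.com, other-example.com,
    yet-another.com
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_security_level = may
"""

# Postfix default for mydestination when the parameter is not set.
DEFAULT_MYDESTINATION = "$myhostname, localhost.$mydomain, localhost"

_VAR = re.compile(r"\$\{?([A-Za-z0-9_]+)\}?")


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse main.cf syntax: 'name = value', '#' comment lines, and
    continuation lines that begin with whitespace (appended to the
    previous value). Later assignments override earlier ones, as in Postfix."""
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # malformed line; postconf would warn about it
        current = name.strip()
        params[current] = value.strip()
    return params


def expand(params: Dict[str, str], value: str, depth: int = 0) -> str:
    """Expand $name and ${name} references recursively, as main.cf does.
    Conditional forms such as ${name?value} are not handled here."""
    if depth > 20:
        raise ValueError("parameter expansion loop")
    return _VAR.sub(
        lambda m: expand(params, params.get(m.group(1), ""), depth + 1), value
    )


def destinations(params: Dict[str, str]) -> List[str]:
    """Expanded, de-duplicated list of domains Postfix delivers locally."""
    value = expand(params, params.get("mydestination", DEFAULT_MYDESTINATION))
    return list(dict.fromkeys(d for d in re.split(r"[,\s]+", value) if d))


def audit(params: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for the identity and TLS settings.
    Only explicitly set identity parameters are compared; Postfix derives
    defaults for the unset ones."""
    findings: List[Tuple[str, str]] = []

    names = {k: expand(params, params[k])
             for k in ("myhostname", "mydomain", "myorigin") if k in params}
    if len(set(names.values())) > 1:
        findings.append(("NAMES_DIFFER",
                         f"myhostname/mydomain/myorigin resolve differently: {names}"))
    if names.get("myhostname") not in destinations(params):
        findings.append(("HOSTNAME_NOT_LOCAL",
                         "myhostname is not listed in mydestination"))

    level = params.get("smtpd_tls_security_level") or None
    if "smtpd_use_tls" in params:
        findings.append(("OBSOLETE_USE_TLS",
                         "smtpd_use_tls is obsolete; smtpd_tls_security_level "
                         + ("overrides it" if level else "should be set instead")))
    # Without a security level, Postfix falls back to the obsolete switch.
    effective = level or ("may" if params.get("smtpd_use_tls") == "yes" else "none")
    if effective == "none":
        findings.append(("NO_TLS", "smtpd does not offer STARTTLS at all"))
    elif effective == "encrypt":
        findings.append(("ENCRYPT_ON_MX",
                         "mandatory TLS in main.cf applies to port 25 and rejects "
                         "senders that cannot do STARTTLS; use 'may' there and "
                         "override to 'encrypt' for submission in master.cf"))
    if effective != "none" and not (params.get("smtpd_tls_cert_file")
                                    and params.get("smtpd_tls_key_file")):
        findings.append(("TLS_NO_CERT",
                         "TLS is enabled but smtpd_tls_cert_file/key_file are not both set"))
    return findings


if __name__ == "__main__":
    cfg = parse_main_cf(SAMPLE_MAIN_CF)
    print("local destinations:", destinations(cfg))
    for code, msg in audit(cfg):
        print(f"{code}: {msg}")
```

Run against the constructed fragment it resolves `$myhostname` through the whole chain (the answer's parenthetical about reusing `$myhostname` works) and raises a single finding: `smtpd_use_tls` is redundant once `smtpd_tls_security_level = may` is set, so setting it to `no` later would change nothing while the level parameter is present.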