I have a Postfix server which hosts multiple domains and I want a specific cert for each. My server has only one IP.
I've found a solution with multiple IPs, but without them I don't know how to do this.
- Server : Debian 9
- Postfix : 3.1.8
If you are on Postfix >=3.4, consider the following steps below as adapted from this link:
Step 1: Comment out the top two lines and add the following lines to /etc/postfix/main.cf:
# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
# provide the primary certificate for the server, to be used for outgoing connections (note the indentation)
smtpd_tls_chain_files =
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
Step 2: Create the file /etc/postfix/vmail_ssl.map with the following:
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed
Step 3: Run postmap -F hash:/etc/postfix/vmail_ssl.map.
Step 4: Run systemctl restart postfix.
Step 5: Now test your domains' SSLs! For each of your domains, run the following command: openssl s_client -connect localhost:25 -servername mail.mydomainname.com -starttls smtp
For those who don't know, the SNI table needs to be rebuilt each time a certificate changes, as the underlying table is generated with postmap -F, which imports the file content (it does not just store references to the file names).
postmap -F hash:/etc/postfix/tls_server_sni_maps.map
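The following script is an added example, not code from either answer above. It ties the two answers together: it checks a tls_server_sni_maps source file in the three-column format shown in the first answer (hostname, private key, certificate chain) before running postmap -F, wraps the rebuild-and-reload step that has to be repeated after every certificate renewal, and tests one SNI name with openssl s_client the way Step 5 does. The map path /etc/postfix/vmail_ssl.map and the connection target localhost:25 are assumptions taken from the first answer; the verify function needs a running Postfix, the check functions do not.

```shell
#!/bin/sh
# Added example (not from the original answers): pre-flight checks for a
# Postfix tls_server_sni_maps source file, the postmap -F rebuild, and a
# per-name STARTTLS check. Map format, as in the answer above:
#   <sni hostname> <private key path> <certificate chain path>

# Print the SNI hostnames listed in the map, skipping blank and comment lines.
sni_hosts() {
    map="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        echo "$1"
    done < "$map"
}

# Validate every entry: exactly three fields, readable key and chain file,
# and no hostname listed twice (postmap would silently keep only one).
# Reports each problem on stderr and returns 1 if any was found.
check_sni_map() {
    map="$1"
    errors=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        if [ $# -ne 3 ]; then
            echo "expected 3 fields, got $#: $line" >&2
            errors=$((errors + 1))
            continue
        fi
        host="$1"
        for f in "$2" "$3"; do
            [ -r "$f" ] || { echo "$host: cannot read $f" >&2; errors=$((errors + 1)); }
        done
    done < "$map"
    dups=$(sni_hosts "$map" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate SNI names: $dups" >&2
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Rebuild the indexed table with -F (the key and cert contents are embedded in
# the .db, so this must be rerun after every renewal) and reload Postfix.
# Assumed default path: /etc/postfix/vmail_ssl.map.
rebuild_sni_map() {
    map="${1:-/etc/postfix/vmail_ssl.map}"
    check_sni_map "$map" || return 1
    postmap -F "hash:$map" && systemctl reload postfix
}

# Open a STARTTLS session with one SNI name and report whether the certificate
# Postfix presented names that host (subject CN or a DNS SAN entry).
# Requires a running Postfix; the target defaults to localhost:25.
verify_sni_name() {
    name="$1"; target="${2:-localhost:25}"
    cert=$(openssl s_client -connect "$target" -servername "$name" -starttls smtp </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null)
    case "$cert" in
        *"DNS:$name"*|*"CN = $name"*|*"CN=$name"*) echo "OK   $name"; return 0 ;;
        *) echo "FAIL $name (wrong or no certificate presented)"; return 1 ;;
    esac
}

# Usage (run as root on the mail server):
#   rebuild_sni_map /etc/postfix/vmail_ssl.map && \
#   sni_hosts /etc/postfix/vmail_ssl.map | while read -r h; do verify_sni_name "$h"; done
```

Running check_sni_map before postmap catches the two mistakes that otherwise only show up as a wrong certificate at connection time: a typo in a file path (postmap -F fails loudly for that, but only after you have already edited the live map) and a hostname entered twice, where the second entry quietly wins.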
As far as I know there is no working SNI in Postfix. Yet. Docs (http://www.postfix.org/TLS_README.html) say that "There are no plans to implement SNI in the Postfix SMTP server.", though Victor mentioned in January that he wants to add SNI support to Postfix 3.4. Alternatives:
Also there is nothing wrong with having the same MX for all domains. The MX hostname being your service domain or something. Also the helo/ehlo name configured to the same/similar hostname. If it's good for Google Apps and other major email providers, then it's good for us too.
Postfix version 3.4 now supports SNI and it's therefore available in Ubuntu 19.10, for example.
Also, there IS a good reason for wanting this - clients such as Outlook attempt autoconfiguration using a servername that matches the email domain name. If your mail account is at Gmail or another shared domain this is not a problem, but a personal domain hosted on a server (even a VPS) with multiple domains needs a solution like this.