Postfix, multi domains and multi certs on one IP

ssl ssl-certificate postfix

I've a postfix server which has multi domains and I want to have a specific cert per each. My server has only one IP.

I've found a solution with multi IP, but without I don't know how to do this.

  • Server : Debian 9
  • Postfix : 3.1.8

As far i know there is no working SNI in postfix . Yet. Docs ( http://www.postfix.org/TLS_README.html ) say that "There are no plans to implement SNI in the Postfix SMTP server.", though Victor mentioned in January that he wants to add SNI support to postfix 3.4 . Alternatives :

  • multiple ip
  • certificate containing all domain names.

Also there is nothing wrong with having the same MX for all domains. MX hostname being your service domain or something. Also helo/ehlo name configured to the same/similar hostname . If its good for GoogleApps and other major email providers, then its good for us too.


If you are on Postfix >=3.4, consider the following steps below as adapted from this link:

Step 1: Comment out the top two lines and add the follow lines to /etc/postfix/main.cf:

---
# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

# provide the primary certificate for the server, to be used for outgoing connections (note the indentation)
smtpd_tls_chain_files =
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
---

Step 2: Create the file /etc/postfix/vmail_ssl.map with the following:

---
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed
---

Step 3: Run postmap -F hash:/etc/postfix/vmail_ssl.map.

Step 4: Run systemctl restart postfix.

Step 5: Now test your domains' SSLs! For each of your domains, run the following command: openssl s_client -connect localhost:25 -servername mail.mydomainname.com -starttls smtp

Related

Single Person ISV, What Type of Server Hardware do you Recommend? [closed]
MySQL monitoring tools
Cannot delete an existing service using sc command: The specified service does not exist as an installed service
How do you check the version of a *.ko kernel module in Linux?
Opinions on hosting servers in-house
How do I convert wireshark capture files to text files?
Run (GNU) Screen from script
How can I see my user roles on the Windows machine I'm logged into?
How can I see who is connected to my db?
Amazon EBS charges calculation
Is it possible to create Custom Error Log in Apache 2.2?
How can I verify that an RTMP stream URL is working?