Postfix, multi domains and multi certs on one IP
Solution 1
As far i know there is no working SNI in postfix . Yet. Docs ( http://www.postfix.org/TLS_README.html ) say that "There are no plans to implement SNI in the Postfix SMTP server.", though Victor mentioned in January that he wants to add SNI support to postfix 3.4 . Alternatives :
- multiple ip
- certificate containing all domain names.
Also there is nothing wrong with having the same MX for all domains. MX hostname being your service domain or something. Also helo/ehlo name configured to the same/similar hostname . If its good for GoogleApps and other major email providers, then its good for us too.
Solution 2
If you are on Postfix >=3.4, consider the following steps below as adapted from this link:
Step 1: Comment out the top two lines and add the follow lines to /etc/postfix/main.cf:
---
# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
# provide the primary certificate for the server, to be used for outgoing connections (note the indentation)
smtpd_tls_chain_files =
/etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
/etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
---
Step 2: Create the file /etc/postfix/vmail_ssl.map with the following:
---
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed
---
Step 3: Run postmap -F hash:/etc/postfix/vmail_ssl.map.
Step 4: Run systemctl restart postfix.
Step 5: Now test your domains' SSLs! For each of your domains, run the following command: openssl s_client -connect localhost:25 -servername mail.mydomainname.com -starttls smtp
Solution 3
For those who doesn't know, the SNI table needs to be rebuilt each time a certificate changes as the underlying table is generated with postmap -F
which imports the file content (it does not just store references to the file names).
postmap -F hash:/etc/postfix/tls_server_sni_maps.map
Solution 4
Postfix version 3.4 now supports SNI and it's therefore available in Ubuntu 19.10, for example.
Also, there IS a good reason for wanting this - clients such as Outlook attempt autoconfiguration using a servername that matches the email domain name. If your mail account is at Gmail or another shared domain this is not a problem, but a personal domain hosted on a server (even a VPS) with multiple domains needs a solution like this
Related videos on Youtube
DSX
Updated on September 18, 2022Comments
-
DSX over 1 year
I've a postfix server which has multi domains and I want to have a specific cert per each. My server has only one IP.
I've found a solution with multi IP, but without I don't know how to do this.
- Server : Debian 9
- Postfix : 3.1.8
-
DSX over 5 yearsMy server is hosting multi domains and I manage every DNS zone. Each domain has a DNS record which is pointing on the same server. Then, I want to configure Postfix and dovecot to use one certificate per domain. Hope it's clear your mind
-
DSX over 5 yearsFirst, I prefer to have one certificate per domain to keep separation between each domains. Second, if you add your mail on Gmail, if you serve a generic certificate for each mail with a different domain, it will be refused because of mismatching CN.