Postfix and multiple SSL certificates
Source: https://lxadm.com/Postfix_and_multiple_SSL_certificates
If you ever wanted to use your Postfix with multiple SSL certificates for different domains, here is how.
List of requirements
separate IP for each SSL certificate
different domains you will use for your mail (say, example.com and example2.com)
separate SSL certificate for each domain
The change will involve:
modifying /etc/postfix/main.cf
modifying /etc/postfix/master.cf
Modifying /etc/postfix/main.cf
Comment out the smtpd_tls_key_file and smtpd_tls_cert_file directives, since each listener in master.cf will now carry its own. smtpd_tls_CAfile can stay if all the certificates you're using were issued by the same CA.
Example:
#smtpd_tls_key_file = /etc/postfix/keys/mail.example.com.key
#smtpd_tls_cert_file = /etc/postfix/keys/mail.example.com.crt
smtpd_tls_CAfile = /etc/postfix/keys/mail.example.com.bundle
Modifying /etc/postfix/master.cf
Previously, Postfix master listened on all interfaces (for smtp/25, smtps/465 and submission/587) and therefore used a single SSL certificate, the one defined in /etc/postfix/main.cf:
smtp inet n - y - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=100
smtps inet n - y - - smtpd
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=10
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet n - y - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Now bind each service to a specific IP address and give it its own SSL certificate; for example, for mail.example.com and mail.example2.com (continuation lines carrying -o overrides must be indented, otherwise Postfix reads them as new service entries):
# your regular SSL certificate will be served on localhost, the external IPv4 and the external IPv6 address:
# localhost
127.0.0.1:smtp inet n - y - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=100
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
127.0.0.1:smtps inet n - y - - smtpd
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=10
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
127.0.0.1:submission inet n - y - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
# IPv4
178.63.195.102:smtp inet n - y - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=100
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
178.63.195.102:smtps inet n - y - - smtpd
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=10
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
178.63.195.102:submission inet n - y - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
# IPv6
[2a01:4f8:120:14c4::1111]:smtp inet n - y - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=100
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
[2a01:4f8:120:14c4::1111]:smtps inet n - y - - smtpd
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=10
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
[2a01:4f8:120:14c4::1111]:submission inet n - y - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
# different SSL certificate on a different IPv4 address: mail.example2.com
# note: smtpd_banner sets the greeting this listener sends; smtp_helo_name is a
# parameter of the Postfix smtp *client*, so overriding it on an smtpd service
# has no effect on the listener itself
178.63.195.100:smtp inet n - y - 20 smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=100
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example2.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example2.com.crt
  -o smtp_helo_name=mail.example2.com
  -o smtpd_banner=mail.example2.com
178.63.195.100:smtps inet n - y - - smtpd
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=10
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example2.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example2.com.crt
  -o smtp_helo_name=mail.example2.com
  -o smtpd_banner=mail.example2.com
178.63.195.100:submission inet n - y - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example2.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example2.com.crt
  -o smtp_helo_name=mail.example2.com
  -o smtpd_banner=mail.example2.com
That's it! Restart Postfix and you should be done. Because main.cf no longer names a certificate, any smtpd listener you forgot to give its own -o smtpd_tls_cert_file/-o smtpd_tls_key_file pair will log "No server certs available. TLS won't be enabled" and answer without TLS, so check the mail log after the restart.
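The following script is an added example, not code from the original article or from Postfix. It parses the master.cf layout used above (one smtpd service per IP:port, each with its own -o smtpd_tls_cert_file / smtpd_tls_key_file overrides), reports which certificate each listener will present, flags smtpd listeners that override nothing (which, with the main.cf directives commented out, means no TLS on that listener), and prints the openssl s_client commands you would run after the restart to confirm what each address:port really serves. The embedded master.cf fragment is constructed for the example; the addresses and paths in it are illustrative, and the 'submission' entry on 192.0.2.10 deliberately omits its certificate overrides to show the check firing.

```python
"""Static check of a Postfix master.cf that splits TLS certificates across
several IP:port listeners (added example, not part of the original article)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the article's master.cf. The
# 192.0.2.10:submission entry intentionally lacks cert/key overrides.
SAMPLE_MASTER_CF = """\
# localhost
127.0.0.1:smtp inet n - y - 20 smtpd
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
127.0.0.1:smtps inet n - y - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
# second certificate on a second address
192.0.2.10:smtps inet n - y - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example2.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example2.com.crt
192.0.2.10:submission inet n - y - - smtpd
  -o smtpd_enforce_tls=yes
pickup unix n - y 60 1 pickup
"""

# Well-known ports for the service names master.cf uses symbolically.
SERVICE_PORTS = {"smtp": 25, "smtps": 465, "submission": 587}


@dataclass
class Service:
    name: str                      # "host:port" or a bare service name
    kind: str                      # inet / unix / fifo / pass
    command: str                   # smtpd, pickup, ...
    options: dict = field(default_factory=dict)   # -o name=value overrides


def parse_master_cf(text):
    """Return the services in master.cf with their -o overrides attached."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Indented line: a continuation of the previous service entry.
            m = re.match(r"\s*-o\s+([^=]+)=(.*)$", raw)
            if m and services:
                services[-1].options[m.group(1).strip()] = m.group(2).strip()
            continue
        fields = raw.split()
        # service type private unpriv chroot wakeup maxproc command [args]
        if len(fields) < 8:
            continue
        services.append(Service(name=fields[0], kind=fields[1], command=fields[7]))
    return services


def smtpd_listeners(services):
    return [s for s in services if s.kind == "inet" and s.command == "smtpd"]


def listener_certs(services):
    """Map each network-facing smtpd listener to the certificate it will use
    (None when the entry overrides no certificate)."""
    return {s.name: s.options.get("smtpd_tls_cert_file") for s in smtpd_listeners(services)}


def listeners_without_tls(services):
    """smtpd listeners missing a cert or key override: with main.cf's
    directives commented out, Postfix disables TLS on these."""
    return sorted(
        s.name for s in smtpd_listeners(services)
        if not s.options.get("smtpd_tls_cert_file") or not s.options.get("smtpd_tls_key_file")
    )


def verification_commands(services):
    """openssl s_client commands to confirm what each listener actually serves:
    implicit TLS for wrappermode (smtps), STARTTLS otherwise."""
    cmds = []
    for s in smtpd_listeners(services):
        host, _, svc = s.name.rpartition(":")
        host = host or "localhost"          # bare name = listening on all interfaces
        port = SERVICE_PORTS.get(svc, svc)
        starttls = "" if s.options.get("smtpd_tls_wrappermode") == "yes" else "-starttls smtp "
        cmds.append(
            f"openssl s_client -connect {host}:{port} {starttls}</dev/null 2>/dev/null"
            " | openssl x509 -noout -subject -enddate"
        )
    return cmds


if __name__ == "__main__":
    svcs = parse_master_cf(SAMPLE_MASTER_CF)
    for name, cert in listener_certs(svcs).items():
        print(f"{name:28s} -> {cert or 'NO CERTIFICATE (TLS disabled)'}")
    for name in listeners_without_tls(svcs):
        print(f"WARNING: {name} overrides no certificate/key")
    print("\nVerify after restart:")
    print("\n".join(verification_commands(svcs)))
```

Run it against your real file with parse_master_cf(open("/etc/postfix/master.cf").read()); the listeners it flags are the ones that would silently fall back to plaintext SMTP after the main.cf change.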
For information on how to set up Cyrus to use multiple certificates, see this article.