1

Topic: Postfix Multiple SSL Certificates

======== Required information ====
- iRedMail version: 0.8.5
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL
- Linux/BSD distribution name and version:  Debian 7
- Related log if you're reporting an issue:
====

I have 2 domains with separate IPs running on a single server. I have modified /etc/dovecot/dovecot.conf to:

local 192.168.1.100 { # instead of IP you can also use hostname, which will be resolved
  protocol imap {
    ssl_cert = </etc/ssl/certs/example.com.pem
    ssl_key = </etc/ssl/private/example.com.key
  }

  protocol pop3 {
    ssl_cert = </etc/ssl/certs/example.com.pem
    ssl_key = </etc/ssl/private/example.com.key
  }
}

local 192.168.1.101 {
  protocol imap {
    ssl_cert = </etc/ssl/certs/example.org.pem
    ssl_key = </etc/ssl/private/example.org.key
  }

  protocol pop3 {
    ssl_cert = </etc/ssl/certs/example.org.pem
    ssl_key = </etc/ssl/private/example.org.key
  }
}

The configuration for both domains was confirmed to be working, tested with:

openssl s_client -connect mail.example.com:pop3s
openssl s_client -connect mail.example.org:pop3s

How do I configure Postfix with similar settings?

Thanks


2

Re: Postfix Multiple SSL Certificates

You can try this article: http://blog.wpkg.org/2013/07/31/postfix … tificates/
Or run multiple Postfix instances: http://www.postfix.org/MULTI_INSTANCE_README.html

3 (edited by cygni 2013-11-05 23:23:35)

Re: Postfix Multiple SSL Certificates

Thanks, I have that configured now, but what I'd like is to have each domain use its own IP for outgoing mail. I searched the forum and saw similar requests, but still could not get it working:

http://www.iredmail.org/forum/topic4177 … s-etc.html
http://www.iredmail.org/forum/topic3596 … -only.html

master.cf

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
 
#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o content_filter=smtp-amavis:[127.0.0.1]:10026
 
# Use dovecot deliver program as LDA.
dovecot unix    -       n       n       -       -      pipe
    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}
 
smtp-amavis unix -  -   -   -   2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
 
127.0.0.1:10025 inet n  -   -   -   -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_tls_security_level=none
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
 
127.0.0.1:smtp inet n  -   -   -   -  smtpd
    -o smtpd_tls_cert_file=/etc/ssl/certs/example.com.pem
    -o smtpd_tls_key_file=/etc/ssl/private/example.com.key  
    -o smtpd_tls_CAfile=/etc/ssl/certs/example.com.pem
 
127.0.0.1:submission inet n  -   -   -   -  smtpd
    -o smtpd_tls_cert_file=/etc/ssl/certs/example.com.pem
    -o smtpd_tls_key_file=/etc/ssl/private/example.com.key
    -o smtpd_tls_CAfile=/etc/ssl/certs/example.com.pem
 
192.168.1.100:smtp inet n  -   -   -   -  smtpd
  -o smtpd_tls_cert_file=/etc/ssl/certs/example.com.pem
  -o smtpd_tls_key_file=/etc/ssl/private/example.com.key
  -o smtpd_tls_CAfile=/etc/ssl/certs/example.com.pem
 
192.168.1.100:submission inet n  -   -   -   -  smtpd
  -o smtpd_tls_cert_file=/etc/ssl/certs/example.com.pem
  -o smtpd_tls_key_file=/etc/ssl/private/example.com.key
  -o smtpd_tls_CAfile=/etc/ssl/certs/example.com.pem
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
 
192.168.1.101:smtp inet n  -   -   -   -  smtpd
  -o smtpd_tls_cert_file=/etc/ssl/certs/example.org.pem
  -o smtpd_tls_key_file=/etc/ssl/private/example.org.key
  -o smtpd_tls_CAfile=/etc/ssl/certs/example.org.pem
 
192.168.1.101:submission inet n  -   -   -   -  smtpd
  -o smtpd_tls_cert_file=/etc/ssl/certs/example.org.pem
  -o smtpd_tls_key_file=/etc/ssl/private/example.org.key
  -o smtpd_tls_CAfile=/etc/ssl/certs/example.org.pem
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

   example_com  unix -  -  -  -  -  smtp
   -o smtp_bind_address=192.168.1.100

   example_org  unix -  -  -  -  -  smtp
   -o smtp_bind_address=192.168.1.101

Right now, all outgoing mails use IP/domain  of the first IP.
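To confirm that each listening address really presents the certificate for its own domain, here is an added Python check (not code from this thread or from iRedMail) that extends the openssl s_client test in the first post: implicit-TLS ports such as pop3s are wrapped directly, smtp/submission are probed with STARTTLS, and the presented certificate's SAN/CN is matched against the hostname the listener should serve. The LISTENERS table uses the addresses and hostnames from this thread as placeholders; adjust it to the real ones before running.

```python
"""Report which certificate each per-IP mail listener presents.

Postfix releases before 3.4 have no SNI support, so serving two domains
means one certificate per listening IP; this script confirms each IP got
the right one.  Verification uses the system CA store but *not* the
hostname, so a valid-but-wrong-domain certificate (the symptom described
in this thread) is returned and reported instead of being rejected.
"""
import smtplib
import socket
import ssl

# Constructed probe table: (address, port, expected hostname, mode).
# Addresses and names are the placeholders used in this thread.
LISTENERS = [
    ("192.168.1.100", 995, "mail.example.com", "tls"),       # pop3s
    ("192.168.1.100", 587, "mail.example.com", "starttls"),  # submission
    ("192.168.1.101", 995, "mail.example.org", "tls"),
    ("192.168.1.101", 587, "mail.example.org", "starttls"),
]


def _dns_names(cert):
    """Hostnames a getpeercert()-style dict covers: the DNS SANs, else the CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def cert_matches(cert, hostname):
    """True if hostname is covered by a SAN/CN.  A '*.example.org' wildcard
    matches exactly one left-most label ('mail.example.org'), not the bare
    domain and not 'a.b.example.org'."""
    host = hostname.lower().rstrip(".")
    for name in _dns_names(cert):
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def fetch_cert(host, port, mode, sni, timeout=10):
    """Return the peer certificate dict from host:port (raises on a chain that
    does not verify against the system CA store)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # name check is done by cert_matches()
    ctx.verify_mode = ssl.CERT_REQUIRED  # but still require a trusted chain
    if mode == "starttls":
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


def probe(listeners=LISTENERS):
    """Return [(address, port, expected, status)] for every listener."""
    results = []
    for host, port, expected, mode in listeners:
        try:
            cert = fetch_cert(host, port, mode, expected)
            if cert_matches(cert, expected):
                status = "OK"
            else:
                status = "WRONG CERT: valid for %s" % ", ".join(_dns_names(cert))
        except (OSError, smtplib.SMTPException) as exc:
            status = "ERROR: %s" % exc     # includes ssl.SSLError (chain failure)
        results.append((host, port, expected, status))
    return results


if __name__ == "__main__":
    for host, port, expected, status in probe():
        print("%s:%d (expect %s): %s" % (host, port, expected, status))
```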

4

Re: Postfix Multiple SSL Certificates

Then maybe you should try multiple Postfix instances instead:
http://www.postfix.org/MULTI_INSTANCE_README.html

Just curious, why you want to configure SSL certificate for each domain?

5 (edited by cygni 2013-11-06 00:12:02)

Re: Postfix Multiple SSL Certificates

ZhangHuangbin wrote:

Then maybe you should try multiple Postfix instances instead:
http://www.postfix.org/MULTI_INSTANCE_README.html

Just curious, why you want to configure SSL certificate for each domain?

While pulling mail from the second domain, the client complained about the SSL certificate, and when checked, noticed it was for incorrect domain. Also, when I examined the header of email sent using the second domain, which has its own IP, it was using hostname/IP of the first domain. This could cause issues with some filters.

I have read the link from your initial response, but it seems multi-instance will require pretty much a full reconfiguration of Postfix, which I am not too familiar with, and the reason for using iRedMail is its simplicity. I just don't want to break anything.

6

Re: Postfix Multiple SSL Certificates

cygni wrote:

While pulling mail from the second domain, the client complained about the SSL certificate, and when checked, noticed it was for incorrect domain.

If you use a purchased SSL certificate, mail clients will not complain about the SSL certificate at all. It complains because it's a self-signed certificate.

cygni wrote:

Also, when I examined the header of email sent using the second domain, which has its own IP, it was using hostname/IP of the first domain. This could cause issues with some filters.

I don't think so. You know there are many mail servers that host multiple mail domains. For example, Google Apps.

So, I think purchasing a valid SSL certificate is the easiest solution for you.

7 (edited by cygni 2013-11-06 22:37:54)

Re: Postfix Multiple SSL Certificates

ZhangHuangbin wrote:
cygni wrote:

While pulling mail from the second domain, the client complained about the SSL certificate, and when checked, noticed it was for incorrect domain.

If you use a purchased SSL certificate, mail clients will not complain about the SSL certificate at all. It complains because it's a self-signed certificate.

cygni wrote:

Also, when I examined the header of email sent using the second domain, which has its own IP, it was using hostname/IP of the first domain. This could cause issues with some filters.

I don't think so. You know there are many mail servers that host multiple mail domains. For example, Google Apps.

So, I think purchasing a valid SSL certificate is the easiest solution for you.

Thanks again,

Both domains have separately purchased SSL certs. But that is not even the issue now, and I am not sure it warrants opening another thread. Outgoing email is only sent using the eth0 IP/domain even when the second domain is used. Here is the full header of a message received from the second domain; I have modified it to remove the actual domain and IP:

Return-Path: user@example.org
Received: from mip.publicmail.com (LHLO smtp2.publicmail.com) (10.8.8.8) by
 server with LMTP; Wed, 6 Nov 2013 08:05:46 +0000 (UTC)
Received: from smtp2.publicmail.com (localhost [127.0.0.1])
    by smtp2.publicmail.com (Postfix) with SMTP id 6CDDEA01A8
    for <cygni@publicmail.com>; Wed,  6 Nov 2013 08:05:46 +0000 (UTC)
X-Public-Verified-Domain: example.org
X-Public-Real-Recipient: cygni@publicmail.com
Received: from example.com (example.com [192.168.1.100])
    by smtp2.publicmail.com (Postfix) with ESMTP
    for <cygni@publicmail.com>; Wed,  6 Nov 2013 08:05:46 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
    by example.com (Postfix) with ESMTP id ED86E201895
    for <cygni@publicmail.com>; Wed,  6 Nov 2013 03:05:31 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; h=
    user-agent:message-id:subject:subject:to:from:from:date:date
    :content-transfer-encoding:content-type:content-type
    :mime-version; s=dkim; t=1383725131; x=1386317132; bh=gpdsrm5rdx
    a6EJxryTkxQsWOCgxJ2EMbYsNrKegM1c8=; b=LB65uimQ2seDZF3jLrCQfAMJVX
    trlFYipfJVasGQwzJ2P5QyBW9/hkwmz6UZysD1IDRqvTOp2UzNac5hKsTdsSe/S6
    2lzWAUhJR8tqWiWo/aZLkCuseQ0SBk+Ma058QVoJU9jdny1a0E4uhgZsWxnVho2Q
    mqQ01cEV5+LGa7gm461Uj1Au+fDjZSDP0D1Ig9B/fH+5jgQX6Q2FdXxQo3UdjFD2
    OVonFxY95tTKapTl34yQ7tyTjzHD87FdrPkFA3qOzCBQM2InHE0YxUwjQQtRYU6r
    P4ubRLuJ/sX3CTn3X2dtjlKmmNYMOwDKMeNGsgUf+LAmHcUum88Tp9euUCjA==
X-Virus-Scanned: Debian amavisd-new at example.example.com
Received: from example.com ([127.0.0.1])
    by localhost (example.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 3wnPUN2oaSCG for <cygni@publicmail.com>;
    Wed,  6 Nov 2013 03:05:31 -0500 (EST)
Received: from example.org (localhost [127.0.0.1])
    by example.com (Postfix) with ESMTPA id 8DEE6201892
    for <cygni@publicmail.com>; Wed,  6 Nov 2013 03:05:30 -0500 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 06 Nov 2013 03:05:30 -0500
From: user@example.org
To: cygni@publicmail.com
Subject: test 9
Message-ID: <0b1500b3fb2d6ecec15ff33092849931@example.org>
X-Sender: user@example.org
User-Agent: RoundCube WebMail

test 9

Note that it is sending with example.com instead of example.org, and the IP is 192.168.1.100 instead of 192.168.1.101. This was the same request here, and the only difference is the database.

8

Re: Postfix Multiple SSL Certificates

cygni wrote:

Note that it is sending with example.com instead of example.org, and the IP is 192.168.1.100 instead of 192.168.1.101. This was the same request here, and the only difference is the database.

What do you mean "database"? What's the difference between your request and the forum post you pasted (http://www.iredmail.org/forum/post16703.html#p16703)?

9

Re: Postfix Multiple SSL Certificates

ZhangHuangbin wrote:
cygni wrote:

Note that it is sending with example.com instead of example.org, and the IP is 192.168.1.100 instead of 192.168.1.101. This was the same request here, and the only difference is the database.

What do you mean "database"? What's the difference between your request and the forum post you pasted (http://www.iredmail.org/forum/post16703.html#p16703)?

That thread describes what I am trying to do, and the difference is, [he] is using MySQL, and I, Postgres.

10

Re: Postfix Multiple SSL Certificates

No difference between MySQL and PostgreSQL in your case.

11 (edited by cygni 2013-11-22 00:53:56)

Re: Postfix Multiple SSL Certificates

ZhangHuangbin wrote:

No difference between MySQL and PostgreSQL in your case.

With the following added to master.cf:

   example_com  unix -  -  -  -  -  smtp
   -o smtp_bind_address=192.168.1.100

   example_org  unix -  -  -  -  -  smtp
   -o smtp_bind_address=192.168.1.101

I su to postgres, then ran 'psql -d vmail' and:

UPDATE domain SET transport='example_com:' WHERE domain='example.com';
UPDATE domain SET transport='example_org:' WHERE domain='example.org';

I get the following warning and am not receiving mail:

postfix/qmgr[14954]: warning: connect to transport private/example_com: No such file or directory
postfix/qmgr[14954]: warning: connect to transport private/example_org: No such file or directory

In addition, mail sent with the second domain still shows domain and IP of the first. Any suggestion would be greatly appreciated, thanks.
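The bind-address services appear in post 3 and again above, and the warning above says qmgr cannot find private/example_com. As an added example (not code from this thread or from iRedMail), this Python script reads master.cf with the master(5) rule that a line starting with whitespace continues the previous entry, and reports which transport-map values name a service that master.cf never defines; the two excerpts it parses are constructed from the entries posted in this thread, once with the service names indented as posted and once flush-left.

```python
"""Parse master.cf the way master(8) reads it and check that the transports
named in a transport map are really defined.

master(5): a logical line starts with non-whitespace text; a line that
starts with whitespace continues the previous logical line; '#' lines and
blank lines are ignored.  A service line that has been indented is
therefore not a new service at all, it is appended to the entry above it,
and qmgr later fails with
"connect to transport private/<name>: No such file or directory".
"""
import re

# Constructed excerpt modelled on the entries posted in this thread (not the
# full file): the two bind-address services are indented by three spaces.
INDENTED = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      unix  -       -       -       -       -       smtp
dovecot unix    -       n       n       -       -      pipe
    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}
192.168.1.101:submission inet n  -   -   -   -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

   example_com  unix -  -  -  -  -  smtp
   -o smtp_bind_address=192.168.1.100

   example_org  unix -  -  -  -  -  smtp
   -o smtp_bind_address=192.168.1.101
"""

# The same entries with the service names flush-left, as master(8) expects.
FLUSH_LEFT = INDENTED.replace("\n   example_", "\nexample_")


def parse_master_cf(text):
    """Return {service: {"type", "command", "options"}} from master.cf text."""
    logical = []                      # each item: the physical lines of one entry
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                  # blank and comment lines are ignored
        if line[0].isspace():
            if logical:               # continuation of the previous entry
                logical[-1].append(line.strip())
            continue                  # indented text before any entry: dropped
        logical.append([line.strip()])

    services = {}
    for lines in logical:
        fields = lines[0].split()
        if len(fields) < 8:
            raise ValueError("malformed master.cf entry: %r" % lines[0])
        options = {}
        # "-o name=value" may follow the command on the first line or on any
        # continuation line; a later value overrides an earlier one.
        for item in re.findall(r"(?:^|\s)-o\s+(\S+)", " ".join(lines)):
            key, _, value = item.partition("=")
            options[key] = value
        services[fields[0]] = {"type": fields[1], "command": fields[7],
                               "options": options}
    return services


def transport_name(map_value):
    """'example_com:' -> 'example_com': the part before ':' is the master.cf
    service name, the part after it the optional next-hop."""
    return map_value.split(":", 1)[0]


def missing_transports(master_cf_text, map_values):
    """Transport-map values whose service does not exist in master.cf."""
    services = parse_master_cf(master_cf_text)
    return [v for v in map_values if transport_name(v) not in services]


if __name__ == "__main__":
    wanted = ["example_com:", "example_org:", "dovecot"]
    print("indented:   missing", missing_transports(INDENTED, wanted))
    print("flush-left: missing", missing_transports(FLUSH_LEFT, wanted))
    swallowed = parse_master_cf(INDENTED)["192.168.1.101:submission"]["options"]
    print("options absorbed by the submission entry:", swallowed)
```

Note that the domain table's transport column feeds transport_maps (see the main.cf in post 17), which Postfix keys on the recipient address, so it selects the inbound delivery agent for that domain; choosing an outbound smtp service by sender address is what sender_dependent_default_transport_maps is for.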

12

Re: Postfix Multiple SSL Certificates

Does it work without ':' in transport?

13

Re: Postfix Multiple SSL Certificates

ZhangHuangbin wrote:

Does it work without ':' in transport?

That didn't work, but I changed it back to dovecot, and now I can receive mail again. I still haven't gotten the second domain working as it should, without showing the first domain name and IP on sent mails.

14

Re: Postfix Multiple SSL Certificates

Did you restart Postfix service after modifying /etc/postfix/master.cf?

15

Re: Postfix Multiple SSL Certificates

ZhangHuangbin wrote:

Did you restart Postfix service after modifying /etc/postfix/master.cf?

I restarted postfix, dovecot, and amavis, including rebooting the server.

16

Re: Postfix Multiple SSL Certificates

Could you please show me the full content of /etc/postfix/master.cf, and the SQL record of this domain in table "vmail.domain"?

17 (edited by cygni 2013-11-27 02:46:26)

Re: Postfix Multiple SSL Certificates

ZhangHuangbin wrote:

Could you please show me the full content of /etc/postfix/master.cf, and the SQL record of this domain in table "vmail.domain"?

main.cf

 
# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
#smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
#smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA_Postfix.pem
#smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = cygni.example.com
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
myorigin = cygni.example.com
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
relayhost = 
mynetworks = 127.0.0.0/8
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
virtual_alias_domains = 
allow_percent_hack = no
swap_bangpath = no
mydomain = example.com
mynetworks_style = host
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
delay_warning_time = 0h
maximal_queue_lifetime = 4h
bounce_queue_lifetime = 4h
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
queue_run_delay = 300s
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
enable_original_recipient = no
disable_vrfy_command = yes
home_mailbox = Maildir/
allow_min_user = no
message_size_limit = 15728640
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
transport_maps = proxy:pgsql:/etc/postfix/pgsql/transport_maps_user.cf, proxy:pgsql:/etc/postfix/pgsql/transport_maps_domain.cf
virtual_mailbox_domains = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_alias_maps = proxy:pgsql:/etc/postfix/pgsql/virtual_alias_maps.cf, proxy:pgsql:/etc/postfix/pgsql/domain_alias_maps.cf, proxy:pgsql:/etc/postfix/pgsql/catchall_maps.cf, proxy:pgsql:/etc/postfix/pgsql/domain_alias_catchall_maps.cf
sender_bcc_maps = proxy:pgsql:/etc/postfix/pgsql/sender_bcc_maps_user.cf, proxy:pgsql:/etc/postfix/pgsql/sender_bcc_maps_domain.cf
recipient_bcc_maps = proxy:pgsql:/etc/postfix/pgsql/recipient_bcc_maps_user.cf, proxy:pgsql:/etc/postfix/pgsql/recipient_bcc_maps_domain.cf
relay_domains = $mydestination, proxy:pgsql:/etc/postfix/pgsql/relay_domains.cf
smtpd_sender_login_maps = proxy:pgsql:/etc/postfix/pgsql/sender_login_maps.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = no
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_tls_security_level = may
smtpd_tls_loglevel = 0
#smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
#smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA_Postfix.pem
tls_random_source = dev:/dev/urandom
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = ./dovecot-auth
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp-amavis_destination_recipient_limit = 1

master.cf

 
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
#smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

#submission inet n       -       n       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#  -o content_filter=smtp-amavis:[127.0.0.1]:10026

# Use dovecot deliver program as LDA.
dovecot unix    -       n       n       -       -      pipe
    flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${domain} -m ${extension}

smtp-amavis unix -  -   -   -   2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -   -   -   -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_tls_security_level=none
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_end_of_data_restrictions=
    -o mynetworks_style=host
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

## added
127.0.0.1:smtp inet n  -  n   -   -  smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10024
    -o smtpd_tls_cert_file=/etc/ssl/certs/iRedMail_CA_Postfix.pem
    -o smtpd_tls_key_file=/etc/ssl/private/iRedMail.key   
    -o smtpd_tls_CAfile=/etc/ssl/certs/iRedMail_CA_Postfix.pem

127.0.0.1:submission inet n  -  n   -   -  smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10024
    -o smtpd_tls_cert_file=/etc/ssl/certs/iRedMail_CA_Postfix.pem
    -o smtpd_tls_key_file=/etc/ssl/private/iRedMail.key
    -o smtpd_tls_CAfile=/etc/ssl/certs/iRedMail_CA_Postfix.pem

# IPv4
192.168.1.100:smtp inet n  -   n   -   -  smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o smtpd_tls_cert_file=/etc/ssl/certs/iRedMail_CA_Dovecot.pem
  -o smtpd_tls_key_file=/etc/ssl/private/iRedMail.key
  -o smtpd_tls_CAfile=/etc/ssl/certs/iRedMail_CA_Dovecot.pem

192.168.1.100:submission inet n  -   n   -   -  smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o smtpd_tls_cert_file=/etc/ssl/certs/iRedMail_CA_Dovecot.pem
  -o smtpd_tls_key_file=/etc/ssl/private/iRedMail.key
  -o smtpd_tls_CAfile=/etc/ssl/certs/iRedMail_CA_Dovecot.pem
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

192.168.1.101:smtp inet n  -   n   -   -  smtpd
  -o mydomain=example.org
#  -o myhostname=example.org
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o smtpd_tls_cert_file=/etc/ssl/certs/example.org_dovecot.pem
  -o smtpd_tls_key_file=/etc/ssl/private/example.org.key
  -o smtpd_tls_CAfile=/etc/ssl/certs/example.org_dovecot.pem
#  -o smtp_bind_address=192.168.1.101

192.168.1.101:submission inet n  -  n   -   -  smtpd
  -o mydomain=example.org
#  -o myhostname=example.org  
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o smtpd_tls_cert_file=/etc/ssl/certs/example.org_dovecot.pem
  -o smtpd_tls_key_file=/etc/ssl/private/example.org.key
  -o smtpd_tls_CAfile=/etc/ssl/certs/example.org_dovecot.pem
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtp_bind_address=192.168.1.101
#  -o smtp_helo_name=example.org


example_com  unix -  -  -  -  -  smtp
   -o smtp_bind_address=192.168.1.100
#   -o smtp_helo_name=example.com
 
example_org  unix -  -  -  -  -  smtp
   -o smtp_bind_address=192.168.1.101
#   -o smtp_helo_name=example.org

vmail.domain record:

"domain","description","disclaimer","aliases","mailboxes","maxquota","quota","transport","backupmx","defaultlanguage","defaultuserquota","defaultuseraliases","disableddomainprofiles","disableduserprofiles","defaultpasswordscheme","minpasswordlength","maxpasswordlength","created","modified","expired","active"
"example.com","","","0","0","0","0","dovecot","0","en_US","1024","","","","","0","0","2013-09-29 15:43:55.506361","1970-01-01 00:00:00","9999-12-31 00:00:00","1"
"example.org","","","0","0","0","0","dovecot","0","en_US","1024","","","","","0","0","2013-09-29 19:58:28","1970-01-01 00:00:00","9999-12-31 00:00:00","1"

18

Re: Postfix Multiple SSL Certificates

I saw you have '192.168.1.100:smtp' in master.cf. Does it work if you set transport to 'smtp:[192.168.1.100]:25'? And you should add '-o smtp_bind_address=192.168.1.100' to '192.168.1.100:smtp' first in master.cf.

19

Re: Postfix Multiple SSL Certificates

ZhangHuangbin wrote:

I saw you have '192.168.1.100:smtp' in master.cf. Does it work if you set transport to 'smtp:[192.168.1.100]:25'? And you should add '-o smtp_bind_address=192.168.1.100' to '192.168.1.100:smtp' first in master.cf.

Unfortunately, it does not help. Maybe it's time to look into multiple Postfix instances, which is somewhat confusing, especially in combination with Amavis.
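
The master.cf in this thread mixes two separate things: address-bound smtpd services that each present their own certificate, and smtp transports that bind outbound mail to a source address. The following is an added example, not iRedMail's or Postfix's own code. It parses master.cf service lines and their "-o name=value" overrides and reports which certificate each per-IP listener serves, which source address each smtp transport binds to, and where the two do not line up. One Postfix fact it relies on: smtp_bind_address is a parameter of the smtp(8) client, so putting it on an smtpd(8) service changes nothing about delivery; it has to sit on the transport that the sender domain is routed through (the sender-domain map below has the shape of a sender_dependent_default_transport_maps table). SAMPLE_MASTER_CF and SAMPLE_SENDER_TRANSPORTS are constructed to mirror the thread's setup, with one undefined transport and one unbound transport left in deliberately.

```python
"""Audit a Postfix master.cf for per-IP TLS listeners and per-IP outbound transports.

Added example for this forum thread; it is not iRedMail's or Postfix's code.
Only "-o name=value" overrides are parsed (the brace-quoted "-o { name = value }"
form of Postfix 3.0+ and pipe "flags=..." arguments are ignored).
"""
import re
from dataclasses import dataclass, field

# Constructed sample that follows the thread's master.cf; not a complete file.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=smtp-amavis:[127.0.0.1]:10024
smtp      unix  -       -       n       -       -       smtp
smtp-amavis unix -  -   -   -   2  smtp
    -o smtp_data_done_timeout=1200
    -o disable_dns_lookups=yes
192.168.1.100:smtp inet n  -   n   -   -  smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
  -o smtpd_tls_cert_file=/etc/ssl/certs/iRedMail_CA_Dovecot.pem
  -o smtpd_tls_key_file=/etc/ssl/private/iRedMail.key
192.168.1.101:smtp inet n  -   n   -   -  smtpd
  -o content_filter=smtp-amavis:[127.0.0.1]:10024
192.168.1.101:submission inet n  -  n   -   -  smtpd
  -o smtpd_tls_cert_file=/etc/ssl/certs/example.org_dovecot.pem
  -o smtpd_tls_key_file=/etc/ssl/private/example.org.key
  -o smtpd_tls_security_level=encrypt
  -o smtp_bind_address=192.168.1.101
#  -o smtp_helo_name=example.org
example_com  unix -  -  -  -  -  smtp
   -o smtp_bind_address=192.168.1.100
example_org  unix -  -  -  -  -  smtp
"""

# Constructed sender-domain -> transport map (shape of sender_dependent_default_transport_maps).
# example.net deliberately points at a transport that master.cf does not define.
SAMPLE_SENDER_TRANSPORTS = {
    "example.com": "example_com:",
    "example.org": "example_org:",
    "example.net": "example_net:",
}


@dataclass
class Service:
    name: str                                     # "192.168.1.100:smtp", "example_org", ...
    stype: str                                    # inet / unix / fifo / pass
    command: str                                  # smtpd, smtp, pipe, ...
    options: dict = field(default_factory=dict)   # -o overrides, last one wins

    @property
    def listen_addr(self):
        """Address of an inet service written as host:port; None when it listens on all interfaces."""
        if self.stype == "inet" and ":" in self.name:
            return self.name.rsplit(":", 1)[0]
        return None


_OPT = re.compile(r"^([^=\s]+)=(.*)$")


def _take_options(tokens, into):
    """Collect '-o name=value' pairs from a token list (service line tail or continuation line)."""
    i = 0
    while i < len(tokens):
        if tokens[i] == "-o" and i + 1 < len(tokens):
            m = _OPT.match(tokens[i + 1])
            if m:
                into[m.group(1)] = m.group(2)
            i += 2
        else:
            i += 1


def parse_master_cf(text):
    """Parse master.cf text into Service objects; lines starting with '#' are comments."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                 # a commented-out "-o" is ignored, as in Postfix
        if raw[0] in " \t":                          # whitespace-led line continues the previous service
            if not services:
                raise ValueError("continuation before any service line: %r" % raw)
            _take_options(raw.split(), services[-1].options)
            continue
        fields = raw.split()
        if len(fields) < 8:                          # service type private unpriv chroot wakeup maxproc command
            raise ValueError("malformed service line: %r" % raw)
        svc = Service(name=fields[0], stype=fields[1], command=fields[7])
        _take_options(fields[8:], svc.options)
        services.append(svc)
    return services


def audit(services, sender_transports):
    """Return (listeners, transports, warnings).

    listeners:  "ip:port" -> smtpd_tls_cert_file override (None = inherits main.cf)
    transports: transport name -> smtp_bind_address (None = main.cf value / OS default)
    """
    listeners, transports, warnings = {}, {}, []
    for s in services:
        if s.command == "smtpd":
            if s.listen_addr is None:
                continue                             # wildcard listener, nothing per-IP to check
            listeners[s.name] = s.options.get("smtpd_tls_cert_file")
            if listeners[s.name] is None:
                warnings.append("%s: no smtpd_tls_cert_file override, inherits the main.cf certificate" % s.name)
            if "smtp_bind_address" in s.options:
                # read by the smtp(8) client, not by smtpd(8): this override has no effect here
                warnings.append("%s: smtp_bind_address on an smtpd service does not affect outbound delivery" % s.name)
        elif s.command == "smtp":
            transports[s.name] = s.options.get("smtp_bind_address")
    for domain, target in sender_transports.items():
        tname = target.split(":", 1)[0]
        if tname not in transports:
            warnings.append("%s -> %s: transport is not defined in master.cf" % (domain, tname))
        elif transports[tname] is None:
            warnings.append("%s -> %s: transport has no smtp_bind_address, mail leaves via the default source address" % (domain, tname))
    return listeners, transports, warnings


if __name__ == "__main__":
    listeners, transports, warnings = audit(parse_master_cf(SAMPLE_MASTER_CF), SAMPLE_SENDER_TRANSPORTS)
    for name, cert in listeners.items():
        print("listener %-28s cert=%s" % (name, cert))
    for name, bind in transports.items():
        print("transport %-27s bind=%s" % (name, bind))
    for w in warnings:
        print("WARNING:", w)
```

Run it against a real file with `parse_master_cf(open("/etc/postfix/master.cf").read())` and a map built from whatever sender-dependent transport table the server uses; the warnings are the three mismatches this thread ran into.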

20 (edited by prrpp 2019-12-01 00:58:25)

Re: Postfix Multiple SSL Certificates

OK, old thread, but maybe you did find a solution? I'm running into the same issue. I want to use different domains with different certificates.
For the first domain all works fine, but when I want to access mail accounts from the second domain through Thunderbird I get cert issues, because the cert of the first domain will be served on imap.seconddomain.com:143.

imap/pop issue is solved by changing dovecot config like:
local_name imap.seconddomain.com {
    ssl_cert = </etc/letsencrypt/live/seconddomain.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/seconddomain.com/privkey.pem
}

But the issue with sending mails through SMTP still exists.
Is there a way to simply map different certs to different domains? Do I need virtual accounts for Postfix, or is it simply possible to use a different mail server with a DNS entry?
I'm really confused at the moment.
Thanks in advance

21

Re: Postfix Multiple SSL Certificates

prrpp wrote:

But the issue with sending mails through SMTP still exists.
Is there a way to simply map different certs to different domains? Do I need virtual accounts for Postfix, or is it simply possible to use a different mail server with a DNS entry?

Postfix doesn't support loading multiple certs.

Another solution is, using one cert for all your domains. Let's Encrypt supports this.

22

Re: Postfix Multiple SSL Certificates

ZhangHuangbin wrote:
prrpp wrote:

But the issue with sending mails through SMTP still exists.
Is there a way to simply map different certs to different domains? Do I need virtual accounts for Postfix, or is it simply possible to use a different mail server with a DNS entry?

Postfix doesn't support loading multiple certs.

Another solution is, using one cert for all your domains. Let's Encrypt supports this.

Thanks a lot, that works for me. I switched to one cert for multiple domains, covering the smtp, pop, imap and mail subdomains, created like:

certbot certonly --standalone --rsa-key-size 4096 \
-d mail.domain1.com -d imap.domain1.com -d pop.domain1.com -d smtp.domain1.com \
-d mail.domain2.com -d imap.domain2.com -d pop.domain2.com -d smtp.domain2.com

With that certificate there is no hassle with Thunderbird and receiving/sending emails. Thanks a lot again!
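
The single-certificate approach in the last two posts only works if every hostname a client is pointed at appears in the certificate's Subject Alternative Names; a missing "smtp." entry for one domain brings the Thunderbird warning straight back. The following is an added example, not iRedMail's, certbot's or Let's Encrypt's code. It takes the names a certificate carries (CERT_SANS is constructed from the certbot -d list above) and the client-facing hostnames of each mail domain, and applies the matching rules clients use (RFC 6125): comparison is case-insensitive, a wildcard is only valid as the whole left-most label, and a wildcard matches exactly one label, never the bare domain, a deeper name or an entire TLD. The SERVICE_LABELS list is an assumption taken from the subdomains used in the certbot command.

```python
"""Check that one certificate's SANs cover every hostname mail clients will connect to.

Added example for this forum thread; not code from iRedMail, certbot or Let's Encrypt.
"""

# Assumed per-domain client hostnames, taken from the certbot -d list in the thread.
SERVICE_LABELS = ("mail", "imap", "pop", "smtp")

# Constructed SAN list mirroring the certificate requested in the post above.
CERT_SANS = [
    "mail.domain1.com", "imap.domain1.com", "pop.domain1.com", "smtp.domain1.com",
    "mail.domain2.com", "imap.domain2.com", "pop.domain2.com", "smtp.domain2.com",
]


def required_names(domains, labels=SERVICE_LABELS):
    """Every hostname a client for these mail domains may be configured with."""
    return {"%s.%s" % (label, d) for d in domains for label in labels}


def _normalize(name):
    # DNS names are case-insensitive; a trailing dot is an absolute-name marker, not a label
    return name.strip().rstrip(".").lower()


def san_matches(san, host):
    """True if a dNSName SAN matches a hostname under RFC 6125 section 6.4.3 rules."""
    san, host = _normalize(san), _normalize(host)
    if not san or not host:
        return False
    if "*" not in san:
        return san == host
    if not san.startswith("*."):
        return False                      # "*" must be the entire left-most label ("w*.example" is rejected)
    suffix = san[2:]
    if "*" in suffix or "." not in suffix:
        return False                      # one wildcard only, and never one that spans a TLD ("*.com")
    head, sep, tail = host.partition(".")
    # the wildcard stands for exactly one non-empty label: "*.x.com" matches "a.x.com",
    # but neither "x.com" nor "a.b.x.com"
    return sep == "." and head != "" and tail == suffix


def uncovered(sans, domains, labels=SERVICE_LABELS):
    """Sorted list of required hostnames that no SAN in the certificate matches."""
    return sorted(h for h in required_names(domains, labels)
                  if not any(san_matches(s, h) for s in sans))


if __name__ == "__main__":
    for domains in (["domain1.com", "domain2.com"], ["domain1.com", "domain2.com", "domain3.com"]):
        gaps = uncovered(CERT_SANS, domains)
        print("domains %s -> %s" % (domains, "fully covered" if not gaps else "missing %s" % gaps))
```

To check a live certificate rather than a constructed list, feed the dNSName values printed by `openssl x509 -noout -ext subjectAltName` into `uncovered()`; any name it returns is one that still needs to be added to the next certbot run.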