Facebook
TwitterHans Huckebein
New Pleskian
I'm running Debian 7.5 (wheezy) and have 2 domains connected.
I managed to get postfix/courier to work with dedicated ssl certificate for one domain but not for both.
What I did as far as Courier is concerned
Replace the pop3d.pem/imapd.pem (both having the private key/certificate/ca certificate/bundle certificate) all from Thawte with the corresponding pop3d/imapd files but adding the ip addresses in the form
pop3d.pem.x.x.x.x /imapd.pem.x.x.x.x respectively.
The files are located in /usr/share
Postfix
added under /etc/postfix a new directory named keys and copied
the domain1.private.key domain1.cert.pem domain2.private.key domain2.cert.pem files into that directory
For postfix main.cf
- commented out
# smtpd_tls_cert_file = /etc/postfix/domain1.pem
# smtpd_tls_key_file = $smtpd_tls_cert_file
For postfix master.cf
- added/modified
smtp inet n - - - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=100
#
submission inet n - - - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#
smtps inet n - - - - smtpd
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=10
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# localhost
127.0.0.1:smtp inet n - y - 20 smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=100
-o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
-o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
#
127.0.0.1:smtps inet n - y - - smtpd
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=10
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
-o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
#
127.0.0.1:submission inet n - y - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
-o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
#
# www.domain1.de with ip xx.xx.xx.xx
xx.xx.xx.xx:smtp inet n - y - 20 smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=100
-o smtpd_tls_key_file=/etc/postfix/keys/domain1.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain1.cert.pem
#
xx.xx.xx.xx:smtps inet n - y - - smtpd
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=10
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/domain1.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain1.cert.pem
#
xx.xx.xx.xx:submission inet n - y - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/domain1.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain1.cert.pem
#
# domain2 with ip yy.yy.yy.yy
yy.yy.yy.yy:smtp inet n - y - 20 smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=100
-o smtpd_tls_key_file=/etc/postfix/keys/domain2.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain2.cert.pem
#
yy.yy.yy.yy:smtps inet n - y - - smtpd
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=10
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/domain2.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain2.cert.pem
#
yy.yy.yy.yy:submission inet n - y - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/domain2.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain2.cert.pem
After restarting the services I got an error for the line
-o smtpd_proxy_filter=127.0.0.1:10024
As I am not an expert at all (got the config from http://blog.wpkg.org/2013/07/31/postfix-and-multiple-ssl-certificates/) I don't know where to look for the problem.
I managed to get postfix/courier to work with dedicated ssl certificate for one domain but not for both.
What I did as far as Courier is concerned
Replace the pop3d.pem/imapd.pem (both having the private key/certificate/ca certificate/bundle certificate) all from Thawte with the corresponding pop3d/imapd files but adding the ip addresses in the form
pop3d.pem.x.x.x.x /imapd.pem.x.x.x.x respectively.
The files are located in /usr/share
Postfix
added under /etc/postfix a new directory named keys and copied
the domain1.private.key domain1.cert.pem domain2.private.key domain2.cert.pem files into that directory
For postfix main.cf
- commented out
# smtpd_tls_cert_file = /etc/postfix/domain1.pem
# smtpd_tls_key_file = $smtpd_tls_cert_file
For postfix master.cf
- added/modified
smtp inet n - - - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=100
#
submission inet n - - - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
#
smtps inet n - - - - smtpd
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=10
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# localhost
127.0.0.1:smtp inet n - y - 20 smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=100
-o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
-o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
#
127.0.0.1:smtps inet n - y - - smtpd
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=10
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
-o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
#
127.0.0.1:submission inet n - y - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
-o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt
#
# www.domain1.de with ip xx.xx.xx.xx
xx.xx.xx.xx:smtp inet n - y - 20 smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=100
-o smtpd_tls_key_file=/etc/postfix/keys/domain1.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain1.cert.pem
#
xx.xx.xx.xx:smtps inet n - y - - smtpd
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=10
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/domain1.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain1.cert.pem
#
xx.xx.xx.xx:submission inet n - y - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/domain1.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain1.cert.pem
#
# domain2 with ip yy.yy.yy.yy
yy.yy.yy.yy:smtp inet n - y - 20 smtpd
-o smtpd_proxy_filter=127.0.0.1:10024
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=100
-o smtpd_tls_key_file=/etc/postfix/keys/domain2.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain2.cert.pem
#
yy.yy.yy.yy:smtps inet n - y - - smtpd
-o content_filter=dksign:127.0.0.1:10027
-o smtpd_client_connection_count_limit=10
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/domain2.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain2.cert.pem
#
yy.yy.yy.yy:submission inet n - y - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_tls_key_file=/etc/postfix/keys/domain2.de.key
-o smtpd_tls_cert_file=/etc/postfix/keys/domain2.cert.pem
After restarting the services I got an error for the line
-o smtpd_proxy_filter=127.0.0.1:10024
As I am not an expert at all (got the config from http://blog.wpkg.org/2013/07/31/postfix-and-multiple-ssl-certificates/) I don't know where to look for the problem.