Multiple Certificates - Multiple IP addresses - Again

  • Ali Jawad
    Message 1 of 6, Nov 20, 2012
      Hi
      I have a postfix with 7 domains and 7 IPs, each domain has its own IP
      and everything is running fine, up till now I had one certificate for
      all domains in the following fashion in main.cf

      smtpd_use_tls = yes
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt
      smtpd_tls_key_file = /etc/postfix/domainssl/domain.key
      smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt

      This domain.crt is a valid certificate and for this particular
      domain it does not throw errors, however for all the remaining domains
      I get hostname mismatch errors.

      So far so good, I did purchase certificates for the remaining domains
      and did some research and read through the list and based on what I
      understood all I need to do is to add the below to master.cf and
      remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile
      from main.cf, and then add the below as said per domain to master.cf

      ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com
      -o smtpd_tls_wrappermode=yes -o
      smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key -o
      smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt -o
      smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

      I did this for all certificates, problem is that if I remove the
      certificate entries from main.cf I get an error that certificates can
      not be found and therefore STARTTLS is disabled, if I do however add
      the certificates to main.cf only that particular certificate shows for
      all domains, I am using Outlook at port 587 with TLS and I tried Auto
      instead of TLS as well.

      Please advise.

      Regards
    • Viktor Dukhovni
      Message 2 of 6, Nov 20, 2012
        On Wed, Nov 21, 2012 at 01:03:28AM +0200, Ali Jawad wrote:

        > Hi
        > I have a postfix with 7 domains and 7 IPs, each domain has its own IP
        > and everything is running fine, up till now I had one certificate for
        > all domains in the following fashion in main.cf
        >
        > smtpd_use_tls = yes
        > smtpd_tls_auth_only = yes
        > smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt
        > smtpd_tls_key_file = /etc/postfix/domainssl/domain.key
        > smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt
        >
        > This domain.crt is a valid certificate and for this particular
        > domain it does not throw errors, however for all the remaining domains
        > I get hostname mismatch errors.
        >
        > So far so good, I did purchase certificates for the remaining domains
        > and did some research and read through the list and based on what I
        > understood all I need to do is to add the below to master.cf and
        > remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile
        > from main.cf, and then add the below as said per domain to master.cf
        >
        > ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com
        > -o smtpd_tls_wrappermode=yes -o
        > smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key -o
        > smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt -o
        > smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

        See the master.cf documentation, long lines are continued by
        prepending leading whitespace on the continuation lines:

        192.0.2.1:smtp inet n - n - - smtpd
            -o myhostname=mail.example.com
            -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
            -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem

        - Do make sure all the cert and key files are in PEM format.
        - Do append the PEM certificates of all intermediate CAs to the
        server certificate file in order from leaf to root:

        ----- BEGIN ...
        base64-encoded server cert
        ----- END ...
        ----- BEGIN ...
        base64-encoded intermediate cert that signed previous cert
        ----- END ...
        ----- BEGIN ...
        base64-encoded intermediate cert that signed previous cert
        ----- END ...
        ----- BEGIN ...
        optional base64-encoded root cert, typically leave it out
        ----- END ...

        - DO NOT enable wrappermode on a port 25 SMTP server.
        - DO NOT define the CAfile in master.cf; it is the same for all the
        certificates, and is typically not needed at all, but can in any
        case be set in main.cf. The CA file, if used, should contain PEM-encoded
        root CA certificates.

        So these options should NOT be set:

        # -o smtpd_tls_wrappermode=yes
        # -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

        When you change master.cf, you need to "reload" postfix for the
        changes to take effect.

        --
        Viktor.
      • Ali Jawad
        Message 3 of 6, Nov 20, 2012
          Hi Viktor
          Thank you for the input, my master.cf looks as follows now:

          x.x.x.x:smtp inet n - n - - smtpd
          -o myhostname=mail.domain.com
          -o smtpd_tls_key_file=/etc/postfix/domainssl/mail.domain.com.key
          -o smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain.com.crt

          with this setting I still get only the certificate defined in
          /etc/main.cf; if I remove the certificate in /etc/main.cf I only get


          Nov 21 00:41:42 root379 postfix/smtpd[18650]: warning: No server certs
          available. TLS won't be enabled

          In logs.

          Please advise.

        • Ali Jawad
          Message 4 of 6, Nov 20, 2012
            On a separate but related note, I did notice that even though I
            connect on different IPs using telnet IP 25 I always get the default
            myhostname; does the -o myhostname setting overwrite that value?
            Regards

          • Ali Jawad
            Message 5 of 6, Nov 20, 2012
              Sorry that should have been telnet ip 587 not telnet ip 25 as you can
              not connect to port 25.
              Regards

            • Viktor Dukhovni
              Message 6 of 6, Nov 21, 2012
                On Wed, Nov 21, 2012 at 02:14:25AM +0200, Ali Jawad wrote:

                > Sorry that should have been telnet ip 587 not telnet ip 25 as you can
                > not connect to port 25.

                Well, your configuration settings *are* for port 25. So testing
                port 587 is futile.

                > >> x.x.x.x:smtp inet n - n - - smtpd
                > >> -o myhostname=mail.domain.com
                > >> -o smtpd_tls_key_file=/etc/postfix/domainssl/mail.domain.com.key
                > >> -o smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain.com.crt

                The ":smtp" part after the IP address is the port name in /etc/services.
                If testing shows that you don't see the master.cf key/cert settings,
                then you're testing a service other than the one you configured.

                --
                Viktor.
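An added example, not code from the thread or from the Postfix project, that puts Viktor's two points (message 2 and message 6) into runnable form: per-address master.cf entries written with whitespace-continued lines, plus a matching entry for port 587 (since ":smtp" is port 25 in /etc/services and Outlook in the thread connects to 587); a check that a PEM bundle is ordered leaf first, then the intermediate that signed it; and a probe that shows which certificate a given address and port actually present. Assumed here, and not from the thread: the 192.0.2.1 / mail.example.com placeholders, the cert-HOST.pem / key-HOST.pem naming under /etc/postfix/domainssl/, the openssl command-line tool for the two checks, and that the submission service should require TLS (smtpd_tls_security_level=encrypt).

```shell
#!/bin/sh
# Added example; not from the postfix-users thread or the Postfix project.
# Assumptions: RFC 5737 placeholder address, /etc/postfix/domainssl/ layout
# from the thread, and the openssl CLI for check_chain_order and probe_cert.

# master_entries IP HOSTNAME
# Prints master.cf entries for one address: the port-25 service ("smtp" in
# /etc/services, the one the thread configures) and the port-587 service
# ("submission", the one the thread's Outlook client connects to). Each
# continuation line begins with whitespace, which is how master.cf joins it
# to the service line. No wrappermode, no per-service CAfile.
master_entries() {
    ip=$1
    host=$2
    dir=/etc/postfix/domainssl
    for svc in smtp submission; do
        printf '%s:%s inet n - n - - smtpd\n' "$ip" "$svc"
        printf '  -o myhostname=%s\n' "$host"
        printf '  -o smtpd_tls_cert_file=%s/cert-%s.pem\n' "$dir" "$host"
        printf '  -o smtpd_tls_key_file=%s/key-%s.pem\n' "$dir" "$host"
        if [ "$svc" = submission ]; then
            # Assumption: submission should insist on TLS before AUTH.
            printf '  -o smtpd_tls_security_level=encrypt\n'
        fi
    done
}

# split_certs BUNDLE OUTDIR
# Writes each CERTIFICATE block of BUNDLE to OUTDIR/c01.pem, c02.pem, ...
# in file order. Private-key blocks and other PEM types are skipped.
split_certs() {
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inc = 1; f = sprintf("%s/c%02d.pem", dir, n) }
        inc { print > f }
        /^-----END CERTIFICATE-----/   { inc = 0 }
    ' "$1"
}

# check_chain_order BUNDLE
# Verifies the leaf-to-root order Viktor describes: certificate i must have
# been issued by certificate i+1, i.e. its issuer DN equals the next subject
# DN. Returns 0 when ordered, 1 when not, 2 when openssl is unavailable.
check_chain_order() {
    command -v openssl >/dev/null 2>&1 || return 2
    tmp=$(mktemp -d) || return 2
    split_certs "$1" "$tmp"
    [ -e "$tmp/c01.pem" ] || { rm -rf "$tmp"; return 1; }
    rc=0
    want=""
    for f in "$tmp"/c*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
        if [ -n "$want" ] && [ "$want" != "$subj" ]; then
            printf 'out of order: %s has subject "%s" but the previous cert was issued by "%s"\n' \
                "$f" "$subj" "$want" >&2
            rc=1
        fi
        want=$iss
    done
    rm -rf "$tmp"
    return $rc
}

# probe_cert IP PORT
# Does the STARTTLS handshake a client on that port would do and prints the
# subject of the certificate the service actually presented. Run it against
# both 25 and 587: a test against 587 cannot show settings that were placed
# on the ":smtp" (port 25) service, which is the mix-up at the end of the thread.
probe_cert() {
    openssl s_client -connect "$1:$2" -starttls smtp </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Usage:
#   master_entries 192.0.2.1 mail.example.com >> /etc/postfix/master.cf && postfix reload
#   check_chain_order /etc/postfix/domainssl/cert-mail.example.com.pem
#   probe_cert 192.0.2.1 25; probe_cert 192.0.2.1 587
master_entries 192.0.2.1 mail.example.com
```

Repeat master_entries once per address, keep main.cf's smtpd_tls_cert_file and smtpd_tls_key_file pointing at one of the certificates so the default services still have something to offer (this avoids the "No server certs available" warning from message 3), and reload Postfix after editing master.cf.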