Re: Multiple Certificates - Multiple IP addresses - Again

  • Ali Jawad
    Message 1 of 6 , Nov 20, 2012
      Sorry that should have been telnet ip 587 not telnet ip 25 as you can
      not connect to port 25.
      Regards

      On Wed, Nov 21, 2012 at 2:13 AM, Ali Jawad <alijawad1@...> wrote:
      > On a separate but related note, I did notice that even though I
      > connect on different IPs using telnet IP 25 I always get the default
      > myhostname, does the -o myhostname setting overwrite that value?
      > Regards
      >
      > On Wed, Nov 21, 2012 at 1:43 AM, Ali Jawad <alijawad1@...> wrote:
      >> Hi Victor
      >> Thank you for the input my master.cf looks as follows now :
      >>
      >> x.x.x.x:smtp inet n - n - - smtpd
      >> -o myhostname=mail.domain.com
      >> -o smtpd_tls_key_file=/etc/postfix/domainssl/mail.domain.com.key
      >> -o smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain.com.crt
      >>
      >> with this setting I still only get the certificate defined in
      >> /etc/main.cf, if I remove the certificate in /etc/main.cf I only get
      >>
      >>
      >> Nov 21 00:41:42 root379 postfix/smtpd[18650]: warning: No server certs
      >> available. TLS won't be enabled
      >>
      >> In logs.
      >>
      >> Please advise.
      >>
      >> On Wed, Nov 21, 2012 at 1:24 AM, Viktor Dukhovni
      >> <postfix-users@...> wrote:
      >>> On Wed, Nov 21, 2012 at 01:03:28AM +0200, Ali Jawad wrote:
      >>>
      >>>> Hi
      >>>> I have a postfix with 7 domains and 7 IPs, each domain has its own IP
      >>>> and everything is running fine, up till now I had one certificate for
      >>>> all domains in the following fashion in main.cf
      >>>>
      >>>> smtpd_use_tls = yes
      >>>> smtpd_tls_auth_only = yes
      >>>> smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt
      >>>> smtpd_tls_key_file = /etc/postfix/domainssl/domain.key
      >>>> smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt
      >>>>
      >>>> This domain.crt is a valid certificate and for this particular
      >>>> domain it does not throw errors, however for all the remaining domains
      >>>> I get hostname mismatch errors.
      >>>>
      >>>> So far so good, I did purchase certificates for the remaining domains
      >>>> and did some research and read through the list and based on what I
      >>>> understood all I need to do is add the below to master.cf and
      >>>> remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile
      >>>> from main.cf, and then add the below as said per domain to master.cf
      >>>>
      >>>> ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com
      >>>> -o smtpd_tls_wrappermode=yes -o
      >>>> smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key -o
      >>>> smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt -o
      >>>> smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt
      >>>
      >>> See the master.cf documentation, long lines are continued by
      >>> prepending leading whitespace on the continuation lines:
      >>>
      >>> 192.0.2.1:smtp inet n - n - - smtpd
      >>>   -o myhostname=mail.example.com
      >>>   -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
      >>>   -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem
      >>>
      >>> - Do make sure all the cert and key files are in PEM format.
      >>> - Do append the PEM certificates of all intermediate CAs to the
      >>> server certificate file in order from leaf to root:
      >>>
      >>> ----- BEGIN ...
      >>> base64-encoded server cert
      >>> ----- END ...
      >>> ----- BEGIN ...
      >>> base64-encoded intermediate cert that signed previous cert
      >>> ----- END ...
      >>> ----- BEGIN ...
      >>> base64-encoded intermediate cert that signed previous cert
      >>> ----- END ...
      >>> ----- BEGIN ...
      >>> optional base64-encoded root cert, typically leave it out
      >>> ----- END ...
      >>>
      >>> - DO NOT enable wrappermode on a port 25 SMTP server.
      >>> - DO NOT define the CAfile in master.cf, it is the same for all the
      >>> certificates, and is typically not needed at all, but can in any
      >>> case be set in main.cf. The CA file, if used, should contain PEM encoded
      >>> root CA certificates.
      >>>
      >>> So these options should NOT be set:
      >>>
      >>> # -o smtpd_tls_wrappermode=yes
      >>> # -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt
      >>>
      >>> When you change master.cf, you need to "reload" postfix for the
      >>> changes to take effect.
      >>>
      >>> --
      >>> Viktor.
    • Viktor Dukhovni
      Message 2 of 6 , Nov 21, 2012
        On Wed, Nov 21, 2012 at 02:14:25AM +0200, Ali Jawad wrote:

        > Sorry that should have been telnet ip 587 not telnet ip 25 as you can
        > not connect to port 25.

        Well, your configuration settings *are* for port 25. So testing
        port 587 is futile.

        > >> x.x.x.x:smtp inet n - n - - smtpd
        > >> -o myhostname=mail.domain.com
        > >> -o smtpd_tls_key_file=/etc/postfix/domainssl/mail.domain.com.key
        > >> -o smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain.com.crt

        The ":smtp" part after the IP address is the port name in /etc/services.
        If testing shows that you don't see the master.cf key/cert settings,
        then you're testing a service other than the one you configured.

        --
        Viktor.
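An added example, not code from the thread or from Postfix: a small Python linter that applies the master.cf rules Viktor gives in both replies (continuation lines must start with whitespace, each per-IP ":smtp" smtpd listener needs its own cert and key override, and neither wrappermode nor CAfile belongs on the port 25 listener). The master.cf text, IP addresses and file paths below are constructed.

```python
# Constructed master.cf (not from the thread): listener 1 follows Viktor's layout, listener 2
# repeats the two options he says not to set and omits the key file.
SAMPLE_MASTER_CF = """\
192.0.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.example.com
  -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
  -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem
192.0.2.2:smtp inet n - n - - smtpd
  -o myhostname=mail.example.net
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.net.pem
  -o smtpd_tls_CAfile=/etc/postfix/domainssl/ca.pem
"""

def parse_master_cf(text):
    """Group lines into service entries; a line beginning with whitespace continues the previous one."""
    services, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and services:
            services[-1]["args"] += line.split()  # continuation line carrying more -o options
        elif line.startswith("-o"):
            # The layout bug from the thread: Postfix would read this as a new service line.
            errors.append(f"line {lineno}: '-o' option line lacks leading whitespace")
        else:
            f = line.split()  # name type private unpriv chroot wakeup maxproc command [args...]
            if len(f) < 8:
                errors.append(f"line {lineno}: service line has fewer than 8 fields")
                continue
            services.append({"name": f[0], "type": f[1], "command": f[7], "args": f[8:]})
    return services, errors

def lint_tls_listeners(text):
    """Apply the thread's rules to each per-IP ':smtp' smtpd listener; returns a list of problems."""
    services, problems = parse_master_cf(text)
    for svc in services:
        if svc["type"] != "inet" or svc["command"] != "smtpd" or not svc["name"].endswith(":smtp"):
            continue
        args = svc["args"]  # pair every "-o" with the name=value token that follows it
        o = dict(a.partition("=")[::2] for t, a in zip(args, args[1:]) if t == "-o")
        if o.get("smtpd_tls_wrappermode") == "yes":
            problems.append(f"{svc['name']}: smtpd_tls_wrappermode=yes on a port 25 SMTP service")
        if "smtpd_tls_CAfile" in o:
            problems.append(f"{svc['name']}: smtpd_tls_CAfile belongs in main.cf, not master.cf")
        for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
            if key not in o:
                problems.append(f"{svc['name']}: missing -o {key}")
    return problems
```

Run `lint_tls_listeners(open("/etc/postfix/master.cf").read())` against a real file; an empty list means every port 25 listener carries its own cert and key and none of the flagged options, after which `postfix reload` is still needed for the change to take effect.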