On 5/21/2010 9:29 AM, Phil Howard wrote:
I was originally setting up for one hostname to which outgoing email
would be sent.  Now it looks like we have some internal users that
cannot reach the firewall (because they are in a no-internet-access
zone).  It turns out, for them to get to the mail server, they have to
address it as a different hostname, and that will need a different SSL
certificate with a CN for that hostname, on a different IP address.
Alternatively, I could juggle DNS around somehow so they can use the
same hostname while reaching a different IP address.  But I want to
avoid doing that (and also avoid having them connect non-SSL even though
it is internal ... we want all inter-zone traffic to be SSL).

So basically, I'm looking at running two instances of SMTPD, each on a
different IP address, and each with a different SSL certificate (both
being server certificates signed by an internal CA that users will
import into their user agent CA cert collection).  I see two
approaches.  One is just two daemons specified in master.cf.  But I
don't see how to give them each a different certificate.

Add -o smtpd_tls_key_file=... -o smtpd_tls_cert_file=... lines to your master.cf alternate smtpd listener. For completeness you can also use -o myhostname=foo.example.com to match the expected name.
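As an added illustration of that answer (not part of the original thread), here is a master.cf fragment with two smtpd listeners, each bound to its own IP address and each presenting its own certificate. The addresses, hostnames and file paths are constructed placeholders; the `smtpd_tls_security_level=encrypt` override is an assumption added to match the stated goal that all inter-zone traffic be TLS, and is not something the reply itself mentions.

```text
# master.cf (constructed example)
# service              type  private unpriv chroot wakeup maxproc command + args
#
# Listener 1: firewall-facing address, uses the default certificate
# configured in main.cf (smtpd_tls_cert_file / smtpd_tls_key_file).
192.0.2.10:smtp        inet  n       -      n      -      -       smtpd

# Listener 2: address reachable from the no-internet zone. The -o lines
# override main.cf for this service only; they must be indented so that
# master.cf treats them as continuation lines of the smtpd entry.
198.51.100.10:smtp     inet  n       -      n      -      -       smtpd
  -o myhostname=mail-internal.example.com
  -o smtpd_tls_cert_file=/etc/postfix/tls/mail-internal.example.com.crt
  -o smtpd_tls_key_file=/etc/postfix/tls/mail-internal.example.com.key
  -o smtpd_tls_security_level=encrypt
```

After a `postfix reload`, each address can be checked independently with `openssl s_client -connect 198.51.100.10:25 -starttls smtp` and the same for the other IP; the subject CN shown in the handshake output should match the hostname the clients in that zone use. Note that `myhostname` also changes the name used in the SMTP banner and Received headers for mail arriving on that listener, which is the intended effect here.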


The other is a multi-instance Postfix.  But I'm worried
that a multi-instance setup might have problems with using the same set
of domain names, and perhaps even problems with instantiating Dovecot
being used to do the delivery (e.g. virtual transport).

This would work too; use relayhost to tell the alternate instance to deliver everything to the primary instance for final delivery.

  -- Noel Jones
