On Wed, Nov 21, 2012 at 01:03:28AM +0200, Ali Jawad wrote:

> Hi
>
> I have a postfix with 7 domains and 7 IPs, each domain has its own IP
> and everything is running fine, up till now I had one certificate for
> all domains in the following fashion in main.cf
>
> smtpd_use_tls = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt
> smtpd_tls_key_file = /etc/postfix/domainssl/domain.key
> smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt
>
> This domain.crt is a valid certificate and for this particular
> domain it does not throw errors, however for all the remaining domains
> I get hostname mismatch errors.
>
> So far so good, I did purchase certificates for the remaining domains
> and did some research and read through the list and based on what I
> understood all I need to do is add the below to master.cf and
> remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile
> from main.cf, and then add the below as said per domain to master.cf
>
> ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com
> -o smtpd_tls_wrappermode=yes -o
> smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key -o
> smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt -o
> smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt
See the master.cf documentation, long lines are continued by prepending
leading whitespace on the continuation lines:

    192.0.2.1:smtp inet n - n - - smtpd
        -o myhostname=mail.example.com
        -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
        -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem

- Do make sure all the cert and key files are in PEM format.

- Do append the PEM certificates of all intermediate CAs to the server
  certificate file in order from leaf to root:

    -----BEGIN ...
    base64-encoded server cert
    -----END ...
    -----BEGIN ...
    base64-encoded intermediate cert that signed previous cert
    -----END ...
    -----BEGIN ...
    base64-encoded intermediate cert that signed previous cert
    -----END ...
    -----BEGIN ...
    optional base64-encoded root cert, typically leave it out
    -----END ...

- DO NOT enable wrappermode on a port 25 SMTP server.

- DO NOT define the CAfile in master.cf, it is the same for all the
  certificates, and is typically not needed at all, but can in any case
  be set in main.cf. The CA file, if used, should contain PEM encoded
  root CA certificates.

So these options should NOT be set:

    # -o smtpd_tls_wrappermode=yes
    # -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt

When you change master.cf, you need to "reload" postfix for the changes
to take effect.

-- 
	Viktor.
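An added example, not code from this reply or from Postfix itself: a small Go program that checks a PEM bundle the way the advice above requires for smtpd_tls_cert_file (server certificate first, each certificate signed by the one after it) and points out a trailing self-signed root. The function names and the throwaway root/intermediate/server chain it mints are constructed for the demonstration, not real CA material.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// CheckChainOrder checks that a PEM bundle is ordered as Postfix expects in smtpd_tls_cert_file:
// server cert first, then each intermediate that signed the cert before it. An empty result is a pass.
func CheckChainOrder(bundle []byte) (findings []string) {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(b.Bytes); err == nil { // blocks that are not certificates are skipped
			certs = append(certs, c)
		}
	}
	for i := 0; i+1 < len(certs); i++ { // each cert must be signed by the one after it
		if certs[i].CheckSignatureFrom(certs[i+1]) != nil {
			findings = append(findings, "cert "+certs[i].Subject.CommonName+" is not signed by the cert after it")
		}
	}
	if n := len(certs); n == 0 {
		return []string{"no certificates found"}
	} else if certs[n-1].CheckSignatureFrom(certs[n-1]) == nil {
		findings = append(findings, "bundle ends with a self-signed root; usually leave it out")
	}
	return findings
}

// ConstructedChain mints a throwaway root, intermediate and server cert (test data, not a real CA)
// and returns them PEM-encoded in that order: pems[0] root, pems[1] intermediate, pems[2] server.
func ConstructedChain() (pems [3][]byte) {
	var tmpl [3]*x509.Certificate
	var key [3]ed25519.PrivateKey
	for i, cn := range []string{"Test Root", "Test Intermediate", "mail.example.com"} {
		_, key[i], _ = ed25519.GenerateKey(rand.Reader)
		tmpl[i] = &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: i < 2}
		p := []int{0, 0, 1}[i] // the root signs itself; each later cert is signed by the one before it
		der, _ := x509.CreateCertificate(rand.Reader, tmpl[i], tmpl[p], key[i].Public(), key[p])
		pems[i] = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return pems
}
```

To check a real bundle, read the file and pass its bytes to CheckChainOrder; a bundle that ends with the root is reported but is not an error for Postfix.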