Hi Viktor,

Thank you for the input. My master.cf looks as follows now:

x.x.x.x:smtp inet n - n - - smtpd -o myhostname=mail.domain.com -o smtpd_tls_key_file=/etc/postfix/domainssl/mail.domain.com.key -o smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain.com.crt

With this setting I still get only the certificate defined in /etc/main.cf. If I remove the certificate in /etc/main.cf I only get

Nov 21 00:41:42 root379 postfix/smtpd[18650]: warning: No server certs available. TLS won't be enabled

in the logs. Please advise.

On Wed, Nov 21, 2012 at 1:24 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Wed, Nov 21, 2012 at 01:03:28AM +0200, Ali Jawad wrote:
>
>> Hi
>> I have a postfix with 7 domains and 7 IPs, each domain has its own IP
>> and everything is running fine. Up till now I had one certificate for
>> all domains in the following fashion in main.cf
>>
>> smtpd_use_tls = yes
>> smtpd_tls_auth_only = yes
>> smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt
>> smtpd_tls_key_file = /etc/postfix/domainssl/domain.key
>> smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt
>>
>> This domain.crt is a valid certificate and for this particular
>> domain it does not throw errors, however for all the remaining domains
>> I get hostname mismatch errors.
>>
>> So far so good. I did purchase certificates for the remaining domains
>> and did some research and read through the list, and based on what I
>> understood all I need to do is add the below to master.cf and
>> remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile
>> from main.cf, and then add the below per domain to master.cf
>>
>> ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com
>> -o smtpd_tls_wrappermode=yes -o
>> smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key -o
>> smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt -o
>> smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt
>
> See the master.cf documentation, long lines are continued by
> prepending leading whitespace on the continuation lines:
>
>     192.0.2.1:smtp inet n - n - - smtpd
>       -o myhostname=mail.example.com
>       -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
>       -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem
>
> - Do make sure all the cert and key files are in PEM format.
> - Do append the PEM certificates of all intermediate CAs to the
>   server certificate file in order from leaf to root:
>
>     ----- BEGIN ...
>     base64-encoded server cert
>     ----- END ...
>     ----- BEGIN ...
>     base64-encoded intermediate cert that signed previous cert
>     ----- END ...
>     ----- BEGIN ...
>     base64-encoded intermediate cert that signed previous cert
>     ----- END ...
>     ----- BEGIN ...
>     optional base64-encoded root cert, typically leave it out
>     ----- END ...
>
> - DO NOT enable wrappermode on a port 25 SMTP server.
> - DO NOT define the CAfile in master.cf, it is the same for all the
>   certificates, and is typically not needed at all, but can in any
>   case be set in main.cf. The CA file, if used, should contain PEM encoded
>   root CA certificates.
>
> So these options should NOT be set:
>
>     # -o smtpd_tls_wrappermode=yes
>     # -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt
>
> When you change master.cf, you need to "reload" postfix for the
> changes to take effect.
>
> --
> Viktor.
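As an added illustration of the two points in the quoted reply (leading-whitespace continuation lines, and the per-service options that must not be set on a port 25 listener), here is a small Python checker that is not part of the thread or of Postfix; the master.cf excerpt, hostnames and file paths in it are constructed sample values.

```python
from typing import Dict, List, Tuple
# Constructed master.cf excerpt (not from the thread): the first listener uses the
# recommended continuation lines, the second carries the two options to avoid.
SAMPLE_MASTER_CF = """\
192.0.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.example.com
  -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
  -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem
192.0.2.2:smtp inet n - n - - smtpd -o myhostname=mail.example.net
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_CAfile=/etc/postfix/domainssl/ca.pem
smtp unix - - n - - smtp
"""

def parse_master_cf(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Return (service name, type, {-o key: value}) per entry, joining continuations."""
    entries: List[str] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank or comment line
        if line[0] in " \t" and entries:
            entries[-1] += " " + line.strip()  # leading whitespace = continuation
        else:
            entries.append(line.strip())
    services = []
    for entry in entries:
        fields = entry.split()
        overrides: Dict[str, str] = {}
        for i, tok in enumerate(fields):
            if tok == "-o" and i + 1 < len(fields) and "=" in fields[i + 1]:
                key, val = fields[i + 1].split("=", 1)
                overrides[key] = val
        services.append((fields[0], fields[1], overrides))
    return services

def lint_tls_overrides(text: str) -> Dict[str, List[str]]:
    """Apply the reply's rules to each inet listener on the smtp (port 25) service."""
    findings: Dict[str, List[str]] = {}
    for name, stype, opts in parse_master_cf(text):
        if stype != "inet" or name.rsplit(":", 1)[-1] != "smtp":
            continue  # the unix-socket smtp client and other services are out of scope
        problems: List[str] = []
        if opts.get("smtpd_tls_wrappermode") == "yes":
            problems.append("smtpd_tls_wrappermode=yes on a port 25 listener")
        if "smtpd_tls_CAfile" in opts:
            problems.append("smtpd_tls_CAfile set per service; belongs in main.cf if at all")
        if ("smtpd_tls_cert_file" in opts) != ("smtpd_tls_key_file" in opts):
            problems.append("smtpd_tls_cert_file and smtpd_tls_key_file must be set together")
        findings[name] = problems
    return findings
```

Running lint_tls_overrides on a real /etc/postfix/master.cf before `postfix reload` shows which listener still carries the discouraged options; the first sample listener comes back clean and the second reports both.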