On a seperate but related note, I did notice that even though I connect on differnet IPs using telnet IP 25 I always get the default myhostname, the -o myhostname setting overwrite that value ? Regards
On Wed, Nov 21, 2012 at 1:43 AM, Ali Jawad <alijaw...@gmail.com> wrote: > Hi Victor > Thank you for the input my master.cf looks as follows now : > > x.x.x.x:smtp inet n - n - - smtpd > -o myhostname=mail.domain.com > -o smtpd_tls_key_file=/etc/postfix/domainssl/mail.domain.com.key > -o smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain.com.crt > > with this setting I still do get only the certificate of the > certificate defined in /etc/main.cf, if I remove the certificatet in > /etc/main.cf I only get > > > Nov 21 00:41:42 root379 postfix/smtpd[18650]: warning: No server certs > available. TLS won't be enabled > > In logs. > > Please advice. > > On Wed, Nov 21, 2012 at 1:24 AM, Viktor Dukhovni > <postfix-us...@dukhovni.org> wrote: >> On Wed, Nov 21, 2012 at 01:03:28AM +0200, Ali Jawad wrote: >> >>> Hi >>> I have a postfix with 7 domains and 7 IPs, each domain has it's own IP >>> and everything is running fine, up till now I had one certificate for >>> all domains in the following fashion in main.cf >>> >>> smtpd_use_tls = yes >>> smtpd_tls_auth_only = yes >>> smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt >>> smtpd_tls_key_file = /etc/postfix/domainssl/domain.key >>> smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt >>> >>> This is domain.crt is a valid certificate and for this particular >>> domain it does not throw errors, however for all the remaining domains >>> I get hostname mismatch errors. >>> >>> So far so good, I did purchase certificates for the remaining domains >>> and did some research and read through the list and based on what I >>> understood all I need to do is the add the below to master.cf and >>> remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile >>> from main.cf, and then add the below as said per domain to master.cf >>> >>> ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com >>> -o smtpd_tls_wrappermode=yes -o >>> smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key -o >>> smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt -o >>> smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt >> >> See the master.cf documentation, long lines are continued by >> prepending leading whitespace on the continuation lines: >> >> 192.0.2.1:smtp inet n - n - - smtpd >> -o myhostname=mail.example.com >> -o >> smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem >> -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem >> >> - Do make sure all the cert and key files are in PEM format. >> - Do append the PEM certificates of all intermediate CAs to the >> the server certificate file in order from leaf to root: >> >> ----- BEGIN ... >> base64-encoded server cert >> ----- END ... >> ----- BEGIN ... >> base64-encoded intermediate cert that signed previous cert >> ----- END ... >> ----- BEGIN ... >> base64-encoded intermediate cert that signed previous cert >> ----- END ... >> ----- BEGIN ... >> optional base64-encoded root cert, typically leave it out >> ----- END ... >> >> - DO NOT enable wrappermode on a port 25 SMTP server. >> - DO NOT define the CAfile in master.cf, it is the same for all the >> certificates, and is typically not needed at all, but can in any >> case be set in main.cf The CA file if used should contain PEM encoded >> root CA certificates. >> >> So these options should NOT be set: >> >> # -o smtpd_tls_wrappermode=yes >> # -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt >> >> When you change master.cf, you need to "reload" postfix for the >> changes to take effect. >> >> -- >> Viktor.
