Sorry, that should have been telnet ip 587, not telnet ip 25, as you cannot connect to port 25.

Regards

On Wed, Nov 21, 2012 at 2:13 AM, Ali Jawad <alijaw...@gmail.com> wrote:
> On a separate but related note, I did notice that even though I
> connect on different IPs using telnet IP 25 I always get the default
> myhostname, the -o myhostname setting overwrite that value?
> Regards
>
> On Wed, Nov 21, 2012 at 1:43 AM, Ali Jawad <alijaw...@gmail.com> wrote:
>> Hi Victor
>> Thank you for the input, my master.cf looks as follows now:
>>
>> x.x.x.x:smtp inet n - n - - smtpd
>>   -o myhostname=mail.domain.com
>>   -o smtpd_tls_key_file=/etc/postfix/domainssl/mail.domain.com.key
>>   -o smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain.com.crt
>>
>> With this setting I still do get only the certificate of the
>> certificate defined in /etc/main.cf, if I remove the certificate in
>> /etc/main.cf I only get
>>
>>
>> Nov 21 00:41:42 root379 postfix/smtpd[18650]: warning: No server certs available. TLS won't be enabled
>>
>> in logs.
>>
>> Please advise.
>>
>> On Wed, Nov 21, 2012 at 1:24 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>>> On Wed, Nov 21, 2012 at 01:03:28AM +0200, Ali Jawad wrote:
>>>
>>>> Hi
>>>> I have a postfix with 7 domains and 7 IPs, each domain has its own IP
>>>> and everything is running fine, up till now I had one certificate for
>>>> all domains in the following fashion in main.cf
>>>>
>>>> smtpd_use_tls = yes
>>>> smtpd_tls_auth_only = yes
>>>> smtpd_tls_cert_file = /etc/postfix/domainssl/domain.crt
>>>> smtpd_tls_key_file = /etc/postfix/domainssl/domain.key
>>>> smtpd_tls_CAfile = /etc/postfix/domainssl/comodo_CA.txt
>>>>
>>>> This domain.crt is a valid certificate and for this particular
>>>> domain it does not throw errors, however for all the remaining domains
>>>> I get hostname mismatch errors.
>>>>
>>>> So far so good, I did purchase certificates for the remaining domains
>>>> and did some research and read through the list and based on what I
>>>> understood all I need to do is to add the below to master.cf and
>>>> remove smtpd_tls_cert_file and smtpd_tls_key_file and smtpd_tls_CAfile
>>>> from main.cf, and then add the below as said per domain to master.cf
>>>>
>>>> ip.ip.ip.ip:smtp inet n - n - - smtpd -o myhostname=mail.domain2.com
>>>> -o smtpd_tls_wrappermode=yes -o
>>>> smtpd_tls_key_file=/etc/postfix/domainssl/mail.domian2.com.key -o
>>>> smtpd_tls_cert_file=/etc/postfix/domainssl/mail.domain2.com.crt -o
>>>> smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt
>>>
>>> See the master.cf documentation, long lines are continued by
>>> prepending leading whitespace on the continuation lines:
>>>
>>> 192.0.2.1:smtp inet n - n - - smtpd
>>>     -o myhostname=mail.example.com
>>>     -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
>>>     -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem
>>>
>>> - Do make sure all the cert and key files are in PEM format.
>>> - Do append the PEM certificates of all intermediate CAs to the
>>>   server certificate file in order from leaf to root:
>>>
>>>     ----- BEGIN ...
>>>     base64-encoded server cert
>>>     ----- END ...
>>>     ----- BEGIN ...
>>>     base64-encoded intermediate cert that signed previous cert
>>>     ----- END ...
>>>     ----- BEGIN ...
>>>     base64-encoded intermediate cert that signed previous cert
>>>     ----- END ...
>>>     ----- BEGIN ...
>>>     optional base64-encoded root cert, typically leave it out
>>>     ----- END ...
>>>
>>> - DO NOT enable wrappermode on a port 25 SMTP server.
>>> - DO NOT define the CAfile in master.cf, it is the same for all the
>>>   certificates, and is typically not needed at all, but can in any
>>>   case be set in main.cf. The CA file, if used, should contain PEM encoded
>>>   root CA certificates.
>>>
>>> So these options should NOT be set:
>>>
>>> # -o smtpd_tls_wrappermode=yes
>>> # -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt
>>>
>>> When you change master.cf, you need to "reload" postfix for the
>>> changes to take effect.
>>>
>>> --
>>> Viktor.
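
Added example (not part of the thread and not Postfix's own tooling): a small Python check for the master.cf mistakes discussed above, namely option lines without leading whitespace, smtpd_tls_wrappermode on a port 25 service, smtpd_tls_CAfile set per service, and a certificate override without its key. The sample entries, addresses and file names are constructed, and only the `-o name=value` option form is handled.

```python
# Constructed sample master.cf; addresses, hostnames and paths are placeholders.
SAMPLE = """\
192.0.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.example.com
  -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.com.pem
  -o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.com.pem
192.0.2.2:smtp inet n - n - - smtpd
  -o myhostname=mail.example.net
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_CAfile=/etc/postfix/domainssl/comodo_CA.txt
  -o smtpd_tls_cert_file=/etc/postfix/domainssl/cert-mail.example.net.pem
-o smtpd_tls_key_file=/etc/postfix/domainssl/key-mail.example.net.pem
"""

def logical_lines(text):
    """Return [(first_line_no, words)]; a line starting with whitespace continues an entry."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comment lines are ignored
        if raw[0].isspace() and entries:
            entries[-1][1].extend(raw.split())
        else:
            entries.append((n, raw.split()))
    return entries

def lint(text):
    """Return (line, message) findings for the mistakes discussed in the thread."""
    findings = []
    for n, words in logical_lines(text):
        if words[0].startswith("-"):
            findings.append((n, "option without leading whitespace starts a new entry"))
            continue
        args = words[8:]  # after: service type private unpriv chroot wakeup maxproc command
        opts = dict(a.split("=", 1) for p, a in zip(args, args[1:]) if p == "-o" and "=" in a)
        port = words[0].rsplit(":", 1)[-1]
        if port in ("smtp", "25") and opts.get("smtpd_tls_wrappermode") == "yes":
            findings.append((n, "smtpd_tls_wrappermode=yes on a port 25 service"))
        if "smtpd_tls_CAfile" in opts:
            findings.append((n, "smtpd_tls_CAfile set per service; set it in main.cf if needed"))
        if "smtpd_tls_cert_file" in opts and "smtpd_tls_key_file" not in opts:
            findings.append((n, "cert_file overridden without a matching key_file override"))
    return findings

if __name__ == "__main__":
    for line, message in lint(SAMPLE):
        print(f"master.cf:{line}: {message}")
```

The first entry passes cleanly; the second is reported three times at line 5, and the unindented `-o` at line 10 is reported as a stray entry, which is also why the key override never reaches the service above it.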