On Mon, Mar 07, 2016 at 08:30:54PM -0600, Tom Browder wrote:

> On Mon, Mar 7, 2016 at 5:13 PM, Viktor Dukhovni
> <postfix-us...@dukhovni.org> wrote:
> > On Mon, Mar 07, 2016 at 03:18:11PM -0600, Tom Browder wrote:
> >
> >> I have a server with several vhosts.  I am working on providing mail
> >> services to each with TLS.  I have server CA certs and unlocked keys
> >> for each individual vhost.
> >
> > When you say "vhost", what do you mean?
> 
> Virtual hosts.

Gee thanks, but I'm not that thick.  There are lots of things people
call virtual hosts.  There are, for example, virtual hosts with
server software like Apache httpd implemented at the application
layer and virtual hosts on hypervisors where multiple OS images
run on the same hardware.  What did you have in mind?

> >> Is the right way to handle that to put ALL the cert and associated
> >> files in the "smtpd_tls_CApath" directory and run "c_rehash" on that
> >> directory?

If you have a hypervisor and VMs, those don't usually share the
filesystem, so the question about smtpd_tls_CApath seems out of
place for that.  And I've not heard of Multi-instance Postfix
deployments referred to as "virtual hosts", but that's not too
crazy a way of talking about it.

> > No, that's mostly for verifying client certs and has very little
> > to do with server certificates.
> 
> Okay.
> 
> >> Or should I keep the three different types of files
> >> concatenated into three files, one of each type?
> >
> > Typically, best to create a complete separate chain file for each
> > keypair, however it is likely useful to understand how you're
> > managing the various server identities.  Multi-instance Postfix?
> > Multiple smtpd(8) listeners in master.cf? ...
> 
> Um, I haven't gotten that far, although I need to investigate that.

So what exactly is your question then?

> I intend to use Mailman 3 for managing mailing lists associated with
> each virtual host.
>
> As it stands, I have an MX record for each virtual host, each pointing
> to the "real" host.

What's a "virtual host" again?  Just multiple domains sharing a
common MX record?  Then you only need one certificate.

> Right now I'm just trying to get smtp access from my local host and
> would like to use TLS and client certs.

This is too vague to mean anything.

-- 
        Viktor.
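The layout Viktor sketches above (a separate chain file per keypair, smtpd_tls_CApath used only for client-certificate verification, and one smtpd(8) listener per server identity in master.cf) as an added configuration example; it is not from the thread, and the hostnames, IP addresses and file paths are assumptions.

```conf
# /etc/postfix/main.cf  (added example, not from the thread)
# Default server identity: one PEM file holding the private key, the leaf
# certificate and its intermediates, so the key parameter points at the same
# file as the certificate. Comments must start a line in main.cf.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/mail.example-a.test.chain.pem
smtpd_tls_key_file = $smtpd_tls_cert_file

# CApath/CAfile only matter for verifying certificates presented by clients.
# Ask for a client cert without requiring one, and log its fingerprint.
# The directory must be hashed with c_rehash after CA files change.
smtpd_tls_ask_ccert = yes
smtpd_tls_CApath = /etc/postfix/tls/client-cas
smtpd_tls_loglevel = 1

# /etc/postfix/master.cf  (added example, not from the thread)
# Each listener is bound to its own address and gets its own chain file via
# -o overrides; the client-CA directory from main.cf is shared by all of them.
192.0.2.10:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/etc/postfix/tls/mail.example-a.test.chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/mail.example-a.test.chain.pem
192.0.2.11:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/etc/postfix/tls/mail.example-b.test.chain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/mail.example-b.test.chain.pem
```

Because smtpd(8) in Postfix releases of that era has no SNI support, distinct server certificates require distinct listening addresses (or a single certificate whose subjectAltName covers every domain behind the shared MX, as Viktor suggests). Keep the chain files readable only by root, since each also carries an unlocked private key.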
