Postfix and multiple SSL certificates


If you ever wanted to serve multiple SSL certificates for different domains from a single Postfix instance, here is how.


List of requirements

  • a separate IP address for each SSL certificate
  • the different domains you will use for your mail (say, example.com and example2.com)
  • a separate SSL certificate for each domain


The change will involve:

  • modifying /etc/postfix/main.cf
  • modifying /etc/postfix/master.cf


Modifying /etc/postfix/main.cf

Comment out the smtpd_tls_key_file and smtpd_tls_cert_file directives; they will be set per listener in /etc/postfix/master.cf instead. smtpd_tls_CAfile can stay if the certificates you are using were issued by the same CA (SSL vendor).

Example:

# The global key/cert pair is disabled here; each listener in master.cf sets
# its own smtpd_tls_key_file / smtpd_tls_cert_file via "-o" overrides.
#smtpd_tls_key_file = /etc/postfix/keys/mail.example.com.key
#smtpd_tls_cert_file = /etc/postfix/keys/mail.example.com.crt
# The CA bundle stays global and therefore applies to every listener; this
# page assumes all certificates were issued by the same CA.
smtpd_tls_CAfile = /etc/postfix/keys/mail.example.com.bundle
# NOTE(review): the *.key files under /etc/postfix/keys should be readable by
# root only (mode 0600) — confirm the file modes after copying them in place.

Modifying /etc/postfix/master.cf

Previously, Postfix master listened on all interfaces (for smtp/25, smtps/465 and submission/587) and therefore used a single SSL certificate, the one defined in /etc/postfix/main.cf:

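# Single-certificate layout: every service listens on all interfaces, so all
# of them present the key/cert pair configured globally in main.cf.
# Continuation lines must start with whitespace; an unindented "-o" line is
# parsed by master(8) as a new service entry and the file fails to load.
# Postfix 3.4+ can alternatively pick the certificate by SNI
# (tls_server_sni_maps); the per-IP layout further down works on any release.
smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=100

# Implicit TLS on 465 (wrapper mode); unauthenticated clients are rejected.
smtps   inet    n       -       y       -       -       smtpd
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=10
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# STARTTLS required on 587. smtpd_enforce_tls is the obsolete (pre-2.3)
# spelling of smtpd_tls_security_level=encrypt; it still works but the
# newer parameter is preferred. Note the bracketed [127.0.0.1] form of the
# filter destination here versus the bare form on smtp/smtps above.
submission  inet  n     -       y       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject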

Now modify it so that each service is bound to a specific IP address and each address gets its own SSL certificate – for example, for mail.example.com and mail.example2.com:

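# your regular SSL certificate will be set up on localhost, external IPv4 and
# external IPv6 addresses. Prefixing the service name with "address:" binds
# that listener to one address; the two smtpd_tls_* overrides are repeated on
# every listener because they apply per service entry only.
# Continuation lines must start with whitespace, otherwise master(8) reads
# "-o" as a new service name.

# localhost — clients that verify the server name when connecting to
# 127.0.0.1 will be presented with the mail.example.com certificate.
127.0.0.1:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=100
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt

# Implicit TLS on 465; unauthenticated clients are rejected.
127.0.0.1:smtps   inet    n       -       y       -       -       smtpd
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=10
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt

# STARTTLS required on 587 (smtpd_enforce_tls is the obsolete spelling of
# smtpd_tls_security_level=encrypt).
127.0.0.1:submission  inet  n     -       y       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt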


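# IPv4 — public listeners for mail.example.com. Same options as the localhost
# entries, bound to the external IPv4 address. Continuation lines must start
# with whitespace, otherwise master(8) reads "-o" as a new service name.
178.63.195.102:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=100
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt

# Implicit TLS on 465; unauthenticated clients are rejected.
178.63.195.102:smtps   inet    n       -       y       -       -       smtpd
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=10
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt

# STARTTLS required on 587 (smtpd_enforce_tls is the obsolete spelling of
# smtpd_tls_security_level=encrypt).
178.63.195.102:submission  inet  n     -       y       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt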


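# IPv6 — public listeners for mail.example.com on the external IPv6 address.
# An IPv6 address must be written in brackets in master.cf, and inet_protocols
# in main.cf has to include ipv6 for these entries to bind. Continuation lines
# must start with whitespace, otherwise master(8) reads "-o" as a new service.
[2a01:4f8:120:14c4::1111]:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=100
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt

# Implicit TLS on 465; unauthenticated clients are rejected.
[2a01:4f8:120:14c4::1111]:smtps   inet    n       -       y       -       -       smtpd
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=10
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt

# STARTTLS required on 587 (smtpd_enforce_tls is the obsolete spelling of
# smtpd_tls_security_level=encrypt).
[2a01:4f8:120:14c4::1111]:submission  inet  n     -       y       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example.com.crt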


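# different SSL certificate on a different IPv4 address: mail.example2.com
# Only the key/cert paths and the greeting differ from the mail.example.com
# listeners. The smtp/25 entry previously carried a stray hostname
# (mail.mcfeedback.com) that matched neither certificate; it now uses
# mail.example2.com like the other two entries.
# smtpd_banner replaces the default "$myhostname ESMTP $mail_name" greeting so
# this listener announces itself as mail.example2.com; ideally that name also
# matches the PTR record of 178.63.195.100.
# NOTE(review): smtp_helo_name is a parameter of the smtp(8) *client*;
# smtpd(8) does not read it, so as a "-o" override on an smtpd service it has
# no effect and can be dropped.
# Continuation lines must start with whitespace, otherwise master(8) reads
# "-o" as a new service name.
178.63.195.100:smtp      inet  n       -       y       -       20      smtpd
  -o smtpd_proxy_filter=127.0.0.1:10024
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=100
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example2.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example2.com.crt
  -o smtp_helo_name=mail.example2.com
  -o smtpd_banner=mail.example2.com

# Implicit TLS on 465; unauthenticated clients are rejected.
178.63.195.100:smtps   inet    n       -       y       -       -       smtpd
  -o content_filter=dksign:127.0.0.1:10027
  -o smtpd_client_connection_count_limit=10
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example2.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example2.com.crt
  -o smtp_helo_name=mail.example2.com
  -o smtpd_banner=mail.example2.com

# STARTTLS required on 587 (smtpd_enforce_tls is the obsolete spelling of
# smtpd_tls_security_level=encrypt).
178.63.195.100:submission  inet  n     -       y       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o content_filter=dksign:[127.0.0.1]:10027
  -o receive_override_options=no_address_mappings
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_key_file=/etc/postfix/keys/mail.example2.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/mail.example2.com.crt
  -o smtp_helo_name=mail.example2.com
  -o smtpd_banner=mail.example2.com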

That’s it! Restart Postfix, and you should be done. Check the mail log after the restart: master(8) refuses to start on a malformed master.cf entry, which is the most common slip when adding this many listeners by hand.

For information on how to set up Cyrus to use multiple certificates, see this article.