Changing domain name and certificates


Changing domain name and certificates

ibrewster
We are currently in the process of changing our domain name, and were wondering if there was any way for postfix (and Dovecot, but that’s a different mailing list) to present different certificates depending on what domain name users are connecting with? That is, for a period of time we want users to be able to connect using either the old domain name or the new domain name, without getting an error. We don’t, however, want to separate the domains - a given user should be able to receive and send mail from either domain interchangeably, as per the mydestination configuration directive (as I understand it). Is this possible, or will we need to simply change the certificate to the new domain, with the caveat that some users will be getting certificate errors until we can get around to changing their setup?

-----------------------------------------------
Israel Brewster
Computer Support Technician II
Era Alaska
5245 Airport Industrial Rd
Fairbanks, AK 99709
(907) 450-7250 x7293
-----------------------------------------------





Re: Changing domain name and certificates

lists@rhsoft.net

On 31.01.2014 19:59, Israel Brewster wrote:
> We are currently in the process of changing our domain name, and were wondering if there was any way for postfix
> (and Dovecot, but that’s a different mailing list) to present different certificates depending on what domain name
> users are connecting with? That is, for a period of time we want users to be able to connect using either the old
> domain name or the new domain name, without getting an error. We don’t, however, want to separate the domains - a
> given user should be able to receive and send mail from either domain interchangeably, as per the mydestination
> configuration directive (as I understand it). Is this possible, or will we need to simply change the certificate to
> the new domain, with the caveat that some users will be getting certificate errors until we can get around to
> changing their setup?

If it is *really* important, spend some money and get a
new certificate with both domains as SAN

http://en.wikipedia.org/wiki/Subject_Alternative_Name

http://www.godaddy.com/ssl/ssl-certificates.aspx
multiple domains UCC - € 112.99 per year

Re: Changing domain name and certificates

Noel Jones-2
On 1/31/2014 12:59 PM, Israel Brewster wrote:

> We are currently in the process of changing our domain name, and
> were wondering if there was any way for postfix (and Dovecot, but
> that’s a different mailing list) to present different certificates
> depending on what domain name users are connecting with? That is,
> for a period of time we want users to be able to connect using
> either the old domain name or the new domain name, without getting
> an error. We don’t, however, want to separate the domains - a given
> user should be able to receive and send mail from either domain
> interchangeably, as per the mydestination configuration directive
> (as I understand it). Is this possible, or will we need to simply
> change the certificate to the new domain, with the caveat that some
> users will be getting certificate errors until we can get around to
> changing their setup?
>


Your best bet is to set up the new domain name on a separate IP
address, and present the proper certificates there.

You can configure a single postfix instance to listen on multiple
IPs and define which certificate goes with which IP using master.cf
-o overrides.




  -- Noel Jones

Re: Changing domain name and certificates

ibrewster
I’ll have to look into that. While I think I can figure it out easily enough (looks like I would need to override the inet_interfaces and smtpd_tls_cert/key file directives), is there an example of this sort of configuration somewhere?

-----------------------------------------------
Israel Brewster
Computer Support Technician II
Era Alaska
5245 Airport Industrial Rd
Fairbanks, AK 99709
(907) 450-7250 x7293
-----------------------------------------------




On Jan 31, 2014, at 10:12 AM, Noel Jones <[hidden email]> wrote:

> On 1/31/2014 12:59 PM, Israel Brewster wrote:
>> We are currently in the process of changing our domain name, and
>> were wondering if there was any way for postfix (and Dovecot, but
>> that’s a different mailing list) to present different certificates
>> depending on what domain name users are connecting with? That is,
>> for a period of time we want users to be able to connect using
>> either the old domain name or the new domain name, without getting
>> an error. We don’t, however, want to separate the domains - a given
>> user should be able to receive and send mail from either domain
>> interchangeably, as per the mydestination configuration directive
>> (as I understand it). Is this possible, or will we need to simply
>> change the certificate to the new domain, with the caveat that some
>> users will be getting certificate errors until we can get around to
>> changing their setup?
>>
>
>
> Your best bet is to set up the new domain name on a separate IP
> address, and present the proper certificates there.
>
> You can configure a single postfix instance to listen on multiple
> IPs and define which certificate goes with which IP using master.cf
> -o overrides.
>
>
>
>
>  -- Noel Jones



Re: Changing domain name and certificates

Noel Jones-2
On 1/31/2014 1:46 PM, Israel Brewster wrote:

> I’ll have to look into that. While I think I can figure it out easily enough (looks like I would need to override the inet_interfaces and smtpd_tls_cert/key file directives), is there an example of this sort of configuration somewhere?
>
> -----------------------------------------------
> Israel Brewster
> Computer Support Technician II
> Era Alaska
> 5245 Airport Industrial Rd
> Fairbanks, AK 99709
> (907) 450-7250 x7293
> -----------------------------------------------
>
>
>
>
>
> On Jan 31, 2014, at 10:12 AM, Noel Jones <[hidden email]> wrote:
>
>> On 1/31/2014 12:59 PM, Israel Brewster wrote:
>>> We are currently in the process of changing our domain name, and
>>> were wondering if there was any way for postfix (and Dovecot, but
>>> that’s a different mailing list) to present different certificates
>>> depending on what domain name users are connecting with? That is,
>>> for a period of time we want users to be able to connect using
>>> either the old domain name or the new domain name, without getting
>>> an error. We don’t, however, want to separate the domains - a given
>>> user should be able to receive and send mail from either domain
>>> interchangeably, as per the mydestination configuration directive
>>> (as I understand it). Is this possible, or will we need to simply
>>> change the certificate to the new domain, with the caveat that some
>>> users will be getting certificate errors until we can get around to
>>> changing their setup?
>>>
>>
>>
>> Your best bet is to set up the new domain name on a separate IP
>> address, and present the proper certificates there.
>>
>> You can configure a single postfix instance to listen on multiple
>> IPs and define which certificate goes with which IP using master.cf
>> -o overrides.
>>
>>
>>
>>
>>  -- Noel Jones
>


Probably the minimum is myhostname and the key/cert files. Something
like:

# master.cf

10.0.0.101:25   inet  n   -    n   -   -  smtpd
  -o myhostname=old.example.com
  -o smtpd_tls_key_file=/path/to/old.key
  -o smtpd_tls_cert_file=/path/to/old.cert

10.0.0.102:25   inet  n   -    n   -   -  smtpd
  -o myhostname=new.example.com
  -o smtpd_tls_key_file=/path/to/new.key
  -o smtpd_tls_cert_file=/path/to/new.cert




  -- Noel Jones

Re: Changing domain name and certificates

A. Schulze

Noel Jones:

> Probably the minimum is myhostname and the key/cert files. Something
> like:
>
> # master.cf
>
> 10.0.0.101:25   inet  n   -    n   -   -  smtpd
>   -o myhostname=old.example.com
>   -o smtpd_tls_key_file=/path/to/old.key
>   -o smtpd_tls_cert_file=/path/to/old.cert
>
> 10.0.0.102:25   inet  n   -    n   -   -  smtpd
>   -o myhostname=new.example.com
>   -o smtpd_tls_key_file=/path/to/new.key
>   -o smtpd_tls_cert_file=/path/to/new.cert

use macros!

# main.cf:
smtpd_tls_key_file = /etc/ssl/${myhostname}/key.pem
smtpd_tls_cert_file = /etc/ssl/${myhostname}/cert+intermediate.pem

# master.cf
10.0.0.101:25   inet  n   -    n   -   -  smtpd
  -o myhostname=old.example.com
10.0.0.102:25   inet  n   -    n   -   -  smtpd
  -o myhostname=new.example.com

Filesystem:
   /etc/ssl/old.example.com/key.pem
   /etc/ssl/old.example.com/cert+intermediate.pem
   /etc/ssl/new.example.com/key.pem
   /etc/ssl/new.example.com/cert+intermediate.pem

Andreas
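
As an added example (not part of the thread and not Postfix code): a small Python pre-deployment check that resolves, for the main.cf/master.cf layout in the last post, which key and certificate path each smtpd listener ends up with after its `-o` overrides. The function names and the embedded sample configuration are constructed for illustration; expansion is a single pass over `$name`/`${name}` and does not implement Postfix's full macro syntax.

```python
import re

# Constructed sample input mirroring the main.cf/master.cf layout in the post above.
MAIN_CF = """\
smtpd_tls_key_file = /etc/ssl/${myhostname}/key.pem
smtpd_tls_cert_file = /etc/ssl/${myhostname}/cert+intermediate.pem
"""
MASTER_CF = """\
# master.cf
10.0.0.101:25   inet  n   -    n   -   -  smtpd
  -o myhostname=old.example.com
10.0.0.102:25   inet  n   -    n   -   -  smtpd
  -o myhostname=new.example.com
"""
TLS_PARAMS = ("smtpd_tls_key_file", "smtpd_tls_cert_file")

def logical_lines(text):
    """Drop comments and blank lines; join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main_cf(text):
    """Return {parameter: value} from 'name = value' lines."""
    pairs = (l.split("=", 1) for l in logical_lines(text) if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def expand(value, params):
    """Expand $name and ${name}; unknown names are left as written so they stand out."""
    return re.sub(r"\$\{(\w+)\}|\$(\w+)",
                  lambda m: params.get(m.group(1) or m.group(2), m.group(0)), value)

def tls_files_per_listener(main_cf, master_cf):
    """Map each smtpd service to the TLS key/cert paths it resolves to."""
    base, result = parse_main_cf(main_cf), {}
    for line in logical_lines(master_cf):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue  # the command is the 8th master.cf field
        params, args = dict(base), fields[8:]
        # Apply "-o name=value" overrides on top of the main.cf values.
        params.update(a.split("=", 1) for f, a in zip(args, args[1:])
                      if f == "-o" and "=" in a)
        result[fields[0]] = {p: expand(params[p], params)
                             for p in TLS_PARAMS if p in params}
    return result
```

Feeding the returned paths to an existence and permission check before `postfix reload` catches a listener whose `myhostname` has no matching directory under `/etc/ssl/`.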