Different SSL certificate per virtual domain


Different SSL certificate per virtual domain

Durga Prasad Malyala
Hello All,
I've googled but am a bit confused.
I have a server with an IP hosting two different virtual domains.
Both domains need to have their individual SSL certificate like
mail.domain1.com and mail.domain2.com to download and send the same.
Is it possible in Postfix if I have only one public IP and achieve same?
Can you guide me to some links if possible.
Thanks/DP

Re: Different SSL certificate per virtual domain

Matt Anton
On 1 Jun 2019, at 14:54, Durga Prasad Malyala wrote:

> Hello All,

Hello,

> I've googled but am a bit confused.
> I have a server with an IP hosting two different virtual domains.
> Both domains need to have their individual SSL certificate like
> mail.domain1.com and mail.domain2.com to download and send the same.
> Is it possible in Postfix if I have only one public IP and achieve same?
> Can you guide me to some links if possible.
> Thanks/DP

postconf's manpage has all you need to know to implement SNI support: <http://www.postfix.org/postconf.5.html#tls_server_sni_maps>

But if this isn't enough, there were in March 2019 excellent posts by Viktor and MK on the list detailing what's to be done to achieve this:

Viktor’s quote: <http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-tp100786p100802.html>

MK’s quote: <http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a100819>

hth

--
matt [at] lv223.org
GPG key ID: 7D91A8CA


Re: Different SSL certificate per virtual domain

Durga Prasad Malyala
Thank you. 
Let me check and get back to you. 

Cheers/DP

On Sat, Jun 1, 2019, 18:39 Matt Anton <[hidden email]> wrote:

Re: Different SSL certificate per virtual domain

Viktor Dukhovni
In reply to this post by Durga Prasad Malyala
On Sat, Jun 01, 2019 at 06:24:27PM +0530, Durga Prasad Malyala wrote:

> I've googled but am a bit confused.
> I have a server with an IP hosting two different virtual domains.
> Both domains need to have their individual SSL certificate like
> mail.domain1.com and mail.domain2.com to download and send the same.
> Is it possible in Postfix if I have only one public IP and achieve same?
> Can you guide me to some links if possible.

This requires at least Postfix 3.4, which is the latest stable
Postfix release.  You may need to build Postfix 3.4.5 from source,
if your O/S does not provide a Postfix 3.4.5 package (O/S packages
may call it 3.4.0, even when patches 1–5 are applied).

--
        Viktor.

Re: Different SSL certificate per virtual domain

Durga Prasad Malyala
On Sun, 2 Jun 2019 at 02:02, Viktor Dukhovni <[hidden email]> wrote:

>
> On Sat, Jun 01, 2019 at 06:24:27PM +0530, Durga Prasad Malyala wrote:
>
> > I've googled but am a bit confused.
> > I have a server with an IP hosting two different virtual domains.
> > Both domains need to have their individual SSL certificate like
> > mail.domain1.com and mail.domain2.com to download and send the same.
> > Is it possible in Postfix if I have only one public IP and achieve same?
> > Can you guide me to some links if possible.
>
> This requires at least Postfix 3.4, which is the latest stable
> Postfix release.  You may need to build Postfix 3.4.5 from source,
> if your O/S does not provide a Postfix 3.4.5 package (O/S packages
> may call it 3.4.0, even when patches 1–5 are applied).
>
> --
>         Viktor.

Thanks Viktor.
I'm debating whether to stick to the RPM way of things.  To summarise,
we have three options.
Option-1
(1) Install by compiling the latest version of Postfix from source. I got
burned in the past while upgrading other software since the
dependencies gave a lot of trouble, so this is my least preferred mode.
Also due to many frequent security related updates nowadays, I
generally prefer this the least.
Option-2
or (1.1) use a repo like Remi - don't know the impact on other packages.
I don't want any other package to be impacted unnecessarily.
Option-3
Assuming I want to go the safer older way of using stock RPMs from the
distribution (CentOS in this case) and use two different IPs for the
postfix instance - then ideally while sending outgoing mail I have to
ensure that the mails go out from the respective IP of that domain,
right?
I've found these documents - is this OK?
https://lxadm.com/Postfix_and_multiple_SSL_certificates
https://www.kutukupret.com/2010/01/02/postfix-bind-sender-domain-to-dedicated-outgoing-ip-address/

If someone can comment on these three options, maybe I can document
this somewhere for future reference and for others.

- Regards
DP

Re: Different SSL certificate per virtual domain

Wietse Venema
Durga Prasad Malyala:
> Option-3
> Assuming I want to go the safer older way of using stock RPMs from the
> distribution (CentOS in this case) and use two different IPs for the
> postfix instance - then ideally while sending outgoing mail I have to
> ensure that the mails go out from the respective IP of that domain
> right.

If you can use separate IP addresses, then you do not need SNI.

        Wietse

Re: Different SSL certificate per virtual domain

Viktor Dukhovni
> On Jun 2, 2019, at 8:10 AM, Wietse Venema <[hidden email]> wrote:
>
>> Assuming I want to go the safer older way of using stock RPMs from the
>> distribution (CentOS in this case) and use two different IPs for the
>> postfix instance - then ideally while sending outgoing mail I have to
>> ensure that the mails go out from the respective IP of that domain
>> right.
>
> If you can use separate IP addresses, then you do not need SNI.

And there's no need to restrict outbound traffic to separate IPs:

        ; DNS data from various zone files
        ;
        mail.primary.example. IN A 192.0.2.1
        mail.primary.example. IN A 192.0.2.2
        1.2.0.192.in-addr.arpa. IN PTR mail.primary.example.
        2.2.0.192.in-addr.arpa. IN PTR mail.primary.example.
        ;
        ; Ideally, just use mail.primary.example as the MX host
        ; for all the domains!  Per-domain MX host names are
        ; more trouble than they're worth!  Then just get a
        ; certificate for mail.primary.example. and be done.
        ;
        virtual1.example. IN MX mail.virtual1.example.
        mail.virtual1.example. IN A 192.0.2.1
        ;
        ; See above
        ;
        virtual2.example. IN MX mail.virtual2.example.
        mail.virtual2.example. IN A 192.0.2.2

but, if you must have per-domain MX hosts, you can still
have a single certificate for all the names, and avoid SNI.
But, if for some unexpectedly compelling reason you MUST
have separate certificates, then go ahead, but use a single
underlying hostname as "smtp_helo_name = $myhostname", and
map the PTRs for both IPs to that name, just in case some
anti-abuse systems get very picky and want your HELO name
to match the PTR.

Splitting the outbound traffic is a lot more work, since
then you need two separate Postfix instances each with
its own smtp_bind_address, rather than just two separate
entries in master.cf for inbound traffic, if a single
outbound "personality" is enough.

Google and Microsoft deliver outbound mail for hundreds
of thousands of domains from a common pool of outbound
names.  Nobody seems to mind.

--
        Viktor.
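The two approaches discussed in this thread side by side, as an added configuration example that is not from any poster, the Postfix documentation, or the linked pages: Matt's pointer to tls_server_sni_maps (one IP, a certificate per SNI name, Postfix 3.4 or later) and Viktor's alternative (one IP per name, one certificate each, no SNI, works on the stock CentOS Postfix too), both keeping a single outbound HELO identity as Viktor recommends. The host names and addresses are the ones from Viktor's DNS example above; the file paths under /etc/postfix and the assumption that each PEM file holds the private key followed by the certificate chain are illustration choices, not anything the thread states.

```conf
# ---- Option A: single IP, per-name certificates via SNI (Postfix >= 3.4) ----
# /etc/postfix/main.cf
myhostname = mail.primary.example
# One outbound identity for every hosted domain; matches both PTR records.
smtp_helo_name = $myhostname
# Default key + certificate chain, used when the client sends no SNI name
# or a name that is not in the SNI map.  The file holds the private key
# first, then the server certificate, then the intermediate chain.
smtpd_tls_chain_files = /etc/postfix/mail.primary.example.pem
# Per-name key + chain files, selected by the SNI name the client sends.
tls_server_sni_maps = hash:/etc/postfix/sni_maps

# /etc/postfix/sni_maps
# Build with:  postmap -F hash:/etc/postfix/sni_maps
# "-F" stores the *contents* of the listed files in the .db, not the
# paths, so the map must be rebuilt after every certificate renewal.
mail.virtual1.example   /etc/postfix/mail.virtual1.example.pem
mail.virtual2.example   /etc/postfix/mail.virtual2.example.pem

# ---- Option B: two IPs, one certificate each, no SNI needed ----
# /etc/postfix/master.cf
# One inbound smtpd listener per address, each with its own key pair.
# Outbound mail is unchanged: one smtp(8) client, one HELO name, so no
# second Postfix instance and no smtp_bind_address juggling is required.
192.0.2.1:smtp  inet  n  -  n  -  -  smtpd
  -o smtpd_tls_cert_file=/etc/postfix/mail.virtual1.example.crt
  -o smtpd_tls_key_file=/etc/postfix/mail.virtual1.example.key
192.0.2.2:smtp  inet  n  -  n  -  -  smtpd
  -o smtpd_tls_cert_file=/etc/postfix/mail.virtual2.example.crt
  -o smtpd_tls_key_file=/etc/postfix/mail.virtual2.example.key
```

After `postfix reload`, confirm from the outside that each name really gets its own certificate: `openssl s_client -starttls smtp -servername mail.virtual1.example -connect 192.0.2.1:25` should show the virtual1 certificate subject, and the same command with `-servername mail.virtual2.example` (and, for Option B, the other address) the virtual2 one. With Option A, also repeat the test without `-servername` to make sure a client that sends no SNI still receives the mail.primary.example chain rather than a handshake failure.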


Re: Different SSL certificate per virtual domain

Kris Deugau
Viktor Dukhovni wrote:
> Google and Microsoft deliver outbound mail for hundreds
> of thousands of domains from a common pool of outbound
> names.  Nobody seems to mind.

Some of us do mind, but there's really nothing we can do about it
because any spam-control measures we might try would block far too much
mail that our customers want to receive.

Realistically, many other mail systems also relay mail on behalf of many
apparently unrelated domains;  it's rare to have a valid use case for
really truly requiring mail for a given domain to be (apparently)
running on its own dedicated system.

-kgd

Re: Different SSL certificate per virtual domain

Peter Ajamian
In reply to this post by Durga Prasad Malyala
On 2/06/19 7:07 PM, Durga Prasad Malyala wrote:
> Option-2
> or (1.1) use repo like Remi - Dont know the impact on other packages.
> I don't want any other package to be impacted un-neccesarily.

Assuming you're referring to CentOS 7 you can get them from GhettoForge
(GhettoForge has postfix 3.3 for CentOS 6 but due to a newer openssl
requirement will not have 3.4 or newer).

Postfix 3.4 is currently in the gf-testing repo, although I have plans
to move them to gf-plus later this week:

Unfortunately the GF main site is currently down (working on it) but the
mirror and repository are working.  There are Google cache copies
available for the relevant pages that you will need from the site:

http://webcache.googleusercontent.com/search?q=cache:A5RZ0nG5UP0J:ghettoforge.org/index.php/Usage+&cd=1&hl=en&ct=clnk&gl=nz&client=firefox-b-e

http://webcache.googleusercontent.com/search?q=cache:JmE1tzw6qqYJ:ghettoforge.org/index.php/Postfix3+&cd=1&hl=en&ct=clnk&gl=nz&client=firefox-b-e

With this version you will have SNI support.


Peter