0

I've got problem setting up postfix to listen on few (3 actually) IP addresses, on port 25, using correct SSL certificates.

Background: I'm using Debian 11, with Postfix (v 3.5.6 from repo)/Dovecot and ISPConfig as hosting panel. I've got few IP addresses that are working fine, there are domain names with record A pointing on IP, and correct revDNS for every IP. Every domain got correct certificate generated to use. Firewall is configured properly, and almost everything is working like i would expect.

My current state is that Postfix listen correctly on port 465 and 587 on all defined IP addresses (including 127.0.0.1) - and also respond with correct certificates on that ports. But on port 25 it is always use certificate of 1st domain - even when connecting to other IPs (domain names). Also Dovecot is using certs (but configuring Dovecot was very easy for that and it works like it should with IMAP and POP3). I do not know, where i do mistake configuring Postfix for that. The only thing i do not want to do, is postfix "multiple instances" - because ISPConfig do not support them at all (it even do not support more than one IP for Dovecot/Postfix at all, or any kind of SNI for them).

My current config looks like that: main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2



# TLS parameters
# 
# smtpd_tls_cert_file = /etc/postfix/smtpd.cert
# smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = domain1.com, localhost, localhost.localdomain
relayhost = 
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
# OEYG inet_interfaces = all
inet_interfaces = 127.0.0.1 xx.xx.xx.x1 xx.xx.xx.x2 xx.xx.xx.x3
# ORYG inet_protocols = all
inet_protocols = ipv4
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
smtpd_use_tls = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf,  permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
smtpd_reject_unlisted_sender = no
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_override, permit_dnswl_client swl.spamhaus.org, permit_dnswl_client ip4.white.polspam.pl, permit_dnswl_client ip6.white.polspam.pl, reject_rbl_client spam.spamrats.com, reject_rbl_client b.barracudacentral.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spameatingmonkey.net, reject_rbl_client all.s5h.net, reject_unauth_pipelining, permit
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = lmtp:unix:private/dovecot-lmtp
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
address_verify_negative_refresh_time = 60s
enable_original_recipient = no
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
authorized_flush_users = 
authorized_mailq_users = nagios, icinga
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
address_verify_sender_ttl = 15686s
smtp_dns_support_level = dnssec
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
message_size_limit = 0

My master.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
# smtp      inet  n       -       y       -       -       smtpd
127.0.0.1:smtp inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/smtp-local
 -o smtp_helo_name=localhost
 -o myhostname=localhost
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x1:smtp inet n       -       y      -       -       smtpd
 -o syslog_name=postfix/smtp-d1
 -o smtp_helo_name=domain1
 -o myhostname=domain1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x2:smtps inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/smtp-d2
 -o smtp_helo_name=domain2
 -o myhostname=domain2
 -o smtpd_tls_cert_file=/etc/domain2.crt
 -o smtpd_tls_key_file=/etc/domain2.key
xx.xx.xx.x3:smtps inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/smtp-d3
 -o smtp_helo_name=domain3
 -o myhostname=domain3
 -o smtpd_tls_cert_file=/etc/domain3.crt
 -o smtpd_tls_key_file=/etc/domain3.key
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#
127.0.0.1:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=localhost
 -o smtp_bind_address=127.0.0.1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
 -o myhostname=localhost
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x1:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=domain1
 -o smtp_bind_address=xx.xx.xx.x1
 -o myhostname=domain1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x2:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=domain2
 -o smtp_bind_address=xx.xx.xx.x2
 -o myhostname=domain2
 -o smtpd_tls_cert_file=/etc/domain2.crt
 -o smtpd_tls_key_file=/etc/domain2.key
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x3:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=domain3
 -o smtp_bind_address=xx.xx.xx.x3
 -o myhostname=domain3
 -o smtpd_tls_cert_file=/etc/domain3.crt
 -o smtpd_tls_key_file=/etc/domain3.key
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
## smtps     inet  n       -       y       -       -       smtpd
## -o syslog_name=postfix/smtps
## -o smtpd_tls_wrappermode=yes
## -o smtpd_sasl_auth_enable=yes
## -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
127.0.0.1:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtp_helo_name=localhost
 -o myhostname=localhost
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x1:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix-d1/smtps
 -o smtp_helo_name=domain1
 -o myhostname=domain1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x2:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix-d2/smtps
 -o smtp_helo_name=domain2
 -o myhostname=domain2
 -o smtpd_tls_cert_file=/etc/domain2.crt
 -o smtpd_tls_key_file=/etc/domain2.key
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x3:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix-d3/smtps
 -o smtp_helo_name=domain3
 -o myhostname=domain3
 -o smtpd_tls_cert_file=/etc/domain3.crt
 -o smtpd_tls_key_file=/etc/domain3.key
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
domain1-out     unix -       -       n       -       -       smtp
    -o smtp_bind_address=xx.xx.xx.x1
    -o smtp_helo_name=domain1
    -o syslog_name=postfix-domain1
    -o smtpd_tls_cert_file=/etc/domain1.crt
    -o smtpd_tls_key_file=/etc/domain1.key
domain2-out     unix -       -       n       -       -       smtp
    -o smtp_bind_address=xx.xx.xx.x2
    -o smtp_helo_name=domain2
    -o syslog_name=postfix-domain2
    -o smtpd_tls_cert_file=/etc/domain2.crt
    -o smtpd_tls_key_file=/etc/domain2.key
domain3-out     unix -       -       n       -       -       smtp
    -o smtp_bind_address=xx.xx.xx.x3
    -o smtp_helo_name=domain3
    -o syslog_name=postfix-domain3
    -o smtpd_tls_cert_file=/etc/domain3.crt
    -o smtpd_tls_key_file=/etc/domain3.key
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

When starting postfix in /var/log/mail.log there is:

postfix/postfix-script[2714262]: starting the Postfix mail system
postfix/master[2714264]: warning: duplicate master.cf entry for service "xx.xx.xx.x2:smtps" ([xx.xx.xx.x2]:465) -- using the last ent
ry
postfix/master[2714264]: warning: duplicate master.cf entry for service "xx.xx.xx.x3:smtps" ([xx.xx.xx.x3]:465) -- using the last ent
ry
postfix/master[2714264]: daemon started -- version 3.5.6, configuration /etc/postfix

This log is strange for me, because port 465 is working fine on every domain name.

For testing i'm using other server and this commands:
openssl s_client -starttls smtp -showcerts -connect domainX:25 -servername domainX
openssl s_client -starttls smtp -showcerts -connect domainX:587 -servername domainX
openssl s_client -showcerts -connect domainX:465 -servername domainX

Marcin Wilk
  • 3
  • 1
  • Try specifying correct values for `inet_interfaces` for those services in the `master.cf` too. Also, you can try to get around its detection of duplicate services by defining aliases like `smtp1 25/tcp` and so on in the `/etc/services` file, and using those `smtp1` etc. in the `master.cf`. – Nikita Kipriyanov Jun 15 '22 at 10:12

2 Answers2

1

Your master.cf contains typos.

Looks like you meant to setup smtpd (server) services in port submission (587), smtpd on port smtps (465), smtpd on port smtp (25) and smtp (client) transports for each domain.

But the first occurrence of xx.xx.xx.x2:smtps and the first occurrence of xx.xx.xx.x3:smtps does not match that scheme. Looks like you meant to write smtp there. The second occurrence for each respectively looks like the intended one for smtps (as evidenced by the smtpd_tls_wrappermode option).

After fixing this and restarting postfix, call ss -tulpn to verify which IP/port combinations postfix is actually listening on. I expect to see each of port 25, port 587 and port 465 on to be offered on four IPv4 addresses (including loopback).

By the way, specifying smtpd_* options on the smtp service is without effect. Your domain*-out smtp (client!) services do not present certificates when delivering.

Also, the whole effort seems.. much trouble for no gain. It is one server, why does it pretend to be 3? By accepting incoming mail in different places, you are just making diagnostics harder.

anx
  • 6,875
  • 4
  • 22
  • 45
  • 1
    The last paragraph seems to be very true. A strange effort with no gain. Also considering it will need the DNS and myhostname configuration, binding to correct IP addresses during the delivery, the whole idea seems extremely cumbersome. – Nikita Kipriyanov Jun 15 '22 at 13:08
  • This was the problem. Thank You. I feel blind i didn't notice this. And i also must say that i agree that it's place for troubles. I had to do that, because some users are moving from different servers. To make change smooth for them i just added new IP and want to move domain from old server to new one (so their clients will just work out of the box). After that i may slowly reconfigure mail clients software to new domains. Thank You for help! – Marcin Wilk Jun 16 '22 at 12:00
0

With ISPConfig..

you can do this more easy..

Create a "base" mail host in the websites. *( i use this one for all my clients there webmail. So i created mail.my-hosting-domain.tld.

add letsencrypt to it so you get the correct certificates. Now add a new mailhostname into it.

letsencrypt will generate a multi host certificate. done.

And offcourse, match the needed DNS record to this. Any customer can goto mail.there-domain.tld and postfix shows all correct hostnames in the certificates.

ThcTLo
  • 1
  • 1
    One *does not need* multi host certificate for the mail server. Mail server should never appear under multiple different hostnames. [Problems will occur](https://serverfault.com/questions/1101230/spamhaus-org-is-blocking-our-ip-because-we-use-multiple-unrelated-helo-values/1101256#1101256). – Nikita Kipriyanov Jun 15 '22 at 13:12
  • why not? im running this for years now, and as long everything complies to RFC's, its all fine. – ThcTLo Jun 15 '22 at 14:30