I don't know how to set up the main.cf Postfix config file and the 10-ssl.conf Dovecot config file in order to make my mail server capable of handling multiple certificates. Let me explain... I have two domains on the same server, say

  • mail.example.it
  • mail.example.com

and two different certificates for both in different folders

  • etc/letsencrypt/live/mail.example.it
  • etc/letsencrypt/live/mail.example.com

The question is: how should I set the TLS parameters in main.cf of the Postfix configuration? It seems to support only one entry for

  • smtpd_tls_cert_file
  • smtpd_tls_key_file

The same issue in 10-ssl.conf of the Dovecot configuration: it seems to support only one entry for

  • ssl_cert
  • ssl_key

Many thanks for help

p0lo (edited by Jenny D)

4 Answers

This is done by looking at the unencrypted domain name in the Server Name Indication (SNI) header in the TLS handshake to select the right certificate before any encrypted data is exchanged. At the moment (I'll edit this answer if this changes), Postfix does not support SNI.

Update: SNI support was introduced in Postfix 3.4.0 - http://www.postfix.org/announcements/postfix-3.4.0.html

Dovecot, on the other hand, does. See this example configuration:

# Default
ssl_cert = </path/to/default/cert
ssl_key = </path/to/default/private/key

# mail.example.it
# The ssl_cert/ssl_key values must point at files, not at the Let's Encrypt
# live/ directory; with certbot the chain is fullchain.pem and the key privkey.pem.
local_name mail.example.it {
    ssl_cert = </etc/letsencrypt/live/mail.example.it/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.example.it/privkey.pem
}

# mail.example.com
local_name mail.example.com {
    ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
}

You can leave out each domain's ssl_key if it's the same as the default.

Billy


To my knowledge, this is not possible. You have two options:

  • Use one domain as the MX for all your other domains that the server should handle. So, if you have a cert configured for example.com and you also want to handle mail for example.org, set an MX entry pointing to your example.com server in the example.org zone.
  • Use certs with multiple SANs for every domain you need. This means you have only one cert file that covers all your domains.
Sven

Comments:

  • New to me: Let's Encrypt now supports SAN mechanism! Otherwise, in case these two domains were from separate customers that wouldn't want their domains to be used for others, I'd have suggested adding a third domain from the service provider as the certificate domain for both. – Esa Jokinen Jul 11 '18 at 09:45
  • What I couldn't find: does Let's Encrypt have a limit for max SAN host names? Using a fixed service provider domain would be a better choice with many customer domains if there was such a limit, or if the changes to this domain name list were frequent. – Esa Jokinen Jul 11 '18 at 09:58
  • @EsaJokinen: It's 100 names. `If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate.` https://letsencrypt.org/docs/rate-limits/ I am not sure, but I believe this is the general limit on SANs in TLS certs. – Sven Jul 11 '18 at 10:00
  • So, not really a problem, because updating the domain list would get on the nerves long before the limit. :) – Esa Jokinen Jul 11 '18 at 10:03

Postfix 3.4 and later now allows SNI maps to deal with multiple certificates for different domains/subdomains:

http://www.postfix.org/postconf.5.html#tls_server_sni_maps

Hints about configuring it properly with Let's Encrypt:

http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a100819

In summary, here is what user @MK of the Postfix mailing list says (in case the above link goes down for some reason):

----- main.cf -----
# provide the primary certificate for the server, to be used for outgoing connections
smtpd_tls_chain_files =
 /etc/letsencrypt/live/servername.serverdom.com/privkey.pem,
 /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
-----
----- /etc/postfix/vmail_ssl.map -----
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line; indented lines continue the previous entry
servername.serverdom.com
 /etc/letsencrypt/live/servername.serverdom.com/privkey.pem
 /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem
servername.otherdom.com
 /etc/letsencrypt/live/servername.otherdom.com/privkey.pem
 /etc/letsencrypt/live/servername.otherdom.com/fullchain.pem
-----

Then run

$ postmap -F hash:/etc/postfix/vmail_ssl.map

Restart postfix as normal.

Run

$ openssl s_client -connect localhost:25 -servername servername.otherdom.com -starttls smtp

$ openssl s_client -connect localhost:25 -servername servername.serverdom.com -starttls smtp

To test: you'll find the hostname under the certificate details. If there is no match, it will fall back to the default certificate of the host, so be sure the server's own name is in the map file as well.

Note: I haven't tested this out myself, I was just looking for some hints on how to do it, and by chance came across this SF thread...
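The openssl s_client commands above check one name at a time by eye. The script below, an added example that is not code from this answer, from Billy's Dovecot answer, or from the Postfix or Dovecot projects, automates that check for both daemons: it sends each expected name as SNI, does the plaintext STARTTLS dialogue for SMTP on port 25 (Dovecot on port 993 speaks TLS directly), verifies the chain against the system CA store, and reports whether the leaf certificate actually covers the name it asked for. Hostnames and the localhost target are the thread's own example values, constructed here for illustration; the helper names (`check_sni`, `names_from_cert`, `matches_sni`) are this example's own.

```python
import socket
import ssl

# Added example, not code from any answer in this thread: checks which
# certificate a mail server hands out for a given SNI name, so a Postfix
# tls_server_sni_maps or Dovecot local_name setup can be verified per name.


def names_from_cert(cert):
    """DNS names a certificate covers, from the dict returned by SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # very old certificates carry the name only in the subject CN
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def matches_sni(names, sni):
    """True if one of names equals sni or is a single-label wildcard covering it."""
    sni = sni.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == sni:
            return True
        if name.startswith("*.") and "." in sni and sni.split(".", 1)[1] == name[2:]:
            return True
    return False


def _smtp_starttls(sock):
    """Run the plaintext SMTP dialogue up to a successful STARTTLS."""
    reader = sock.makefile("rb")

    def reply():
        lines = []
        while True:
            line = reader.readline()
            if not line:
                raise ConnectionError("server closed the connection")
            lines.append(line)
            if len(line) < 4 or line[3:4] != b"-":  # last line of a multi-line reply
                return b"".join(lines)

    if not reply().startswith(b"220"):
        raise RuntimeError("no 220 greeting")
    sock.sendall(b"EHLO sni-check.invalid\r\n")
    if b"STARTTLS" not in reply().upper():
        raise RuntimeError("server does not offer STARTTLS")
    sock.sendall(b"STARTTLS\r\n")
    if not reply().startswith(b"220"):
        raise RuntimeError("STARTTLS refused")


def check_sni(host, port, sni, starttls_smtp=False, timeout=10):
    """Handshake with host:port using sni as the SNI name; return (ok, names, detail).

    ok is True only when the chain verifies against the system CA store and the
    leaf certificate covers sni. The name comparison is done by matches_sni rather
    than by the ssl module, so the names on a wrongly selected certificate (for
    example the server's default one) are still reported instead of just an error.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # names are compared by matches_sni, see above
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if starttls_smtp:
                _smtp_starttls(raw)
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                names = names_from_cert(tls.getpeercert())
                return matches_sni(names, sni), names, tls.version()
    except ssl.SSLError as exc:          # subclass of OSError, so it must be caught first
        return False, [], f"TLS failure: {exc}"
    except (OSError, RuntimeError) as exc:
        return False, [], str(exc)


if __name__ == "__main__":
    # Constructed targets: the thread's two example names, both served by one host.
    SERVER = "localhost"
    for sni in ("mail.example.it", "mail.example.com"):
        for port, starttls in ((25, True), (993, False)):  # Postfix SMTP+STARTTLS, Dovecot IMAPS
            ok, names, detail = check_sni(SERVER, port, sni, starttls_smtp=starttls)
            print(f"{'OK  ' if ok else 'FAIL'} {sni} on port {port}: names={names} ({detail})")
```

A FAIL line whose names list shows the server's default hostname is exactly the fallback case described above: the SNI name is missing from the Postfix map or the Dovecot local_name blocks, so the daemon served its default certificate. Running it after every certificate renewal catches a map that was edited but never recompiled with postmap -F.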

While @Billy gave the solution for Dovecot — which works for me, these two posts helped me a lot with Postfix: Postfix and multiple SSL certificates, and Using multiple “myhostname” in postfix.

lucasart