Certificat Problems with Postfix SSL Delivery SMTP

Good Evening,

i have a problem with my Postfix mail server on the Virtualmin server. I’ve been trying for a long time to figure out why I can’t send via SSL.

Initial situation:

I have several domains. Each domain has its own Lets Encrypt certificate and I also provided this for Postfix and Dovecot. However, Postfix always takes the wrong domain when sending SMTP and complains about it because the certificate would be wrong. (e.g. Did I assign a certificate to domain a.xy, but Microsoft Outlook says that the principal name is wrong because the certificate belongs to domain b.xy).

What could be the reason and what details do you need from me ?


See /usr/share/postfix/main.cf.dist for a commented, more complete version

Debian specific: Specifying a file name will cause the first

line of that file to be used as the name. The Debian default

is /etc/mailname.

#myorigin = /etc/mailname

sender_canonical_maps = hash:/etc/postfix/sender_canonical

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

appending .domain is the MUA’s job.

append_dot_mydomain = no

Uncomment the next line to generate “delayed mail” warnings

#delay_warning_time = 4h

readme_directory = no

See http://www.postfix.org/COMPATIBILITY_README.html – default to 2 on

fresh installs.

compatibility_level = 2

TLS parameters

smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for

information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = vmd39417.contaboserver.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, vmd39417.contaboserver.net, localhost.contaboserver.net, , localhost
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_tls_security_level = dane
allow_percent_hack = no
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
mynetworks_style = subnet
mydomain = contaboserver.net

Thanks a lot :slight_smile:

I dont think you should copy the SSL certificate for all Virtual Servers to Postfix unless they have their own IP address.

Postfix can only handle one SSL cert per IP address (as far as I am aware at least). So if you keep copying each Virtual server SSL to Postfix, it uses that one instead of the previous one

The only SSL in Postfix should be your primary system/Webmin one.

There is a whole thread on this forum about this…I will put a link to it tomorrow when I am not on my mobile.


Last night I saw this. It makes sense. One SSL per domain + IP. I use server SSL for FQDN for all other domains

Adam’s right. The “copy to Postfix” button is making whichever domain you are currently looking at the SSL domain for Postfix…it doesn’t make sense to do it for every domain. You can only have one.

For all services that support multiple certificates on one IP (Apache, newer versions of Dovecot, Webmin, Usermin) the right certificate will already be served when it can be (I’m pretty sure this is already in there for Dovecot, and definitely for the others). But, some services simply don’t have that capability, and the “copy to” buttons are how you tell it which domain you want to use for those cases. But, it’s not productive to push the buttons for every domain…the last one you click it in will be the one that is used.

1 Like