Hi Joe,
Sorry for the extremely long delay in replying to this thread. Just a few weeks ago I worked on this again and managed to get it working properly for postfix as well, and, it is actually not that difficult, but it is quite longwinded.
I will post anonymised versions of both my main.cf and master.cf, although for the purposes of getting postfix to use separate certificates for each domain, the only changes required are in the master.cf file.
The server in this example has a main IP address, which was the original IP address provided with the server, I will refer to this server as xxx.yyy.zzz.1, and the hostname server.tld, I then illustrate 2 additional domains, with IP addresses xxx.yyy.zzz.2 and xxx.yyy.zzz.3, with names domain1.tld and domain2.tld.
With this configuration, the server will accept connections on port 25, 465 and 587, with port 465 used for SMTPS connection and 587 for STARTTLS. In addition, the SMTP server will announce itself with the domain name of the domain associated with the IP address, and when certificates are used, the correct certificate will be presented for the individual domain.
The main.cf is as follows (although this can really be the default main.cf of the installed server):
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
Debian specific: Specifying a file name will cause the first
line of that file to be used as the name. The Debian default
is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
appending .domain is the MUA’s job.
append_dot_mydomain = no
Uncomment the next line to generate “delayed mail” warnings
#delay_warning_time = 4h
readme_directory = no
TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
message_size_limit = 104857600
See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination reject_rbl_client zen.spamhaus.org
myhostname = server.tld
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost.com, , localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client zen.spamhaus.org check_policy_service inet:127.0.0.1:10023
allow_percent_hack = no
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
milter_default_action = accept
milter_protocol = 2
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
smtp_tls_security_level = dane
Now we come to the master.cf file. What one must bear in mind is that any setting in the main.cf file can be overridden in the master.cf file, and it can be done on a per IP and protocol version. There are probably better ways of doing this, I am not a postfix expert, and I have not done much additional experimentation, and the posted configuration ‘works for me’!
master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
xxx.yyy.zzz.1:smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
localhost
127.0.0.1:smtp inet n - y - - smtpd
127.0.0.1:submission inet n - y - - smtpd
server ip
xxx.yyy.zzz.1:submission inet n - y - - smtpd
domain1.tld
xxx.yyy.zzz.2:smtp inet n - y - - smtpd
-o smtpd_tls_cert_file=/home/domain1/ssl.cert
-o smtpd_tls_key_file=/home/domain1/ssl.key
-o smtpd_tls_CAfile=/home/domain1/ssl.ca
-o myhostname=domain1.tld
xxx.yyy.zzz.2:smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_cert_file=/home/domain1/ssl.cert
-o smtpd_tls_key_file=/home/domain1/ssl.key
-o smtpd_tls_CAfile=/home/domain1/ssl.ca
-o smtpd_tls_wrappermode=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o myhostname=domain1.tld
xxx.yyy.zzz.2:submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_cert_file=/home/domain1/ssl.cert
-o smtpd_tls_key_file=/home/domain1/ssl.key
-o smtpd_tls_CAfile=/home/domain1/ssl.ca
-o milter_macro_daemon_name=ORIGINATING
-o myhostname=domain1.tld
domain2.tld
xxx.yyy.zzz.3:smtp inet n - y - - smtpd
-o smtpd_tls_cert_file=/home/domain2/ssl.cert
-o smtpd_tls_key_file=/home/domain2/ssl.key
-o smtpd_tls_CAfile=/home/domain2/ssl.ca
-o myhostname=domain2.tld
xxx.yyy.zzz.3:smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_cert_file=/home/domain2/ssl.cert
-o smtpd_tls_key_file=/home/domain2/ssl.key
-o smtpd_tls_CAfile=/home/domain2/ssl.ca
-o smtpd_tls_wrappermode=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o myhostname=domain2.tld
xxx.yyy.zzz.3:submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_cert_file=/home/domain2/ssl.cert
-o smtpd_tls_key_file=/home/domain2/ssl.key
-o smtpd_tls_CAfile=/home/domain2/ssl.ca
-o milter_macro_daemon_name=ORIGINATING
-o myhostname=domain2.tld
On the original server I have 11 secure domains, what is also great is that if one of them happens to be injected with some sort of spambot, and it starts spamming (although this has never happened to me because I have great methods of checking for security breaches on my servers - using git by for this by the way!), it does not affect any of the other domains on the same server. It would also be possible to host insecure sites on the base IP address, and in this case, it would also be possible to set up a common mail server for clients on the base IP address, but in this instance I do not - I offer a premium service to clients on this particular server.
From the main.cf you will also note I am using spamhaus which I find extremely effective in combination with greylisting to combat spam, I very seldom get any clients complaining of being spammed, and certainly with my spam filtering techniques, I am unaware of any mails being lost into spam filters.
This is clearly a solution for a server with multiple IP addresses, it is NOT a solution for hosting multiple servers on the same IP address.
I hope this is in some way useful, and could potentially enhance a wonderful product. I certainly hope if it finds it’s way to inclusion in Virtualmin, along with the Dovecot solution.
Hamish