How to get installed Postfix 3.4+ with SNI support on CentOS 7/8

Hello,
I installed an SSL Let’s Encrypt certificate on a small VPS, and the domains work fine with independent SSL certificates and Apache. Unfortunately, the emails for each domain do not work with SSL, due to the certificate mismatch, which is a problem of Postfix. This is the VPS software:
Reference:
Virtualmin - Let's Encrypt SSL - Postfix - Dovecot - Multiple Domain Setup | Virtualmin

Software Versions
Operating system CentOS Linux 7.8.2003
Perl version 5.016003
BIND version 9.11
Postfix version 2.10.1
Apache version 2.4.6
PHP versions 5.4.16, 5.6.25, 7.2.24
Webalizer version 2.23-08
Logrotate version 3.8.6
MySQL version 5.5.65
ProFTPD version 1.35
SpamAssassin version 3.4.0
ClamAV version 0.99.2
Webmin version 1.942
Virtualmin version 6.09
Usermin version 1.791

Postfix version 3.4 works with SNI solving the issue with virtual domains and SSL email using SNI.

Question: Can I safely upgrade Postfix version 2.10.1 to Postfix 3.4 on CentOS 7.8.2003?
Postfix 3.4 is not in the base repository, only version 2:2.10.1-9.el7 is.
Thanks and regards.
joejac

I don’t recommend it. I recommend using one domain for mail purposes.

You will currently have to manage the configuration yourself (Virtualmin does not yet support managing SNI in Postfix) even if you upgrade. The next version of Virtualmin will have beta support for SNI in Postfix when the version on your OS supports it, but I would only recommend it for development/testing deployments for the near future, since it’s complicated new functionality. It’ll be officially supported by Virtualmin 7 in a few weeks…but, even then it’s probably wise to stick with one domain for mail on production systems until there’s been some time for bugs to shake out.

Anyway, I don’t know if you can safely upgrade Postfix. I’ve never done it, and I suspect you’ll need to build your own package (you definitely should not install from source on a production system) and that may prove to be non-trivial.

I cannot agree more! It might cause issues, which would need some experience to fix. We would like to point out that we wouldn’t be able to support it. However, if you feel you want to try, go ahead and let us know how it went. I would back up /etc/postfix, /etc/webmin and actually the complete /etc directory first.

Remember, that you could always go back to stock Postfix by swapping the packages back by using yum/dnf command.

Note: Only upcoming Virtualmin 6.10+ release will have SNI support for Postfix 3.4+.

Reasons?

I am posting this in good faith, believing that CentOS 7 and CentOS 8 users would want SNI support in Postfix sooner than EOL (2024 and 2029).

Warning!

The following instructions, at the moment, were only tested on a debug machine without deep testing. However, quick tests show that everything is going to work just fine.

How to get Postfix 3.5+ on CentOS 7 with SNI support?

  1. Install GhettoForge repos for CentOS 7 first by running the following command:
    yum --nogpg install https://mirror.ghettoforge.org/distributions/gf/gf-release-latest.gf.el7.noarch.rpm
  2. Enable conflicting repo, that replaces default packages from CentOS 7 by running:
    yum-config-manager --enable gf-plus
  3. Limit installable candidates to Postfix only by running:
    yum-config-manager --save --setopt=gf-plus.includepkgs=postfix*
  4. Swap default Postfix 2.x with latest Postfix 3.x by running:
    yum clean all && yum swap -- remove postfix -- install postfix3

How to get Postfix 3.5+ on CentOS 8 with SNI support?

  1. Install GhettoForge repos for CentOS 8 first by running the following command:
    dnf --nogpg install https://mirror.ghettoforge.org/distributions/gf/el/8/gf/x86_64/gf-release-8-11.gf.el8.noarch.rpm
  2. Enable conflicting repo, that replaces default packages from CentOS 8 by running:
    dnf config-manager --enable gf-plus
  3. Limit installable candidates to Postfix only by running:
    dnf config-manager --save --setopt=gf-plus.includepkgs=postfix*
  4. Swap default Postfix 2.x with latest Postfix 3.x by running:
    dnf clean all && dnf swap postfix postfix3
  5. Update lib path for new package by running:
    sed -i -e 's/\/usr\/lib64\/postfix/\/usr\/lib\/postfix/g' /etc/postfix/main.cf

After doing the steps above, check Postfix version by running:

    postconf -d mail_version

Restart Postfix service and check on status to make sure it’s working as expected:

    systemctl restart postfix && systemctl status postfix

Finally, manually edit /etc/webmin/postfix/version, if you’re running Webmin 1.953 and below.
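
A post-install check for the procedure above, added here as an example and not part of the original post or of any GhettoForge or Virtualmin tooling: it confirms that the gf-plus stanza in a .repo file is limited to postfix* packages and that a reported mail_version is 3.4 or later. The function names, the .repo file path you pass in, and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed for illustration.

# Print the value of KEY inside [SECTION] of a yum/dnf .repo file.
repo_opt() {  # usage: repo_opt FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($1 == sec); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# Succeed only if [gf-plus] has includepkgs set and every pattern starts with "postfix".
gf_plus_is_restricted() {  # usage: gf_plus_is_restricted FILE
    pkgs=$(repo_opt "$1" gf-plus includepkgs)
    [ -n "$pkgs" ] || return 1          # no includepkgs: repo may replace any base package
    set -f                              # keep "postfix*" literal while word-splitting
    for p in $(printf '%s' "$pkgs" | tr ',' ' '); do
        case $p in postfix*) ;; *) set +f; return 1 ;; esac
    done
    set +f
}

# Succeed if a "mail_version = X.Y.Z" line reports 3.4 or later, the first
# release with SNI according to the thread. Compares numerically, so 2.10 < 3.4.
supports_sni() {  # usage: supports_sni "$(postconf -d mail_version)"
    ver=${1#*= }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major$minor" in *[!0-9]*|"") return 1 ;; esac
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }
}

# Demo on constructed data (not taken from a real system).
sample=$(mktemp)
printf '%s\n' '[gf]' 'enabled=1' '' '[gf-plus]' 'enabled = 1' 'includepkgs = postfix*' > "$sample"
if gf_plus_is_restricted "$sample"; then echo "gf-plus: limited to postfix packages"
else echo "gf-plus: NOT restricted"; fi
if supports_sni "mail_version = 2.10.1"; then echo "2.10.1: SNI capable"
else echo "2.10.1: no SNI support"; fi
rm -f "$sample"
```

On a real host, pass the repo file that defines gf-plus and the output of `postconf -d mail_version` instead of the constructed values.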

That’s how I like it. Same MX for all two of my domains. SNI support is exciting nonetheless.

I might give this tutorial a whirl if the official release doesn’t beat me to it. But I’m not clear about something. Your instructions talk about Postfix 3.5 while 3.4 is mentioned for Virtualmin 6.10. Is this a matter of what repositories should and shouldn’t ship with Virtualmin?

We don’t ship it. Postfix 3.5 is bleeding edge, I would say. Only Fedora Server has version 3.5.2 by default. Version 3.4 is the first Postfix release that supports SNI.

Hello and thanks to all for your fast and kind responses.

Thanks a lot for your time @Joe. Your advice is wise, especially because I have CentOS 7 and I do not want an unhappy surprise. I will use the server domain as the mail server for all the domains with emails through the MX record. Fortunately, not all domains have emails.

@Ilia thank you very much for your valuable time in your detailed response. It is good to know the procedure, but I will stay with the standard repos, as it is a production server. CentOS usually has outdated packages, but it is pretty stable. I am not a pro in Linux administration; for that reason I use Webmin/Virtualmin with CentOS, which has been of great help to me. I want to keep my VPS installation as simple, clean, and free of trouble as possible.
Best regards.
Joejac

@Joe when is Virtualmin 6.10 with SNI expected to release?
Been waiting for this for months now.


We hope to release it this weekend or next week at max.


Great, looking forward to testing it :)
