I am trying to wrap my head around the proper way to do a Let's Encrypt cert for multiple domains in Postfix. It seems my current setup only has one cert for Postfix. Every time I do a "copy to Postfix" it overwrites whatever was there last. This tends to generate messages for clients.
What is the proper way to fix this?
Say I have j2sw.com and startawisp.com. Both have different mail servers that need a cert. What is the proper way to have a cert for each? Hope this is clear enough.
Yes, due to limitations in Postfix, you can only have one SSL certificate per IP address.
If you use multiple IP addresses, it would be possible to have more than one SSL certificate.
Otherwise, it’s necessary to share one SSL certificate for all your users on that IP address.
So best practice would be to use an SSL cert for Postfix for the hostname? And then any of the hosted virtual servers will be okay? Just trying to walk through this in my head. For example, my host is vhost7. and I have j2sw.com. If I use mail.j2sw.com as a mail server, will it just use the vhost7 cert and be happy?
Think about the way Gmail sets up things. When you sign up for their service and use a “custom domain” (paid service) it still uses “imap.gmail.com” and “smtp.gmail.com” (they have separate servers serving up each of the services). This way you are sharing a single TLS certificate rather than them delegating one specific for your domain.
The best practice I recommend is setting up a hostname that you wish to use for email communication, then assigning an SSL certificate to that domain, and copying it to both Postfix and Dovecot. This way, for instance, you could have "mail.server-hostname.com" with TLS support.
Once you've set up the above, each domain that is hosted would simply use "mail.server-hostname.com" to send and receive email.
If you have any further questions, feel free to drop me an email and we can set up a one-on-one session to go over things in greater detail.
We used this method for years and it worked well, for the most part. The biggest problem I found was that when you migrate the customer domain to a new Virtualmin server (for example, we just retired Ubuntu Server 14.04), their mail clients all 'broke'.
Ideally, we would use ‘mail.theclientdomain.tld’, with their own SSL cert that secures all services so that when their virtual server is migrated again to the next generation of (Virtualmin) server, it would all still ‘just work’.
Supposedly, you can assign a static public IP to the virtual server and it will work just like this. I haven't been successful with that, so far… still workin' on it.
Postfix does not support SNI, but a simple "SNI" is possible through a Let's Encrypt certificate.
For 5 domains like:
dom[2.5].example, use Let's Encrypt with the DNS names in it.
So in this way one domain is the MX, which is used for communication between the SMTP server -> external server and vice versa.
Other domain names (certificate DNS names) can be used for SSL configuration between clients and the mail server (POP3S, IMAPS, SMTPS).
Checked on 5 different domains on one Postfix server.
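The two answers above describe the same arrangement: one certificate, copied to Postfix and Dovecot, whose subjectAltName carries the MX hostname plus the client-facing names of every hosted domain. The script below is an added example (not from this thread, Virtualmin or Postfix) that checks a PEM certificate for exactly that before it is put into service, and shows which cert Postfix currently loads, which is the file the last "copy to Postfix" overwrote. The hostnames in REQUIRED_NAMES are constructed placeholders; it assumes OpenSSL 1.1.1 or newer (for `x509 -ext`) and, for the live part, the `postconf` command.

```shell
#!/bin/sh
# Added example (not from the thread): verify that ONE certificate carries
# every DNS name that mail clients and peer MTAs will use, so a single shared
# cert (copied to Postfix and Dovecot) can serve several hosted domains.
# All hostnames below are constructed placeholders; adjust for your server.

# The MX hostname (server-to-server SMTP) plus the client-facing names the
# hosted domains publish for IMAPS/POP3S/submission. Each must be a SAN entry.
REQUIRED_NAMES="mail.server-hostname.com mail.j2sw.com mail.startawisp.com"

# Print the DNS entries of a PEM certificate's subjectAltName, one per line.
# Needs OpenSSL 1.1.1 or newer for the -ext option.
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# name_covered NAME "SAN1 SAN2 ..." -> exit 0 if NAME matches a SAN entry.
# Case-insensitive; a "*.example" wildcard matches exactly one label
# (host.example but not a.b.example), which is how clients apply it.
name_covered() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for san in $2; do
        san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        case $san in
            \*.*)
                suffix=${san#\*}                    # ".example"
                label=${name%"$suffix"}             # part before the suffix
                [ "$label" = "$name" ] && continue  # suffix absent: no match
                case $label in
                    ''|*.*) ;;                      # empty or multi-label: no
                    *) return 0 ;;
                esac
                ;;
            *)
                [ "$san" = "$name" ] && return 0
                ;;
        esac
    done
    return 1
}

# check_coverage "SAN list" NAME... -> prints uncovered names, exit 1 if any.
check_coverage() {
    sans=$1; shift
    missing=""
    for n in "$@"; do
        name_covered "$n" "$sans" || missing="$missing $n"
    done
    if [ -n "$missing" ]; then
        printf 'not covered by the certificate:%s\n' "$missing"
        return 1
    fi
    return 0
}

# Live checks, run only when a certificate path is given:
#   1. which cert/key Postfix actually loads (the file the last copy replaced);
#   2. whether that cert covers every required name.
main() {
    cert=$1
    command -v postconf >/dev/null 2>&1 &&
        postconf smtpd_tls_cert_file smtpd_tls_key_file
    sans=$(san_names "$cert" | tr '\n' ' ')
    check_coverage "$sans" $REQUIRED_NAMES
    # On-the-wire check per name, against the running server (manual):
    #   openssl s_client -connect 127.0.0.1:25 -starttls smtp \
    #       -servername mail.j2sw.com </dev/null |
    #       openssl x509 -noout -subject -ext subjectAltName
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check-mail-cert.sh /path/to/fullchain.pem` after each Let's Encrypt renewal or copy; a non-zero exit with a list of names means clients for those domains will get the certificate warnings the first post describes. The wildcard rule is deliberately strict (one label only), since that is what mail clients enforce, so a `*.example` entry does not make `example` or `a.b.example` safe.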
Thing is: even if you set SSL for [hostname], every time a new domain/host/site with SSL is added to that instance, the latest SSL cert generated and installed seems to replace the existing one in Postfix on that instance/server?