OS type and version: CentOS Linux 7.9.2009
Hi, I'm having an issue with cert failure in TLS (//email/testTo:).
I have multiple domains with their own SSL certs sharing the same IP address.
For postfix I have to select one domain as the main domain and use that SSL to copy to postfix for all the other domains to use. This means only the main domain has a cert match on TLS. The rest get ‘Cert Hostname DOES NOT VERIFY’ errors on checking their TLS.
Is there any way to solve this?
You cannot do that. The “copy to” button is for one domain. I really thought we’d fixed the UI to make it clear that it doesn’t make sense to click the button for every domain…because the version of postfix you have does not support SNI. You only get one. So, if you’re using an old distro, you use one domain for all mail stuff (this does not mean users can’t send/retrieve for their own domain, it just means the server name they connect to is the one domain you pick as your “main” domain…this is not unusual, it’s extremely new that it’s even been possible to use SNI with a mail server).
Anyway, if you really must have this feature, you need a newer Postfix version (e.g. the one in RHEL/Rocky 8, I believe, supports SNI). Or just have a primary domain that you use for sending mail.
Sorry, to be clear, I haven't clicked the 'copy to' button on every domain. Say I have domain1.com, domain2.com and domain3.com. I have picked domain3.com as my mail domain and clicked 'copy to postfix' on that domain's SSL management page only.
I'm using the Gmail 'send as' feature, so on all domains I input mail.domain3 as my SMTP server and use TLS.
The issue now is that when I run a TLS check the hostname does not match on domain1 and domain2 and I'm getting a cert error.
I don’t think I understand. Why would you expect the TLS cert in Postfix to verify for other domains when your Postfix can only ever provide one cert (for one domain)?
Fair point. I guess the question I'm asking is how do you send email via another domain's mail server without failing the TLS check for having different hostnames?
Perhaps I'm setting the MX records incorrectly in that case?
Yeah, using the same mail server name in all of your MX records would be a way to do it. It pretty much boils down to “use one domain for all mail stuff”, as I said above. Clients, servers, etc. Anything that needs to communicate with Postfix (clients or servers sending through it or to it) would need to connect on the right name for the cert you have configured.
And, as I mentioned, newer Postfix versions support SNI (and Dovecot does, too), so if you really want to use different names, you can get a newer distro (I’m not sure RHEL/Rocky has a newer enough version, but I seem to recall it does). But, if “one domain” is good enough for Google, it’s good enough for me and I’ve never had a problem using one name per-server for my mail needs. Google Workspace mail for domains always uses Google MX records for mail…as most mail services do. Wietse went so far as to say he would never implement SNI in Postfix (many years ago) because he thought it was silly to have different names in this situation. But, somebody else implemented it and I guess Wietse caved.
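As an added illustration of the mismatch Joe describes (example code, not from the thread or from Virtualmin): `hostname_matches_san` reproduces the client-side hostname check against a certificate's SAN list, and `probe_starttls` runs the same check live over STARTTLS with SNI. The domain names and the SAN list are constructed from the thread's example.

```python
import smtplib
import ssl


def hostname_matches_san(hostname, san_names):
    """Return True if hostname matches a dNSName in the cert's SAN list (RFC 6125 rules)."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        first, rest = san_labels[0], san_labels[1:]
        # A wildcard may only be the whole left-most label and never matches
        # a bare registrable domain ("*.example.com" vs "example.com").
        if first == "*":
            if len(host_labels) > 2 and rest == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def verify_report(server_san_names, client_hostnames):
    """For each name a client connects to, True if the server cert verifies."""
    return {h: hostname_matches_san(h, server_san_names) for h in client_hostnames}


def probe_starttls(host, port=587, timeout=10):
    """Live check: STARTTLS to host, SNI=host, full chain and hostname verification.

    Returns (True, commonName) if the cert verifies, else (False, error text).
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)  # smtplib sets server_hostname=host
            subject = dict(rdn[0] for rdn in smtp.sock.getpeercert()["subject"])
            return True, subject.get("commonName", "")
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


# Constructed scenario from the thread: the cert copied into Postfix covers only
# the chosen mail domain, so clients pointed at mail.domain1/2.com fail.
POSTFIX_CERT_SANS = ["mail.domain3.com", "domain3.com", "www.domain3.com"]
CLIENT_SMTP_HOSTS = ["mail.domain1.com", "mail.domain2.com", "mail.domain3.com"]

if __name__ == "__main__":
    for name, ok in verify_report(POSTFIX_CERT_SANS, CLIENT_SMTP_HOSTS).items():
        print(f"{name}: {'verifies' if ok else 'Cert Hostname DOES NOT VERIFY'}")
```

Pointing every domain's MX and client SMTP setting at mail.domain3.com makes all three checks pass with the single cert; only a Postfix build with SNI support can present a different cert per connected name.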
Thanks for the reply Joe.
I think SNI seems neater from the perspective of domain setup and installation, i.e. the mail server for domain.com is auto configured as mail.domain.com and the SSL for domain.com is applied to mail.domain.com, rather than reconfiguring SSL and MX for mail.chosenmaildomain.com, but I get what you're saying about using one domain for mail.
I think Wietse is "hier gaan polderen", gone the Dutch politician way here.