Hello,
I have virtualmin installed with several virtual servers
Each virtual server has users and email accounts
I can send emails but I can’t receive emails.
If I try to send an email from a Gmail account to one of the emails of my virtual servers, that Gmail account receives an email back that says:
There was a temporary problem delivering the message to xxxx
This is the response from the remote server:
454 4.7.0 TLS not available due to local problem
It only receives emails from email accounts from other domains in the same server
And I just tried with mail.com and I’m receiving emails from mail.com
Seems that it only fails from Gmail, which probably forces TLS/SSL encryption
Any suggestion?
Regards
Operating system: CentOS OS version: CentOS 7 2009
I’m no kind of a Postfix expert, but I’m pretty certain that if you’re not using SNI, then only the cert for the hostname domain gets copied to Postfix and Dovecot.
Postfix on CentOS does not have SNI. You cannot possibly use more than one certificate. Pick one (1) domain to use for mail, and click “Copy to Postfix”. Stop there. You’re done. Use that domain for anything that interacts with SMTP, always.
No. “Copy to” is always to choose a default domain for TLS for the service…even in cases where a service supports SNI (e.g. new versions of Dovecot), if you click “Copy to” it does not affect the other domains. It makes no sense to ever click “Copy to” for more than one domain for any service. If SNI is supported in both the service and in Virtualmin’s configuration capabilities for the service, it will always be done automatically (unless otherwise disabled). Clicking it for more than one domain switches to the most recent domain for which you clicked it, which is obviously not what you want. Pick the domain you want to use for SMTP HELO and stop there.
Edit: We’re going to relabel the “Copy to…” options in the near future, as they cause way too much confusion even among people with Virtualmin experience. I’m not sure exactly how it will read after that change, but if anybody has opinions on how to word it so that people don’t misinterpret it so often, please don’t hesitate to chime in on this ticket: Copy to... for certs still confuses people a lot. · Issue #247 · virtualmin/virtualmin-gpl · GitHub
That’s surprising. I know I upgraded it myself, but it’s been available for… I think almost a year? I’d think CentOS would have made it the default install by now.
Not surprising at all. CentOS never changes the version during the lifecycle of the release. CentOS 7 has the same Postfix version (with minor patches) that it had when the OS was first released, and CentOS 7 will reach EOL with that same version. And, they never choose cutting edge versions at the beginning of a release…it’s always going to be a version that’s been beaten up in Fedora for a few months or years. That’s the promise RHEL and CentOS make: Stability and compatibility. That’s what you’re signing up for when you choose CentOS. It’s a feature, not a bug, but it does lead to annoyingly old versions of software sometimes.
Hello,
I just selected the virtual server of the main domain.
In Virtualmin > Server Configuration > SSL Certificate > Service Certificates
I Copied to Postfix
And now I tested an email account from each domain and it works
I’m even receiving the emails from days ago from the Gmail account.
Gmail keeps trying to send me those emails.
Thank you.
Hello,
I understood perfectly the meaning of “Copy to”
But I didn’t have knowledge about SNI, and Postfix has no SNI but it is used by other services.
I’m not a professional sysadmin
That’s why I didn’t understand if it needs to copy from every domain cuz I’m thinking that it has to work in the same way like other services.
Forget SNI. The ancient version of Postfix that CentOS installs doesn’t support it. I didn’t know that, even though I should have because I updated it myself.
Apache does, however, which is why you don’t need separate IP addresses for every https site like we did in olden times.
You should not copy from every domain for services that support SNI, either. That’s what I’m saying: Copy to… does not work the way most people assume it works. It is for one certificate (and only one) that will be the default, in cases where the service does not support SNI or in the case where the service does support SNI but the domain you’re using to connect to the service does not have a certificate that Virtualmin knows about.
You only ever “Copy to…” one (1) time, no matter what the service is. And…it’s not even necessary to do that for services that support SNI, because any domain that has a cert already gets the right cert configured automatically. Clicking it for more than one domain can only ever switch which domain cert is the “default”. But, for most services you shouldn’t care about the “default”. (This is why we have to change that label. Nobody ever assumes it does what it actually does.)
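The 454 reply quoted in the first post is what Postfix sends when it offers STARTTLS but could not set up its TLS context, typically because the single default certificate or key it is configured with cannot be loaded. The script below is an added example, not part of the original posts or of Virtualmin: it audits the `smtpd_tls_cert_file` and `smtpd_tls_key_file` values found in saved `postconf -n` output. The function names and the `/tmp/postconf.txt` path are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the smtpd TLS parameters from saved `postconf -n` output.
# Usage on the mail server (as root, so the key file is readable):
#   postconf -n > /tmp/postconf.txt    # path is an assumption
#   check_smtpd_tls /tmp/postconf.txt

# Print the value of one "name = value" parameter (last occurrence wins).
get_param() {   # $1 = postconf output file, $2 = parameter name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Check one PEM file: $1 = parameter label, $2 = path, $3 = marker expected
# inside the file. Prints a finding and returns 1 when something is wrong.
check_pem() {
    if [ -z "$2" ] || [ "$2" = "none" ]; then
        echo "FAIL: $1 is not set"
        return 1
    fi
    if [ ! -r "$2" ]; then
        echo "FAIL: $1 = $2 is missing or unreadable"
        return 1
    fi
    if ! grep -q -- "$3" "$2"; then
        echo "FAIL: $1 = $2 contains no '$3' block"
        return 1
    fi
    echo "ok:   $1 = $2"
}

# Returns 0 when smtpd has a loadable default certificate and private key.
check_smtpd_tls() {   # $1 = postconf output file
    rc=0
    cert=$(get_param "$1" smtpd_tls_cert_file)
    key=$(get_param "$1" smtpd_tls_key_file)
    check_pem smtpd_tls_cert_file "$cert" "BEGIN CERTIFICATE" || rc=1
    # Postfix's default for smtpd_tls_key_file is the certificate file itself,
    # so with no explicit key file the key must be inside the certificate file.
    [ -n "$key" ] || key=$cert
    check_pem smtpd_tls_key_file "$key" "PRIVATE KEY" || rc=1
    return $rc
}
```

Because this Postfix build has no SNI, the one certificate this reports is the one presented to every sending server, whichever hosted domain the mail is addressed to.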