SNI, multi-homes virtual hosts, accepting mail to local users

I have been 20 questions lately trying to figure out the odds and ends. I figured out everything else but I was wondering if these were possible.

  1. SNI (Server Name Indication). Basically the ability to have multiple virtual servers on the same ip and have ssl enabled.

  2. Multi-homed virtual hosts. Have multiple IPs on the same virtual host. This would be limited to the ips available on the main virtual server. The virtual server may not necessarily use both ips but would rather have them available for use.

  3. Is it possible to setup the mail server to accept mail sent to a particular domain and deliver directly to local users rather than the virtual table? The rest of the domains should be processed like they are now.

Howdy,

Basically the ability to have multiple virtual servers on the same ip and have ssl enabled.

SSL’s limitation is that you can only have one certificate per IP address.

However, if you get a wildcard or UCC SSL cert, those each allow multiple domains per certificate.

If you were to use a wildcard or UCC SSL certificate, you could have multiple Virtual Servers on one IP address all with SSL enabled. It’s just a matter of purchasing the certificate, which costs more than a cert with one domain.

Multi-homed virtual hosts. Have multiple IPs on the same virtual host.

I’m not sure what the use-case for that would be, but at the moment Virtualmin only supports one IP address per Virtual Server.

Is it possible to setup the mail server to accept mail sent to a particular domain and deliver directly to local users rather than the virtual table

Hmm, I’m not sure I follow what you’re trying to get here… the only reason the virtual table exists is to tell the mail system what account to deliver the email to on a multi-domain system.

For each local user you have in a given domain, Virtualmin adds an entry for that user in /etc/postfix/virtual. I don’t know that there’d be a good way to accomplish the same task without using that virtual table, though even if there were, I’m not sure Virtualmin could be told to stop using it :slight_smile:

If you have any other questions, feel free to ask… have a good one!

-Eric

Hi Eric,

SSL's limitation is that you can only have one certificate per IP address.

However, if you get a wildcard or UCC SSL cert, those each allow multiple domains per certificate.

If you were to use a wildcard or UCC SSL certificate, you could have multiple Virtual Servers on one IP address all with SSL enabled. It’s just a matter of purchasing the certificate, which costs more than a cert with one domain.

Actually mod_ssl and mod_gnutls both support name-based SSL now but it can be tricky to setup. Mod_ssl is included with apache but mod_gnutls may be easier to setup.

Reference: NameBasedSSLVHostsWithSNI - HTTPD - Apache Software Foundation
Reference: http://www.outoforder.cc/projects/apache/mod_gnutls/

Just the same I’m using wildcard certificates but my hope is that maybe in the future I can save ips and be able to assign multiple unique domains to the same ip and even have ssl on them if needed.

Multi-homed virtual hosts. Have multiple IPs on the same virtual host.

I’m not sure what the use-case for that would be, but at the moment Virtualmin only supports one IP address per Virtual Server.

I want it for the virtual server I dropped for my server hostname. It is for the curious minds. Also I need to setup a reverse dns and if I want both of my ips to point to the same hostname. For that you need an A record for each IP you want to go to that hostname. If I didn’t have a virtual server setup I could just add it to DNS no problem.

Is it possible to setup the mail server to accept mail sent to a particular domain and deliver directly to local users rather than the virtual table

Hmm, I’m not sure I follow what you’re trying to get here… the only reason the virtual table exists is to tell the mail system what account to deliver the email to on a multi-domain system.

For each local user you have in a given domain, Virtualmin adds an entry for that user in /etc/postfix/virtual. I don’t know that there’d be a good way to accomplish the same task without using that virtual table, though even if there were, I’m not sure Virtualmin could be told to stop using it :slight_smile:

Hmm… This was the odd one that I wasn’t sure if was even doable. Basically I want to keep using the virtual table. That’s fine. However right now the majority of my “users” don’t even have email enabled because all that is being routed to google. On the other hand I have my hostname as a valid A record in the system and if I log into webmail using a user not in the virtual table it appends @hostname at the end automatically. Is it possible to configure postfix to accept mail for that hostname and deliver it directly to the local user?

At this point I’m just going to drop the virtual server for the hostname (slightly redundant I guess) and just add a couple of manual a records and TXT record for it so that spf passes and I get the rdns to multiple ips going. I still would like there to be some way to deliver to local users if needed even if they don’t have an email enabled for their particular domain.

I know that I can use usermin and send it to user@localhost but the hostname appears in a few other places and if someone happens to send to root@hostname I would prefer to receive it. If you can tell me how to set a manual alias that may work too. It only needs to be for root really and I already managed to reconfigure system root mail to route to my normal login instead already.

The last part here now. I setup the hostname virtual server entry mostly because I needed to get a good (non-selfsigned) certificate on for usermin, virtualmin, postfix, and dovecot. Is there any way to get new certificates onto those services quickly in the future without having to copy it from a virtual server?

P.S. - You have permission to slap me around or whatever if it was an easy resolution to that one.