On Jan 1, 2021, 8:53 PM, at 8:53 PM, Bob Proulx <[email protected]> wrote:
>Mayuresh wrote:
>> I am faced with a requirement to merge the mail servers running on 2
>VPSes
>> into 1, with a single ip address on NetBSD 9.1 amd64.
>
>Generally this should not be a problem for a single server to handle
>email for multiple domains. Assuming that one FQDN is chosen to be
>the exit node. Then all is easy and straight forward.
>
>> I searched around, mainly tls certificate of both domains being
>different
>> looks a bit gray to me. Some posts say it is possible, while some
>cite
>> issues with it.
>
>STARTTLS for SMTP is opportunistic unless specifically configured for
>the point-to-point connection between sites. Therefore most SMTP
>servers use a self-signed certificate by default and without validity
>checking. Many use CA valid certificates because that is also easy to
>set up. But for the most part SMTP is not a high security transfer
>protocol when connecting between random servers. Only when
>specifically configured between two cooperating servers.
>
>In any case the authoritative documentation is better than any summary
>I might make.
>
> http://www.postfix.org/TLS_README.html
>
>> I can get into experimenting, but thought of getting a word of advice
>on
>> the overall idea, feasibility, alternatives etc.
>
>I think you are asking if you can make one IP address appear as if it
>is the two original servers.
>
> http://www.postfix.org/MULTI_INSTANCE_README.html
>
>At some level of outbound direction traffic that is possible, but my
>opinion is that it is not worth the effort. And not for the inbound
>direction. That would require multiple IP addresses and binding to
>the specific one individually. One of those questions where "if you
>have to ask, then you shouldn't do it" types of things.
>
>Instead I would configure one server that can handle multiple domains.
>
> http://www.postfix.org/VIRTUAL_README.html
>
>> If performance isn't critical, purely from networking point of view,
>would
>> it be possible to run one of the domains in a VM so that both postfix
>> instances can be watertight.
>
>> Alternatively if getting 2 ip addresses is considered as an option
>would
>> it ease anything?
>
>Running VMs with their own address would make them look exacty like
>different hosts. And the extra layers would add to the security.
>
>Postfix is very secure in a standard configuration.
>
>> [Similar question would arise for http, but as of now one domain uses
>http
>> and the other uses https, so that should be manageable.]
>
>My opinion is that this just sets things up to be a problem later when
>the one domain that uses http decides that https is now needed. And
>for when the https domain decides that they would like to switch to
>Domain Validation certificates using Let's Encrypt on http.
>
>SNI for HTTP is very well supported now. I would just use one host,
>one IP, and multiple HTTP Virtual Hosts.
>
>Bob
