Re: Multiple TLS certificates on multiple IPs
However, I just realized that I actually might not need to change the domain. The -o overrides I need may only be the smtpd_tls_* settings. I was just concerned about name mismatches with the certificate, but whatever postfix thinks is the domain shouldn't affect the client's matching the domain name in the certificate itself to the domain it used to connect. Therefore, perhaps this proposal would NOT be outside the scope of what you find acceptable?

1.2.3.4:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
  -o smtpd_tls_key_file=/etc/postfix/domainA.key
4.3.2.1:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
  -o smtpd_tls_key_file=/etc/postfix/domainB.key

Just wanted to confirm with the list that this does in fact work... and work beautifully. :-) It also works for smtps and submission services as well. Very cool.

Wietse: I see no multiple settings for the same host/domain parameters here.

Right, I was hoping this was more acceptable for official use.

Wietse: Postfix also needs to know that it is final destination for [1.2.3.4], [4.3.2.1] and for all the corresponding domain names, otherwise mail for those destinations will loop. You need to list 1.2.3.4 and 4.3.2.1 in main.cf:proxy_interfaces if those addresses don't already match main.cf:inet_interfaces, and you need to list all the corresponding host/domain names in mydestination, if those host/domain names aren't already listed in virtual_{alias,mailbox}_maps.

Right. I already have all those things set up, as it works fine listening on the machine with the single TLS certificate for all interfaces and domains. Seems like this will work, then. Thanks VERY VERY much for your patience, support and the great wonderful software and hard work you give to the world!
Re: Multiple TLS certificates on multiple IPs
email builder wrote:

[snip]

I do not support configurations with multiple myhostname/mydomain settings (or multiple settings for any domain-like parameter that determines how Postfix handles email).

That's certainly fair. I can accept that I am stepping outside the use model with this and that maybe the sure bet would be to run multiple instances. I will, however, endeavor to test my idea and report back for others' edification if it works or not.

you can use multiple postfix instances (run postfix multiple times, with different config_directory, queue_directory, data_directory...).
Re: Multiple TLS certificates on multiple IPs
Wietse: I do not support configurations with multiple myhostname/mydomain settings (or multiple settings for any domain-like parameter that determines how Postfix handles email).

email builder: That's certainly fair. I can accept that I am stepping outside the use model with this and that maybe the sure bet would be to run multiple instances. I will, however, endeavor to test my idea and report back for others' edification if it works or not.

Please, DO NOT share details of unsupported configurations. Postfix internals are being updated on an ongoing basis and I don't need the support load from people who find that your stuff no longer works.

Wietse
Re: Multiple TLS certificates on multiple IPs
email builder wrote:

[snip]

I do not support configurations with multiple myhostname/mydomain settings (or multiple settings for any domain-like parameter that determines how Postfix handles email).

That's certainly fair. I can accept that I am stepping outside the use model with this and that maybe the sure bet would be to run multiple instances. I will, however, endeavor to test my idea and report back for others' edification if it works or not.

you can use multiple postfix instances (run postfix multiple times, with different config_directory, queue_directory, data_directory...).

I know, but my thinking was that it's overkill because all I need is to serve a different TLS cert for each IP address, but no other changes are needed.
Re: Multiple TLS certificates on multiple IPs
I do not support configurations with multiple myhostname/mydomain settings (or multiple settings for any domain-like parameter that determines how Postfix handles email).

email builder: That's certainly fair. I can accept that I am stepping outside the use model with this and that maybe the sure bet would be to run multiple instances. I will, however, endeavor to test my idea and report back for others' edification if it works or not.

Please, DO NOT share details of unsupported configurations. Postfix internals are being updated on an ongoing basis and I don't need the support load from people who find that your stuff no longer works.

Alright, I understand. However, I just realized that I actually might not need to change the domain. The -o overrides I need may only be the smtpd_tls_* settings. I was just concerned about name mismatches with the certificate, but whatever postfix thinks is the domain shouldn't affect the client's matching the domain name in the certificate itself to the domain it used to connect. Therefore, perhaps this proposal would NOT be outside the scope of what you find acceptable?

1.2.3.4:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
  -o smtpd_tls_key_file=/etc/postfix/domainA.key
4.3.2.1:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
  -o smtpd_tls_key_file=/etc/postfix/domainB.key
Re: Multiple TLS certificates on multiple IPs
Wietse: I do not support configurations with multiple myhostname/mydomain settings (or multiple settings for any domain-like parameter that determines how Postfix handles email).

email builder: That's certainly fair. I can accept that I am stepping outside the use model with this and that maybe the sure bet would be to run multiple instances. I will, however, endeavor to test my idea and report back for others' edification if it works or not.

Wietse: Please, DO NOT share details of unsupported configurations. Postfix internals are being updated on an ongoing basis and I don't need the support load from people who find that your stuff no longer works.

email builder: Alright, I understand. However, I just realized that I actually might not need to change the domain. The -o overrides I need may only be the smtpd_tls_* settings. I was just concerned about name mismatches with the certificate, but whatever postfix thinks is the domain shouldn't affect the client's matching the domain name in the certificate itself to the domain it used to connect. Therefore, perhaps this proposal would NOT be outside the scope of what you find acceptable?

1.2.3.4:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
  -o smtpd_tls_key_file=/etc/postfix/domainA.key
4.3.2.1:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
  -o smtpd_tls_key_file=/etc/postfix/domainB.key

I see no multiple settings for the same host/domain parameters here.

Postfix also needs to know that it is final destination for [1.2.3.4], [4.3.2.1] and for all the corresponding domain names, otherwise mail for those destinations will loop. You need to list 1.2.3.4 and 4.3.2.1 in main.cf:proxy_interfaces if those addresses don't already match main.cf:inet_interfaces, and you need to list all the corresponding host/domain names in mydestination, if those host/domain names aren't already listed in virtual_{alias,mailbox}_maps.

Wietse
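
The line this thread draws between the first proposal (per-listener myhostname/mydomain overrides) and the second (only smtpd_tls_* overrides) can be checked mechanically against master.cf text. The following is an added example, not code from the thread or from Postfix; the function names and the DOMAIN_LIKE entries beyond myhostname and mydomain are assumptions of this example.

```python
import re
# Constructed samples: the thread's first master.cf proposal, and the second,
# which is the same two entries without the myhostname/mydomain overrides.
FIRST_PROPOSAL = """\
1.2.3.4:smtp inet n - n - - smtpd
  -o myhostname=mail.domainA.com -o mydomain=domainA.com
  -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
  -o smtpd_tls_key_file=/etc/postfix/domainA.key
4.3.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.domainB.com -o mydomain=domainB.com
  -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
  -o smtpd_tls_key_file=/etc/postfix/domainB.key
"""
SECOND_PROPOSAL = re.sub(r"\n  -o myhostname=\S+ -o mydomain=\S+", "", FIRST_PROPOSAL)
# Assumption: the thread names only myhostname and mydomain; the other entries
# are further domain-like main.cf parameters picked for this example.
DOMAIN_LIKE = {"myhostname", "mydomain", "myorigin", "mydestination",
               "relay_domains", "virtual_alias_domains", "virtual_mailbox_domains"}

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop blanks and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def smtpd_services(text):
    """Return (listen, overrides) for each complete smtpd service entry."""
    services = []
    for fields in map(str.split, logical_lines(text)):
        if len(fields) < 8 or fields[7] != "smtpd":
            continue  # needs the eight master.cf fields, command in the last
        args, overrides = fields[8:], {}
        for flag, setting in zip(args, args[1:]):
            if flag == "-o" and "=" in setting:
                overrides.update([setting.split("=", 1)])
        services.append((fields[0], overrides))
    return services

def audit(text):
    """Map each smtpd listener to its certificate; list domain-like overrides."""
    certs, findings = {}, []
    for listen, overrides in smtpd_services(text):
        for name, value in sorted(overrides.items()):
            if name in DOMAIN_LIKE:
                findings.append((listen, name, value))
            elif name == "smtpd_tls_cert_file":
                certs[listen] = value
    return certs, findings
```

Running audit() on the second proposal returns the same listener-to-certificate map as the first, with an empty findings list.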
Re: Multiple TLS certificates on multiple IPs
Wietse: I do not support configurations with multiple myhostname/mydomain settings (or multiple settings for any domain-like parameter that determines how Postfix handles email).

email builder: That's certainly fair. I can accept that I am stepping outside the use model with this and that maybe the sure bet would be to run multiple instances. I will, however, endeavor to test my idea and report back for others' edification if it works or not.

Wietse: Please, DO NOT share details of unsupported configurations. Postfix internals are being updated on an ongoing basis and I don't need the support load from people who find that your stuff no longer works.

email builder: Alright, I understand. However, I just realized that I actually might not need to change the domain. The -o overrides I need may only be the smtpd_tls_* settings. I was just concerned about name mismatches with the certificate, but whatever postfix thinks is the domain shouldn't affect the client's matching the domain name in the certificate itself to the domain it used to connect. Therefore, perhaps this proposal would NOT be outside the scope of what you find acceptable?

1.2.3.4:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
  -o smtpd_tls_key_file=/etc/postfix/domainA.key
4.3.2.1:smtp inet n - n - - smtpd
  -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
  -o smtpd_tls_key_file=/etc/postfix/domainB.key

Wietse: I see no multiple settings for the same host/domain parameters here.

Right, I was hoping this was more acceptable for official use.

Wietse: Postfix also needs to know that it is final destination for [1.2.3.4], [4.3.2.1] and for all the corresponding domain names, otherwise mail for those destinations will loop. You need to list 1.2.3.4 and 4.3.2.1 in main.cf:proxy_interfaces if those addresses don't already match main.cf:inet_interfaces, and you need to list all the corresponding host/domain names in mydestination, if those host/domain names aren't already listed in virtual_{alias,mailbox}_maps.

Right. I already have all those things set up, as it works fine listening on the machine with the single TLS certificate for all interfaces and domains. Seems like this will work, then. Thanks VERY VERY much for your patience, support and the great wonderful software and hard work you give to the world!
Re: Multiple TLS certificates on multiple IPs
email builder: Hello, I have two IP addresses on my server and would like to serve a different SSL (TLS) certificate for each one. I think all the other configuration will not need to differ between the two, so I think running multiple instances of postfix would be overkill (?). I want to confirm that it would be possible/viable/advisable to simply create two smtpd processes in master.cf:

1.2.3.4:smtp inet n - n - - smtpd
  -o myhostname=mail.domainA.com
  -o mydomain=domainA.com
  -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
  -o smtpd_tls_key_file=/etc/postfix/domainA.key
4.3.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.domainB.com
  -o mydomain=domainB.com
  -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
  -o smtpd_tls_key_file=/etc/postfix/domainB.key

The rest of Postfix needs to know where it should deliver mail for mail.domainB.com, domainB.com, mail.domainA.com, and domainA.com. Otherwise, the Postfix SMTP server will reject mail with relay access denied, and the Postfix SMTP client will reject mail with that mail loops back to myself.

Note that the Postfix SMTP server does not make all decisions by itself. It relies on the trivial-rewrite service to decide how a domain should be handled. There is no official support for multiple domain personalities.

Wietse
Re: Multiple TLS certificates on multiple IPs
I have two IP addresses on my server and would like to serve a different SSL (TLS) certificate for each one. I think all the other configuration will not need to differ between the two, so I think running multiple instances of postfix would be overkill (?). I want to confirm that it would be possible/viable/advisable to simply create two smtpd processes in master.cf:

1.2.3.4:smtp inet n - n - - smtpd
  -o myhostname=mail.domainA.com
  -o mydomain=domainA.com
  -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
  -o smtpd_tls_key_file=/etc/postfix/domainA.key
4.3.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.domainB.com
  -o mydomain=domainB.com
  -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
  -o smtpd_tls_key_file=/etc/postfix/domainB.key

The rest of Postfix needs to know where it should deliver mail for mail.domainB.com, domainB.com, mail.domainA.com, and domainA.com.

Oh, perhaps I didn't make it clear that I have a whole bunch of other configuration in main.cf, which includes MySQL lookups for transport_maps and virtual_mailbox_maps. On a single IP address with one TLS certificate, it routes/accepts mail for domainA and domainB as needed. My assumption above is that as long as I don't override all the settings that make my mail delivery work with one IP/TLS certificate, I can just change what TLS certificate is offered up for each of my IP addresses.

Otherwise, the Postfix SMTP server will reject mail with relay access denied, and the Postfix SMTP client will reject mail with that mail loops back to myself.

Does my clarification above change your opinion about this? Why wouldn't mail for domainA and domainB be treated the same as before (when using just one IP/TLS cert) if I don't override any other settings?

Note that the Postfix SMTP server does not make all decisions by itself. It relies on the trivial-rewrite service to decide how a domain should be handled. There is no official support for multiple domain personalities.

Right, I understand this is not as much a domain personality as it is a per-IP change. Thanks so very, very much.
Re: Multiple TLS certificates on multiple IPs
email builder: I have two IP addresses on my server and would like to serve a different SSL (TLS) certificate for each one. I think all the other configuration will not need to differ between the two, so I think running multiple instances of postfix would be overkill (?). I want to confirm that it would be possible/viable/advisable to simply create two smtpd processes in master.cf:

1.2.3.4:smtp inet n - n - - smtpd
  -o myhostname=mail.domainA.com
  -o mydomain=domainA.com
  -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
  -o smtpd_tls_key_file=/etc/postfix/domainA.key
4.3.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.domainB.com
  -o mydomain=domainB.com
  -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
  -o smtpd_tls_key_file=/etc/postfix/domainB.key

The rest of Postfix needs to know where it should deliver mail for mail.domainB.com, domainB.com, mail.domainA.com, and domainA.com.

Oh, perhaps I didn't make it clear that I have a whole bunch of other configuration in main.cf, which includes MySQL lookups for transport_maps and virtual_mailbox_maps. On a single IP address with one TLS certificate, it routes/accepts mail for domainA and domainB as needed. My assumption above is that as long as I don't override all the settings that make my mail delivery work with one IP/TLS certificate, I can just change what TLS certificate is offered up for each of my IP addresses.

Otherwise, the Postfix SMTP server will reject mail with relay access denied, and the Postfix SMTP client will reject mail with that mail loops back to myself.

Does my clarification above change your opinion about this? Why wouldn't mail for domainA and domainB be treated the same as before (when using just one IP/TLS cert) if I don't override any other settings?

I do not support configurations with multiple myhostname/mydomain settings (or multiple settings for any domain-like parameter that determines how Postfix handles email).

Wietse

Note that the Postfix SMTP server does not make all decisions by itself. It relies on the trivial-rewrite service to decide how a domain should be handled. There is no official support for multiple domain personalities.

Right, I understand this is not as much a domain personality as it is a per-IP change. Thanks so very, very much.
Re: Multiple TLS certificates on multiple IPs
I have two IP addresses on my server and would like to serve a different SSL (TLS) certificate for each one. I think all the other configuration will not need to differ between the two, so I think running multiple instances of postfix would be overkill (?). I want to confirm that it would be possible/viable/advisable to simply create two smtpd processes in master.cf:

1.2.3.4:smtp inet n - n - - smtpd
  -o myhostname=mail.domainA.com
  -o mydomain=domainA.com
  -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
  -o smtpd_tls_key_file=/etc/postfix/domainA.key
4.3.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.domainB.com
  -o mydomain=domainB.com
  -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
  -o smtpd_tls_key_file=/etc/postfix/domainB.key

The rest of Postfix needs to know where it should deliver mail for mail.domainB.com, domainB.com, mail.domainA.com, and domainA.com.

Oh, perhaps I didn't make it clear that I have a whole bunch of other configuration in main.cf, which includes MySQL lookups for transport_maps and virtual_mailbox_maps. On a single IP address with one TLS certificate, it routes/accepts mail for domainA and domainB as needed. My assumption above is that as long as I don't override all the settings that make my mail delivery work with one IP/TLS certificate, I can just change what TLS certificate is offered up for each of my IP addresses.

Otherwise, the Postfix SMTP server will reject mail with relay access denied, and the Postfix SMTP client will reject mail with that mail loops back to myself.

Does my clarification above change your opinion about this? Why wouldn't mail for domainA and domainB be treated the same as before (when using just one IP/TLS cert) if I don't override any other settings?

I do not support configurations with multiple myhostname/mydomain settings (or multiple settings for any domain-like parameter that determines how Postfix handles email).

That's certainly fair. I can accept that I am stepping outside the use model with this and that maybe the sure bet would be to run multiple instances. I will, however, endeavor to test my idea and report back for others' edification if it works or not. Thank you, Wietse.

Note that the Postfix SMTP server does not make all decisions by itself. It relies on the trivial-rewrite service to decide how a domain should be handled. There is no official support for multiple domain personalities.

Right, I understand this is not as much a domain personality as it is a per-IP change. Thanks so very, very much.