Created by: taichung on 12/01/2011
Linux Drupal Pinephone Freerunner Android

Posts from April 2024

Multiple SSL certificates for Postfix & Dovecot with Let's Encrypt

Post no. 81 published on 02 April 2024 by taichung

I needed to configure my email server for 2 different domains (not subdomains), and therefore with 2 different SSL certificates, and found out that it is possible to use Let's Encrypt certificates (which I already have and use for other services). I assume that the Let's Encrypt certificates are installed in the default folder /etc/letsencrypt/live/domain_name/
I use the same domain's certificate for both Postfix and Dovecot. In other words, I would have, for example:
- example.net.pem for Postfix and Dovecot of the example.net domain,
- example.com.pem for Postfix and Dovecot of the example.com domain.

For Dovecot, edit /etc/dovecot/conf.d/10-ssl.conf, adding a default server and another one (or 2, 3...):

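# Default mail server: "example.net"
# The leading "<" tells Dovecot to read the value from the named file
ssl_cert = </etc/letsencrypt/live/example.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/example.net/privkey.pem
# 2nd mail server: "example.com"
# local_name must match the host name the client requests via SNI
local_name mail.example.com {
    ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
}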



For Postfix > 3.4.0, you need to modify /etc/postfix/main.cf. If you already have a single Let's Encrypt SSL certificate configured, comment out the 2 lines that look like the following:
#smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
#smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem

Then add the following:
# primary (default) key and certificate chain of the SMTP server, presented
# to connecting clients when no SNI name is sent or none matches the map below
smtpd_tls_chain_files =
 /etc/letsencrypt/live/example.net/privkey.pem,
 /etc/letsencrypt/live/example.net/fullchain.pem

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map


Save the file, then create the new file /etc/postfix/vmail_ssl.map with the following content:

# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line, for the 2nd, 3rd, etc. mail servers. Don't list the default mail server here!
example.com
 /etc/letsencrypt/live/example.com/privkey.pem
 /etc/letsencrypt/live/example.com/fullchain.pem

 
Save and exit, then run:

$ postmap -F hash:/etc/postfix/vmail_ssl.map
You need to run the above command every time the certificate changes, that is, whenever you renew it.

Finally, restart the postfix, dovecot and saslauthd services.
Test the new configuration with:
$ openssl s_client -connect localhost:25 -servername example.com -starttls smtp


and with:
$ openssl s_client -connect localhost:25 -servername example.net -starttls smtp
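
An added example, not part of the original post: postmap -F stores the contents of the key and certificate files inside the compiled map, so a renewed certificate is not served until the map is rebuilt. The check below flags that case; the function names and exit codes are this example's own, and it assumes the hash: map type, which writes vmail_ssl.map.db next to the source file.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the hash: map type,
# for which postmap writes the compiled map to <map>.db.

# Print each key/certificate path named in the map source, one per line.
# Comment lines are skipped; a path is any field starting with "/".
sni_map_files() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' "$1"
}

# Return 0 if the compiled map is current, 1 if it is stale (a key,
# certificate or the map source changed after the last postmap -F),
# 2 if the compiled map or a referenced file is missing.
check_sni_map() {
    map=$1
    db="$1.db"
    rc=0
    if [ ! -f "$db" ]; then
        echo "not compiled yet: $db" >&2
        return 2
    fi
    for f in $(sni_map_files "$map"); do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 2
        elif [ "$f" -nt "$db" ]; then
            echo "changed since last postmap -F: $f" >&2
            rc=1
        fi
    done
    if [ "$map" -nt "$db" ]; then
        echo "map source edited since last postmap -F" >&2
        rc=1
    fi
    return "$rc"
}

# Run as: sh check_sni_map.sh /etc/postfix/vmail_ssl.map
# (the script name is hypothetical); with no argument it only defines
# the functions.
if [ $# -gt 0 ]; then
    check_sni_map "$1"
fi
```

An exit status of 1 means the postmap -F command above has to be run again, followed by a restart of postfix.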

 

Sources:
https://serverfault.com/questions/920436/set-up-certs-for-multiple-domains-in-postfix-and-dovecot
https://serverfault.com/questions/928926/postfix-multi-domains-and-multi-certs-on-one-ip
http://www.postfix.org/postconf.5.html#tls_server_sni_maps

 