> On Dec 17, 2016, at 6:33 AM, Mark Constable <ma...@renta.net> wrote:
>
> a) how to make postfix listen for different domains on different IPs?
>
> b) how to configure separate SSL certs for each of these IPs?
The postfix master.cf(5) file (see <http://www.postfix.org/master.5.html>)
supports multiple "inet" service instances:

    inet   The service listens on a TCP/IP socket and is accessible via
           the network.  The service name is specified as host:port,
           denoting the host and port on which new connections should be
           accepted.  The host part (and colon) may be omitted.  Either
           host or port may be given in symbolic form (see hosts(5) or
           services(5)) or in numeric form (IP address or port number).
           Host information may be enclosed inside "[]"; this form is
           necessary only with IPv6 addresses.

           Examples: a service named 127.0.0.1:smtp or ::1:smtp receives
           mail via the loopback interface only; and a service named
           10025 accepts connections on TCP port 10025 via all interfaces
           configured with the inet_interfaces parameter.

           Note: with Postfix version 2.2 and later specify
           "inet_interfaces = loopback-only" in main.cf, instead of
           hard-coding loopback IP address information in master.cf or
           in main.cf.

Once you have per-IP instances of "<ip>:smtp inet ... smtpd" (or
postscreen), you can customize the behaviour of these instances via
"-o parameter=value" options.  In the case of smtpd(8), you can override
the "smtpd_tls_cert_file" and "smtpd_tls_key_file" parameters to select
the appropriate per-IP certificate chain and private key.  A common
practice is to use:

    -o smtpd_tls_cert_file=$example_com_cert_file

and the like with the actual values in main.cf:

    example_com_cert_file = ${config_directory}/example.com.pem

In the case of postscreen(8), you'd associate each postscreen(8) instance
with a corresponding "smtpd-example.com pass .. smtpd" instance via:

    -o smtpd_service_name=smtpd-example.com

And configure each "smtpd-<instance_name> pass ... smtpd" service with
overrides as above.  You'll also need a per-instance "tlsproxy" service
configured via

    -o tlsproxy_service_name=tlsproxy-example.com

and a corresponding "tlsproxy-example.com unix ... tlsproxy" service with
cert_file/key_file overrides.  This is needed to allow the proxy to
capture the message envelope for logging of connections that are
rejected and/or doing "deep protocol tests".  The tlsproxy overrides are:

    -o tlsproxy_tls_cert_file=...
    -o tlsproxy_tls_key_file=...

Good luck.  My advice is to use a single MX hostname to serve multiple
domains, and avoid all this needless complexity.

  * Just one certificate to manage
  * No need to use up an IP address per domain
  * Much simpler DANE support if you decide to do that
  * Much simpler configuration

Seriously, *DO NOT* needlessly use separate names for the MX hosts of
domains served by a shared underlying set of servers.

That said, there is a more reasonable use case for separate domain names
for co-hosted port 587/465 submission services.  In that case the more
complex postscreen scenario is out of scope and the per-IP services are
for ports 587/465.

The above should be sufficient to get you under way.

-- 
	Viktor.
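As an added illustration (not Viktor's configuration, and not from the Postfix documentation), here is what the per-IP "-o" override pattern he describes looks like for the submission-port case he considers reasonable. It assumes two listener addresses from the documentation range (192.0.2.10 and 192.0.2.11), the domains example.com and example.net, and certificate files under ${config_directory}/certs; all of these are placeholders.

```conf
# ---- master.cf additions (constructed example; addresses and domains
# ---- are documentation placeholders, not real hosts) ----
#
# Each per-IP submission listener selects its own TLS chain and key via
# main.cf parameters, using the "-o parameter=$value" pattern above.
# Assumes main.cf "inet_interfaces" covers both addresses (or is "all"),
# and that the stock all-interfaces "submission inet ..." entry is left
# commented out so that only these per-IP entries listen on port 587.
#
# service              type private unpriv chroot wakeup maxproc command
192.0.2.10:submission  inet n       -      n      -      -       smtpd
  -o syslog_name=postfix/sub-example.com
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=$example_com_cert_file
  -o smtpd_tls_key_file=$example_com_key_file
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

192.0.2.11:submission  inet n       -      n      -      -       smtpd
  -o syslog_name=postfix/sub-example.net
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=$example_net_cert_file
  -o smtpd_tls_key_file=$example_net_key_file
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# ---- main.cf additions: the per-domain chain/key files referenced above
# Each .pem holds the leaf certificate followed by its intermediate chain;
# each .key file should be readable by root only.
example_com_cert_file = ${config_directory}/certs/example.com.pem
example_com_key_file  = ${config_directory}/certs/example.com.key
example_net_cert_file = ${config_directory}/certs/example.net.pem
example_net_key_file  = ${config_directory}/certs/example.net.key
```

After editing, "postconf -Mf" shows the resulting master.cf entries and "postconf -n" confirms the user-defined *_cert_file and *_key_file parameters; the distinct syslog_name values make each domain's submission traffic easy to separate in the mail log.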