Re: Different SSL certificate per virtual domain

[Peter]

On 2/06/19 7:07 PM, Durga Prasad Malyala wrote:

Option-2
or (1.1) use repo like Remi - Dont know the impact on other packages.
I don't want any other package to be impacted un-neccesarily.


Assuming you're referring to CentOS 7 you can get them from GhettoForge 
(GhettoForge has postfix 3.3 for CentOS 6 but due to a newer openssl 
requirement will not have 3.4 or newer.


Postfix 3.4 is currently in the gf-testing repo, although I have plans 
to move them to gf-plus later this week:


Unfortunately the GF main site is currently down (working on it) but the 
mirror and repository are working.  There are google cache copies 
available for the relevant pages that you will need from the site:


http://webcache.googleusercontent.com/search?q=cache:A5RZ0nG5UP0J:ghettoforge.org/index.php/Usage+=1=en=clnk=nz=firefox-b-e

http://webcache.googleusercontent.com/search?q=cache:JmE1tzw6qqYJ:ghettoforge.org/index.php/Postfix3+=1=en=clnk=nz=firefox-b-e

With this version you will have SNI support.


Peter

Re: Different SSL certificate per virtual domain

[Kris Deugau]

Viktor Dukhovni wrote:

Google and Microsoft deliver outbound mail for hundreds
of thousands of domains from a common pool of outbound
names.  Nobody seems to mind.


Some of us do mind, but there's really nothing we can do about it 
because any spam-control measures we might try would block far too much 
mail that our customers want to receive.


Realistically, many other mail systems also relay mail on behalf of many 
apparently unrelated domains;  it's rare to have a valid use case for 
really truly requiring mail for a given domain to be (apparently) 
running on its own dedicated system.


-kgd

Re: Different SSL certificate per virtual domain

[Viktor Dukhovni]

> On Jun 2, 2019, at 8:10 AM, Wietse Venema  wrote:
> 
>> Assuming I want to go the safer older way of using stock RPMs form the
>> distribution (Centos in this case) and use two different IPs for the
>> postfix instance - then ideally while sending outgoing mail I have to
>> ensure that the mails go out from the respective IP of that domain
>> right.
> 
> If you can use separate IP addresses, then you do not need SNI.

And there's no need to restrict outbound traffic to separate IPs:

; DNS data from various zone files
;
mail.primary.example. IN A 192.0.2.1
mail.primary.example. IN A 192.0.2.2
1.2.0.192.in-addr.arpa. IN PTR mail.primary.example.
2.2.0.192.in-addr.arpa. IN PTR mail.primary.example.
;
; Ideally, just use mail.primary.example as the MX host
; for all the domains!  Per-domain MX host names are
; more trouble than they're worth!  Then just get a
; certificate for mail.primary.example. and be done.
;
virtual1.example. IN MX mail.virtual1.example.
mail.virtual1.example. IN A 192.0.2.1
;
; See above
;
virtual2.example. IN MX mail.virtual2.example.
mail.virtual2.example. IN A 192.0.2.2

but, if you must have per-domain MX hosts, you can still
have a single certificate for all the names, and avoid SNI.
But, if for some unexpectedly compelling reason you MUST
have separate certificates, then go ahead, but use a single
underlying hostname as "smtp_helo_name = $myhostname", and
map the PTRs for both IPs to that name, just in case some
anti-abuse systems get very picky and want your HELO name
to match the PTR.

Splitting the outbound traffic is a lot more work, since
then you need two separate Postfix instances each with
its own smtp_bind_address, rather than just two separate
entries in master.cf for inbound traffic, if a single
outbound "personality" is enough.

Google and Microsoft deliver outbound mail for hundreds
of thousands of domains from a common pool of outbound
names.  Nobody seems to mind.

-- 
Viktor.

Re: Different SSL certificate per virtual domain

[Wietse Venema]

Durga Prasad Malyala:
> Option-3
> Assuming I want to go the safer older way of using stock RPMs form the
> distribution (Centos in this case) and use two different IPs for the
> postfix instance - then ideally while sending outgoing mail I have to
> ensure that the mails go out from the respective IP of that domain
> right.

If you can use separate IP addresses, then you do not need SNI.

Wietse

Re: Different SSL certificate per virtual domain

[Durga Prasad Malyala]

On Sun, 2 Jun 2019 at 02:02, Viktor Dukhovni  wrote:
>
> On Sat, Jun 01, 2019 at 06:24:27PM +0530, Durga Prasad Malyala wrote:
>
> > I've googled but a bit confused.
> > I have a server with an IP hosting two different virtual domains.
> > Both domains need to have their individual SSL certificate like
> > mail.domain1.com and mail.domain2.com to download and send the same.
> > Is it possible in Postfix if I have only one public IP and achieve same?
> > Can you guide me to some links if possible.
>
> This requires at least Postfix 3.4, which is the latest stable
> Postfix release.  You may need to build Postfix 3.4.5 from source,
> if your O/S does not provide a Postfix 3.4.5 package (O/S packages
> may call it 3.4.0, even when patches 1–5 are applied).
>
> --
> Viktor.

Thanks Viktor.
I'm debating whether to stick to the RPM way of things.  To summarise
- we have Three options.
Option-1
(1) Install by compiling Latest version of Postfix from source. I got
burned in the past while upgrading other software since the
dependencies gave lot of trouble. so this is my lease preferred mode.
Also due to many frequent security related updates now-a-days - I
generally prefer this the least.
Option-2
or (1.1) use repo like Remi - Dont know the impact on other packages.
I don't want any other package to be impacted un-neccesarily.
Option-3
Assuming I want to go the safer older way of using stock RPMs form the
distribution (Centos in this case) and use two different IPs for the
postfix instance - then ideally while sending outgoing mail I have to
ensure that the mails go out from the respective IP of that domain
right.
I've found these documents - is this OK?
https://lxadm.com/Postfix_and_multiple_SSL_certificates
https://www.kutukupret.com/2010/01/02/postfix-bind-sender-domain-to-dedicated-outgoing-ip-address/

If someone can comment on these three options maybe I can document
this somewhere for future and reference to others.

- Regards
DP

Re: Different SSL certificate per virtual domain

[Viktor Dukhovni]

On Sat, Jun 01, 2019 at 06:24:27PM +0530, Durga Prasad Malyala wrote:

> I've googled but a bit confused.
> I have a server with an IP hosting two different virtual domains.
> Both domains need to have their individual SSL certificate like
> mail.domain1.com and mail.domain2.com to download and send the same.
> Is it possible in Postfix if I have only one public IP and achieve same?
> Can you guide me to some links if possible.

This requires at least Postfix 3.4, which is the latest stable
Postfix release.  You may need to build Postfix 3.4.5 from source,
if your O/S does not provide a Postfix 3.4.5 package (O/S packages
may call it 3.4.0, even when patches 1–5 are applied).

-- 
Viktor.

Re: Different SSL certificate per virtual domain

[Durga Prasad Malyala]

Thank you.
Let me check and get back to you.

Cheers/DP

On Sat, Jun 1, 2019, 18:39 Matt Anton  wrote:

> On 1 Jun 2019, at 14:54, Durga Prasad Malyala wrote:
>
> > Hello All,
>
> Hello,
>
> > I've googled but a bit confused.
> > I have a server with an IP hosting two different virtual domains.
> > Both domains need to have their individual SSL certificate like
> > mail.domain1.com and mail.domain2.com to download and send the same.
> > Is it possible in Postfix if I have only one public IP and achieve same?
> > Can you guide me to some links if possible.
> > Thanks/DP
>
> postconf’s manage has all you need to know to implement SNI support: <
> http://www.postfix.org/postconf.5.html#tls_server_sni_maps>
>
> But if this isn’t enough, there were in march 2019 excellent posts by
> Viktor and MK on the list detailing what’s to be done to achieve this:
>
> Viktor’s quote: <
> http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-tp100786p100802.html
> >
>
> MK’s quote: <
> http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a100819
> >
>
> hth
>
> --
> matt [at] lv223.org
> GPG key ID: 7D91A8CA
>

Re: Different SSL certificate per virtual domain

[Matt Anton]

On 1 Jun 2019, at 14:54, Durga Prasad Malyala wrote:

> Hello All,

Hello,

> I've googled but a bit confused.
> I have a server with an IP hosting two different virtual domains.
> Both domains need to have their individual SSL certificate like
> mail.domain1.com and mail.domain2.com to download and send the same.
> Is it possible in Postfix if I have only one public IP and achieve same?
> Can you guide me to some links if possible.
> Thanks/DP

postconf’s manage has all you need to know to implement SNI support: 


But if this isn’t enough, there were in march 2019 excellent posts by Viktor 
and MK on the list detailing what’s to be done to achieve this:

Viktor’s quote: 


MK’s quote: 


hth

-- 
matt [at] lv223.org
GPG key ID: 7D91A8CA


signature.asc
Description: OpenPGP digital signature

Different SSL certificate per virtual domain

[Durga Prasad Malyala]

Hello All,
I've googled but a bit confused.
I have a server with an IP hosting two different virtual domains.
Both domains need to have their individual SSL certificate like
mail.domain1.com and mail.domain2.com to download and send the same.
Is it possible in Postfix if I have only one public IP and achieve same?
Can you guide me to some links if possible.
Thanks/DP