How Do I Configure Multiple Domains and SSLs With Postfix?

Updated on 17 March 2020: Updated original documentation to include information from this thread → 6 - Self-signed SSL error on Outlook/Thunderbird - CyberPanel

In line with this post:

And this:

http://techslides.com/mail-server-for-multiple-domains-with-postfix

… I am trying to set up Postfix to allow multiple domain names and SSLs for the incoming mail server.

The issue arises when I try testing a secondary domain with this service:

https://www.checktls.com/TestReceiver?LEVEL=DETAIL&EMAIL=mail.secondarydomain.com

Unfortunately, it only defaults to my server’s main mail server’s SSL (mail.maindomain.com) and I would like it to switch to the appropriate one so the SSL certificate match-up test passes. What is considered best practice to do this with CyberPanel?

PS: Postfix now supports SNI. :wink:

PPS:

http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a101029

I see that CyberPanel currently has Postfix configured with smtpd_tls_cert_file and smtpd_tls_key_file. Per the documentation, however, with Postfix 3.4 and later, using the smtpd_tls_chain_files parameter is now the official preferred way:

http://www.postfix.org/postconf.5.html#smtp_tls_cert_file
http://www.postfix.org/postconf.5.html#smtp_tls_key_file
http://www.postfix.org/postconf.5.html#smtp_tls_chain_files

I got it working! @CyberPanel, let me know if you need help implementing this in the next release. It’s quite simple. Just follow what the user suggests here and it works perfectly:

http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a101029

I no longer have to use a custom MX record with my secondary domain!

Step 1: Comment out the top two lines and add the following lines to /etc/postfix/main.cf:

```
# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

# provide the primary certificate for the server, to be used for outgoing connections
smtpd_tls_chain_files =
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
```

Step 2: Create the file /etc/postfix/vmail_ssl.map with the following:

```
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed
```


Step 3: Run postmap -F hash:/etc/postfix/vmail_ssl.map.

Step 4: Run systemctl restart postfix.

Step 5: Now test your domains’ SSLs! For each of your domains, run the following command: openssl s_client -connect localhost:25 -servername mail.mydomainname.com -starttls smtp

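An added example (not from the thread or from CyberPanel) that automates Step 5 across every host in vmail_ssl.map: it parses the map in the format shown above, then performs the same STARTTLS handshake as openssl s_client with SNI set to each hostname and a default verifying context, so a host that is still being handed the primary certificate shows up as a verification failure. The map path /etc/postfix/vmail_ssl.map comes from the thread; the EHLO name sni-check.invalid is an assumption.

```python
import socket
import ssl

def parse_sni_map(text):
    """vmail_ssl.map text -> {host: (key_path, chain_path)}; '#' comments and blanks skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'host key chain'")
        host, key, chain = fields
        entries[host.lower()] = (key, chain)
    return entries

def _smtp_reply(sock):
    """Read one SMTP reply (multi-line aware), return its 3-digit code."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        data += chunk
        lines = data.split(b"\r\n")
        last = lines[-2] if len(lines) >= 2 else b""
        # "NNN text" ends the reply; "NNN-text" means more lines follow
        if len(last) == 3 or (len(last) > 3 and last[3:4] == b" "):
            return last[:3].decode()

def probe_sni(host, mx="localhost", port=25, timeout=10):
    """Step 5 for one host: STARTTLS to mx with SNI=host and let the default
    context verify chain and name. Returns (ok, SAN list or error text)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((mx, port), timeout=timeout) as sock:
        if _smtp_reply(sock) != "220":
            return False, "no 220 greeting"
        sock.sendall(b"EHLO sni-check.invalid\r\n")  # assumed client name
        if _smtp_reply(sock) != "250":
            return False, "EHLO rejected"
        sock.sendall(b"STARTTLS\r\n")
        if _smtp_reply(sock) != "220":
            return False, "STARTTLS refused"
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert().get("subjectAltName", ())
        except ssl.SSLCertVerificationError as exc:
            return False, str(exc)  # most likely still the primary cert
```

Read /etc/postfix/vmail_ssl.map, call probe_sni on each key of parse_sni_map, and any secondary host that returns False has not been picked up by tls_server_sni_maps (check the postmap -F step and the file paths first).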

@Hifihedgehog that's a great job, I was looking for this for so long!

I tried with 2 setups, 1 fresh and the other on my production server.

  1. Fresh server: even though I created the Mail and normal SSL, the folder /etc/letsencrypt/live/ is empty.

  2. For the production server I don't have any folder for mail.xxx, only for the main domains.

Do you have any idea what went wrong with my setup, or how I can fix it?

Thanks!

Actually, everything’s working and nothing’s the matter. If you are on any version of CyberPanel prior to 1.9.4, the mail domains are not created by default so you will need to create subdomains for them in CyberPanel and get SSLs/Let’s Encrypt for each of them. Only new apex/root domains created after installing CyberPanel 1.9.4 will automatically add the mail. subdomain and get the mail. SSL certificate for you. Hope that helps!

I am going to read through your efforts now, thanks.

As you suggested, I created the mail.xx subdomain with SSL.

Then I followed through to the end and all worked fine with the code you provided; the SSL handshake was made without any issues.

Then I tried to add it to Outlook. Unfortunately, mail.xxx couldn't create an SSL connection. The certificate still shows as the original mail server's primary domain.

Can you try to connect via Outlook etc. with SSL and let me know if it works?

Many thanks in advance!

@Hifihedgehog does this step go for mail.domain.com or the actual top-level domain such as domain.com?

For Dovecot it is for mail.domain.com because autodiscover tries to connect using this domain.

@Hifihedgehog

Sent you a message on CP Slack.

OK, I did some debugging, and the Postfix conf needs SSL for the hostname domain, such as mail.domain.com in this case.

Added to v1.9.4 → feature: SNI support for postfix · usmannasir/cyberpanel@e9a8e34 · GitHub

@CyberPanel

I just tested; the 2 lines below weren't commented out after the upgrade, the rest was OK.

```
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
```

Also, the primary domain SSL wasn't registered in /etc/postfix/vmail_ssl.map as @Hifihedgehog mentioned.

However, even after I followed exactly as mentioned, I can't connect with Outlook or any other software.

What I did:

I created 2 domains (a.com, b.com).

Created SSL for a.com and mail server SSL for mail.a.com.

Restarted the VM.

Tried to log in using Outlook with the mail server mail.b.com. SSL couldn't be found.

Generated MAIL SSL for mail.b.com, then it worked of course.

Then I generated again for mail.a.com, then it stopped working again for mail.b.com.

Seems like the original CyberPanel setup, no changes.

Please let me know @Hifihedgehog if with your setup it works with outlook or any other mail app.

Thank you!

@usmannasir said:
I am going to read through your efforts now, thanks.

You’re welcome! Sorry for missing your replies on Slack. Glad it seems to have worked out well!

@Zalcig said:

Please let me know @Hifihedgehog if with your setup it works with outlook or any other mail app.

Thank you!

Yes, it does. Confirmed with both Outlook desktop (Windows) and Outlook mobile (iOS).

@CyberPanel said:
@Hifihedgehog does this step go for mail.domain.com or the actual top-level domain such as domain.com?

For Dovecot it is for mail.domain.com because autodiscover tries to connect using this domain.

Yep, I used the mail. subdomain. :slight_smile:

@Zalcig:

You are getting an insecure message because your server is failing to pick up the certificates for one reason or another. Some possibilities:

  1. You don’t have this correct in your Postfix main.cf configuration file:

     ```
     # smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
     # smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

     # provide the primary certificate for the server, to be used for outgoing connections
     smtpd_tls_chain_files =
         /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
         /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
     ```

  2. You need to renew your mail server SSL certificate because either (a) you made too many renewal requests and therefore you are locked out and will have to wait a couple of days before being able to, or (b) it is outdated.

Because of this discussion, starting from 1.9.4 CyberPanel automatically creates a child domain and a sub-folder under public_html.

I have a suggestion (I talked about that on Discord too): add a context wrapper to the child domain, OR make it dedicated to mail domains, something like this:

```
# add context rule to any mail child-domain (under VH_ROOT)
context /.well-known-wrapper {
  location $VH_ROOT/.well-known-wrapper
  allowBrowse 1
}
```

```
# point the verification to the virtual place
./acme.sh --issue -d mail.example.com -w /home/example.com/.well-known-wrapper
```

Done. We have SSL verification without a sub-folder under public_html.