Author Topic: Postfix SNI - Email SSL for each domain than Server hostname  (Read 9918 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Postfix SNI - Email SSL for each domain than Server hostname
« on: October 05, 2020, 04:53:53 PM »
What i am trying to achieve is, each domain can connect to mail server with its respective SSL domain irrespective of hostname
for e.g. abc.com connect to imap and smtp using mail.abc.com on SSL

However, whenever a client connects to mail.abc.com, the server responds with server main hostname SSL.

Please know that, http SSL certificate works fine on server hostname and abc.com properly, this issue is with e-mail.

Background:
New install of CWP with everything updated
Postfix mail_version = 3.4.7
Domain and certificate key mapping is found in File: /etc/postfix/vmail_ssl.map
Tried rebuilding mail server configuration, it doesnt work
All services are installed in CWP control panel --> SSL Certificates option

Need help with resolving this.



Offline
*****
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #1 on: October 06, 2020, 03:28:20 AM »
you need to install admin services ssl from free ssl manager. i.e.
mail.domain.com

Offline
*
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #2 on: October 06, 2020, 04:54:44 AM »
As I have already mentioned within Background details, all services, specifically mail is installed for each of the domain domain.

Offline
*
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #3 on: October 06, 2020, 11:05:13 AM »
you need to test your mail service connection, you can google for many different types of tests, like simple ones using openssl

Code: [Select]
openssl s_client -servername mail.domain.com -connect mail.domain.com:pop3s
openssl s_client -connect localhost:25 -servername servername.otherdom.com -starttls smtp
VPS & Dedicated server provider with included FREE Managed support for CWP.
http://www.studio4host.com/

*** Don't allow that your server or website is down, choose hosting provider with included expert managed support for your CWP.

Offline
*
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #4 on: October 06, 2020, 07:22:12 PM »
Thanks for your response.

For the openssl commands,
openssl s_client -servername mail.domain.com -connect mail.domain.com:pop3s
This returns the server hostname instead of the client - mail.domain.com etc.

openssl s_client -connect localhost:25 -servername servername.otherdom.com -starttls smtp
This returns the correct client domain name mail.domain.com etc.

Offline
*
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #5 on: October 25, 2021, 06:08:27 PM »
Hello, did you find a solution in the end?

Offline
****
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #6 on: October 25, 2021, 08:10:52 PM »
There are certain steps you need to do to get this working, starting with giving your mail record a DNS A record.

Let me know if you still need help getting this setup.

Offline
*
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #7 on: October 25, 2021, 08:57:48 PM »
If you can give me some guidance, at least to check that I have things right.

Offline
****
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #8 on: October 27, 2021, 02:36:39 AM »
We have it setup so the domain has:

MX 0 mail.domain.com
mail A 123.123.123.123

Then under the SSL, it has the mail service enable so it creates a mail.domain.com

That should be all.

Offline
*
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #9 on: June 25, 2022, 04:41:28 PM »
Did you manage to resolve the situation?
I'm in the same dilemma, I configured the server and everything is working ok, but with only 1 domain. When I create another domain, I generate SSL certificate for mail but when configuring outlook it doesn't work and in the test https://www.checktls.com/TestReceiver it shows me in the certificate in the cert table it shows failed. Any solution or tip?

Offline
****
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #10 on: June 25, 2022, 05:28:43 PM »
Do you have your MX and mail A record correctly setup as above?

You can check it at, once everything is configured correctly: https://www.mail-tester.com/

Offline
*
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #11 on: June 27, 2022, 08:55:37 AM »
Thanks for answering.
About having the MX and mail A record set up correctly as above?
Yes, we did. Finally, we solved it like this:
Step 1: Comment out the first two lines and add the following lines to /etc/postfix/main.cf:

smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
provide the primary certificate to the server, to be used for outbound connections

smtpd_tls_chain_files =
/etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
/etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
** Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
Restart Postfix. Anyway, our SNI service was not configured correctly. As soon as I get another VPS I'll do a step by step on this service that we use a lot here. We still have some clients that use Outlook and other email managers, so we need to run over SSL to be a little more secure. The most difficult thing here in my case was to find out about the SNI service, then it was just a matter of paying close attention to the process.

Offline
****
Re: Postfix SNI - Email SSL for each domain than Server hostname
« Reply #12 on: June 27, 2022, 12:35:53 PM »
Glad you found a fix for your system. But you listed only SMTP, not about POP/IMAP.

Thankfully we didn't need to do all that on any of our servers.

Our clients use a mix of Outlook, Windows Mail, and Thunderbird (What we recommend).
All with SSL/TLS on incoming & outgoing emails your their own domain names.