Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Topics - uxs

Pages: [1]
1
E-Mail / postfix SNI
« on: August 23, 2021, 02:38:26 PM »
After giving my CWP Server SNI for dovecot (see here https://forum.centos-webpanel.com/index.php?topic=11155.0) I worked on doing the same for postfix. Same OS/Environment: proxmox lxc container with centos 8

First we need to set up Postfix with a basic cert which kicks in when no SNI is triggered.
I used the self signed cert which was already there after setting up CWP:

/etc/pki/tls/certs/mailer.cwpserver.eu.crt
 /etc/pki/tls/certs/ca-bundle.crt


and combined it in:
cat /etc/pki/tls/certs/mailer.cwpserver.eu.crt /etc/pki/tls/certs/ca-bundle.crt > /etc/pki/tls/certs/mailer.cwpserver.eu.full_chain.pem

That last pem and the key file you add at the end of /etc/postfix/main.cf:
...
smtpd_tls_chain_files = /etc/pki/tls/private/mailer.cwpserver.eu.key /etc/pki/tls/certs/mailer.cwpserver.eu.full_chain.pem

additionally we also add in main.cf the file for SNI:
tls_server_sni_maps = hash:/etc/postfix/sni

In that file (/etc/postfix/sni) you add your domains and the keys and certs like this
<domain><key><certs>
e.g.
domain2.eu /etc/pki/tls/private/domain2.eu.key /etc/pki/tls/certs/domain2.eu.fullchain

domain2.eu.fullchain is created via:
cd /etc/pki/tls/certs/
cat domain2.eu.cert domain2.eu.bundle > domain2.eu.fullchain


finally you have to create the map:
postmap -F hash:/etc/postfix/sni

and restart postfix:
service postfix restart

like with dovecot it is not automatically renewed - I am working on some scripts to do that in the future


2
Dovecot / dovecot SNI
« on: August 11, 2021, 04:41:29 PM »
If you want to add SNI to your dovecot configuration:
(this was made on a proxmox lxc container with centos 8 )

my dovecot configuration didn't include the files in /etc/dovecot/conf.d but there are about 30 files which I didn't want to include to avoid breaking other things. so I created a new directory:
mkdir /etc/dovecot/myconf.d
then added a line to the end of  /etc/dovecot/dovecot.conf:
!include myconf.d/*.conf

in /etc/dovecot/myconf.d you create a file which will reference the certs for one of your domains:
I did:
cd /etc/dovecot/myconf.d
vi 14-domain2.conf

and the file looks like this:
local_name domain2.eu {
  ssl_cert = </etc/pki/tls/certs/domain2.eu.pem
  ssl_key = </etc/pki/tls/certs/domain2.eu.pem
}


the file /etc/pki/tls/certs/domain2.eu.pem doesnt exist yet, you can create it like this:
cat /etc/pki/tls/private/domain2.eu.key /etc/pki/tls/certs/domain2.eu.cert /etc/pki/tls/certs/domain2.eu.bundle > /etc/pki/tls/certs/domain2.eu.pem

thats probably not the most elegant way, but it works ;)
also when the lets encrypt certs are renewed, you have to renew the *.pem files manually
will check if there is a more automatic way...
any suggestions welcome.

Pages: [1]