
Topics - uxs

E-Mail / postfix SNI
« on: August 23, 2021, 02:38:26 PM »
After giving my CWP server SNI for Dovecot (see here), I worked on doing the same for Postfix. Same OS/environment: Proxmox LXC container with CentOS 8.

First we need to set up Postfix with a basic cert which kicks in when no SNI is triggered.
I used the self-signed cert which was already there after setting up CWP:


and combined it in:
cat /etc/pki/tls/certs/ /etc/pki/tls/certs/ca-bundle.crt > /etc/pki/tls/certs/

That last pem and the key file you add at the end of /etc/postfix/
smtpd_tls_chain_files = /etc/pki/tls/private/ /etc/pki/tls/certs/

Additionally, we also add in the file for SNI:
tls_server_sni_maps = hash:/etc/postfix/sni

In that file (/etc/postfix/sni) you add your domains and the keys and certs like this:
e.g. /etc/pki/tls/private/ /etc/pki/tls/certs/ is created via:
cd /etc/pki/tls/certs/
cat >

Finally, you have to create the map:
postmap -F hash:/etc/postfix/sni

and restart Postfix:
service postfix restart

Like with Dovecot, it is not automatically renewed - I am working on some scripts to do that in the future.

Dovecot / dovecot SNI
« on: August 11, 2021, 04:41:29 PM »
If you want to add SNI to your dovecot configuration:
(This was made on a Proxmox LXC container with CentOS 8.)

My Dovecot configuration didn't include the files in /etc/dovecot/conf.d, but there are about 30 files which I didn't want to include, to avoid breaking other things. So I created a new directory:
mkdir /etc/dovecot/myconf.d
Then I added a line to the end of /etc/dovecot/dovecot.conf:
!include myconf.d/*.conf

In /etc/dovecot/myconf.d you create a file which will reference the certs for one of your domains. I did:
cd /etc/dovecot/myconf.d
vi 14-domain2.conf

and the file looks like this:
local_name {
  ssl_cert = </etc/pki/tls/certs/
  ssl_key = </etc/pki/tls/certs/

The file /etc/pki/tls/certs/ doesn't exist yet; you can create it like this:
cat /etc/pki/tls/private/ /etc/pki/tls/certs/ /etc/pki/tls/certs/ > /etc/pki/tls/certs/

That's probably not the most elegant way, but it works ;)
Also, when the Let's Encrypt certs are renewed, you have to renew the *.pem files manually.
Will check if there is a more automatic way...
Any suggestions welcome.
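Both posts above end with the same open point: the combined PEM files, the Postfix SNI map and the Dovecot local_name entries are rebuilt by hand after every Let's Encrypt renewal. The script below is an added example, not code from either post and not part of CWP, Postfix or Dovecot, of a renewal hook that regenerates all three from one list of hostnames and then runs postmap -F as the Postfix post does. The input layout (/etc/letsencrypt/live/<domain>/privkey.pem and fullchain.pem), the output directory, the 20-sni.conf file name under myconf.d and the domain-list file are assumptions; point them at wherever CWP actually writes its certificates.

```shell
#!/bin/sh
# Added example: regenerate the SNI material for Postfix and Dovecot from a domain list.
# Not from the forum posts or from CWP. All paths below are assumptions (placeholders).
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt/live}"             # assumed: <domain>/privkey.pem, fullchain.pem
OUT_DIR="${OUT_DIR:-/etc/pki/tls/certs/sni}"           # assumed: combined key+chain PEMs go here
SNI_MAP="${SNI_MAP:-/etc/postfix/sni}"                 # source file of tls_server_sni_maps (as in the post)
DOVECOT_CONF="${DOVECOT_CONF:-/etc/dovecot/myconf.d/20-sni.conf}"  # assumed name inside myconf.d

# build_chain_pem KEY CHAIN OUT
# Writes the private key first, then the leaf cert and its chain, into one file.
# That order is what Postfix chain files expect and Dovecot accepts. The file holds
# a private key, so it is created with mode 0600, and it is written to a temp name
# and renamed so a half-written file is never picked up by a reload.
build_chain_pem() {
  key="$1"; chain="$2"; out="$3"
  [ -r "$key" ] || { echo "missing key: $key" >&2; return 1; }
  [ -r "$chain" ] || { echo "missing cert chain: $chain" >&2; return 1; }
  ( umask 077; cat "$key" "$chain" > "$out.tmp" )
  mv "$out.tmp" "$out"
}

# key_matches_cert KEY CERT: returns non-zero if the public keys differ
# (catches a renewed cert paired with a stale key). Needs the openssl CLI.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# sni_map_line NAME PEM: one line of the tls_server_sni_maps source file.
# "postmap -F" opens the file named in the value and stores its contents in the map.
sni_map_line() {
  printf '%s %s\n' "$1" "$2"
}

# dovecot_local_name NAME PEM: the local_name block from the Dovecot post, with
# ssl_cert and ssl_key both pointing at the combined file.
dovecot_local_name() {
  printf 'local_name %s {\n  ssl_cert = <%s\n  ssl_key = <%s\n}\n' "$1" "$2" "$2"
}

# regenerate DOMAINS_FILE: one hostname per line; blank lines and # comments are ignored.
# Rewrites the map source and the Dovecot config atomically, then rebuilds the hash map.
regenerate() {
  domains="$1"
  mkdir -p "$OUT_DIR" "$(dirname "$SNI_MAP")" "$(dirname "$DOVECOT_CONF")"
  : > "$SNI_MAP.tmp"
  : > "$DOVECOT_CONF.tmp"
  while IFS= read -r name; do
    case "$name" in ''|'#'*) continue ;; esac
    pem="$OUT_DIR/$name.pem"
    build_chain_pem "$LE_DIR/$name/privkey.pem" "$LE_DIR/$name/fullchain.pem" "$pem"
    sni_map_line "$name" "$pem" >> "$SNI_MAP.tmp"
    dovecot_local_name "$name" "$pem" >> "$DOVECOT_CONF.tmp"
  done < "$domains"
  mv "$SNI_MAP.tmp" "$SNI_MAP"
  mv "$DOVECOT_CONF.tmp" "$DOVECOT_CONF"
  # Only build the .db where Postfix is actually installed.
  if command -v postmap >/dev/null 2>&1; then
    postmap -F "hash:$SNI_MAP"
  fi
}

# Run as a deploy hook: ./sni-regen.sh /etc/sni-domains.txt (assumed list file).
[ "$#" -eq 0 ] || regenerate "$1"
```

After the script has run, reload Postfix and Dovecot as the posts do (service postfix restart, or postfix reload and doveadm reload). Run key_matches_cert on each renewed pair before deploying if openssl is available; a mismatched key and cert is the usual reason a renewed SNI entry silently fails the TLS handshake.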
