
How Do I Configure Multiple Domains and SSLs With Postfix?

Updated on 17 March 2020: Updated original documentation to include information from this thread -> https://cyberpanel.net/docs/6-self-signed-ssl-error-on-outlook-thunderbird/

In line with this post:

https://cyberpanel.net/docs/6-self-signed-ssl-error-on-outlook-thunderbird/

And this:

http://techslides.com/mail-server-for-multiple-domains-with-postfix

... I am trying to set up Postfix to allow multiple domain names and SSLs for the incoming mail server.

The issue arises when I try testing a secondary domain with this service:

https://www.checktls.com/TestReceiver?LEVEL=DETAIL&EMAIL=mail.secondarydomain.com

Unfortunately, it only defaults to my server's main mail server's SSL (mail.maindomain.com) and I would like it to switch to the appropriate one so the SSL certificate match-up test passes. What is considered best practice to do this with CyberPanel?

Comments

  • PS: Postfix now supports SNI. ;)

    https://serverfault.com/a/996358
  • PPS:

    http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a101029
  • edited January 29
    I see that CyberPanel currently has Postfix configured with smtpd_tls_cert_file and smtpd_tls_key_file. Per the documentation, however, with Postfix 3.4 and later, using the smtpd_tls_chain_files parameter is now the official preferred way:

    http://www.postfix.org/postconf.5.html#smtp_tls_cert_file
    http://www.postfix.org/postconf.5.html#smtp_tls_key_file
    http://www.postfix.org/postconf.5.html#smtp_tls_chain_files
  • I got it working! @CyberPanel, let me know if you need help implementing this in the next release. It's quite simple. Just follow what the user suggests here and it works perfectly:

    http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a101029

    I no longer have to use a custom MX record with my secondary domain!
  • Step 1: Comment out the top two lines and add the following lines to /etc/postfix/main.cf:

    ---
    # smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    # smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

    # provide the primary certificate for the server, to be used for outgoing connections
    smtpd_tls_chain_files =
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem

    # provide the map to be used when SNI support is enabled
    tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
    ---

    Step 2: Create the file /etc/postfix/vmail_ssl.map with the following:

    ---
    # Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
    # One host per line
    mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
    mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
    # add more domains with keys and certs as needed
    ---

    Step 3: Run postmap -F hash:/etc/postfix/vmail_ssl.map.

    Step 4: Run systemctl restart postfix.

    Step 5: Now test your domains' SSLs! For each of your domains, run the following command: openssl s_client -connect localhost:25 -servername mail.mydomainname.com -starttls smtp
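    The steps above, as an added example that is not from this thread or from CyberPanel: a small Python checker for the vmail_ssl.map table to run before postmap -F, plus a STARTTLS probe that does what the openssl s_client step does (connect, STARTTLS, send a chosen SNI name, then verify the served chain against that name). The host names mail.primary.example and friends, the placeholder PEM files and the EHLO name sni-check.invalid are constructed for the demo; select_chain models the Postfix behaviour the thread keeps running into, namely that an SNI name missing from the map (or a client that sends no SNI at all) is served the smtpd_tls_chain_files default, i.e. the primary domain's certificate. The key-before-cert ordering check reflects the Postfix requirement that a private key precede its certificate in these file lists.

```python
"""Offline checks for a Postfix tls_server_sni_maps table, plus a live STARTTLS/SNI probe."""
import re
import socket
import ssl
import tempfile
from pathlib import Path

HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def parse_sni_map(text):
    """Parse 'host keyfile certfile' lines into {host: (keyfile, certfile)}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'host keyfile certfile'")
        host = parts[0].lower()
        if not HOSTNAME_RE.match(host) or host in entries:
            raise ValueError(f"line {lineno}: invalid or duplicate host {host!r}")
        entries[host] = (parts[1], parts[2])
    return entries

def check_files(entries):
    """List missing files and swapped key/cert order; Postfix wants the key listed first."""
    problems = []
    for host, (key, cert) in entries.items():
        missing = [p for p in (key, cert) if not Path(p).is_file()]
        problems += [f"{host}: missing file {p}" for p in missing]
        if missing:
            continue
        key_pem, cert_pem = (Path(p).read_text() for p in (key, cert))
        if "PRIVATE KEY" not in key_pem:
            problems.append(f"{host}: {key} does not look like a private key (key must come first)")
        if "BEGIN CERTIFICATE" not in cert_pem:
            problems.append(f"{host}: {cert} does not look like a certificate")
    return problems

def select_chain(entries, default_chain, sni_name):
    """Pair Postfix presents: an exact SNI hit uses the map entry; a miss, or a client
    sending no SNI, falls back to smtpd_tls_chain_files (the primary domain's cert)."""
    if sni_name and sni_name.lower() in entries:
        return entries[sni_name.lower()]
    return default_chain

def check_starttls_sni(connect_host, sni_name, port=25, timeout=10):
    """Live probe (needs network): EHLO, STARTTLS, send sni_name as SNI, verify the served
    chain against the system trust store for that name. Returns (ok, detail)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        def reply():  # collect one possibly multi-line SMTP reply
            lines = []
            while True:
                lines.append(reader.readline())
                if len(lines[-1]) < 4 or lines[-1][3:4] != b"-":
                    return b"".join(lines)
        reply()  # 220 greeting
        sock.sendall(b"EHLO sni-check.invalid\r\n")  # constructed client name
        reply()
        sock.sendall(b"STARTTLS\r\n")
        if not reply().startswith(b"220"):
            return False, "server refused STARTTLS"
        try:
            with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
                return True, tls.getpeercert().get("subjectAltName", ())
        except ssl.SSLCertVerificationError as exc:
            return False, str(exc)  # hostname mismatch: the wrong chain was served

def demo():
    """Run the offline checks on a constructed map with placeholder PEM files."""
    tmp = Path(tempfile.mkdtemp())
    paths = {}
    for name, marker in [("primary.key", "PRIVATE KEY"), ("primary.crt", "CERTIFICATE"),
                         ("second.key", "PRIVATE KEY"), ("second.crt", "CERTIFICATE")]:
        paths[name] = str(tmp / name)  # placeholder carrying only the PEM marker
        Path(paths[name]).write_text(f"-----BEGIN {marker}-----\nplaceholder\n-----END {marker}-----\n")
    pk, pc, sk, sc = (paths[n] for n in ("primary.key", "primary.crt", "second.key", "second.crt"))
    sample_map = (  # constructed sample of /etc/postfix/vmail_ssl.map
        "# one host per line\n"
        f"mail.primary.example {pk} {pc}\n"
        f"mail.second.example {sk} {sc}\n"
        f"mail.swapped.example {sc} {sk}\n"
        f"mail.missing.example {tmp}/nope.key {tmp}/nope.crt\n"
    )
    entries = parse_sni_map(sample_map)
    default_chain = (pk, pc)  # what smtpd_tls_chain_files would hold
    return {
        "hosts": sorted(entries),
        "problems": check_files(entries),
        "listed": select_chain(entries, default_chain, "mail.second.example"),
        "unlisted": select_chain(entries, default_chain, "mail.third.example"),
        "no_sni": select_chain(entries, default_chain, None),
        "second_chain": (sk, sc),
    }
```

    After the restart, `check_starttls_sni("localhost", "mail.mydomainname.com")` against each mail host is the scripted equivalent of the openssl command in Step 5: `(True, ...)` returns the SAN list of the chain that was served, while `(False, "... hostname mismatch ...")` means the SNI lookup fell through to the default chain, which is the symptom several replies below describe. Because clients that send no SNI get the default chain, the host named in smtpd_tls_chain_files should be the primary mail host that appears in MX records.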
  • @Hifihedgehog that's a great job, I was looking for this for so long!

    I tried with 2 setups, 1 fresh, the other on my production server.

    1. Fresh server: even though I created Mail and normal SSL, the folder /etc/letsencrypt/live/ is empty.

    2. For the production server I don't have any folder for mail.xxx, it's only for main domains.

    Do you have any idea what went wrong with my setup? Or how can I fix it?

    Thanks!
  • Actually, everything's working and nothing's the matter. If you are on any version of CyberPanel prior to 1.9.4, the mail domains are not created by default so you will need to create subdomains for them in CyberPanel and get SSLs/Let's Encrypt for each of them. Only new apex/root domains created after installing CyberPanel 1.9.4 will automatically add the .mail subdomain and get the .mail SSL certificate for you. Hope that helps!
  • I am going to read through your efforts now, thanks.
  • As you suggested, I created the mail.xx subdomain with SSL.

    Then I followed it to the end and all worked fine with the code you provided, and the SSL handshake was made without any issues.

    Then I tried to add it to Outlook. Unfortunately mail.xxx couldn't create an SSL connection. The certificate still shows as the original mail server primary domain.

    Can you try to connect via Outlook etc. with SSL and let me know if it works?

    Many thanks in advance!
  • @Hifihedgehog does this step go for mail.domain.com or the actual top level domain such as domain.com?

    For Dovecot it is for mail.domain.com because autodiscover tries to connect using this domain.
  • @Hifihedgehog

    Sent you a message on CP Slack.
  • OK, I did some debugging and the Postfix conf needs SSL for the hostname domain, such as mail.domain.com in this case.
  • Added to v1.9.4 -> https://github.com/usmannasir/cyberpanel/commit/e9a8e34c73610755e1ab1e450e8f03ad706486fd
  • @CyberPanel

    I just tested; the 2 lines below weren't commented out after the upgrade, the rest was OK.

    ---
    # smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    # smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
    ---

    Also the primary domain SSL wasn't registered in /etc/postfix/vmail_ssl.map as @Hifihedgehog mentioned.

    However, even after I followed exactly as mentioned, I can't connect with Outlook or any other software.

    What I did:

    I created 2 domains (a.com, b.com)

    Created SSL for a.com and mail server SSL for mail.a.com

    Restarted the VM.

    Tried to log in using Outlook with mail server mail.b.com. SSL couldn't be found.

    Generated MAIL SSL for mail.b.com, then it worked of course.

    Then I generated again for mail.a.com, then it stopped working again for mail.b.com.

    Seems like the original CyberPanel setup, no changes.

    Please let me know @Hifihedgehog if your setup works with Outlook or any other mail app.

    Thank you!
  • edited February 4
    > @usmannasir said:
    > I am going to read through your efforts now, thanks.

    You're welcome! Sorry for missing your replies on Slack. Glad it seems to have worked out well!
  • edited February 4
    > @Zalcig said:
    > Please let me know @Hifihedgehog if with your setup it works with Outlook or any other mail app.
    >
    > Thank you!

    Yes, it does. Confirmed with both Outlook desktop (Windows) and Outlook mobile (iOS).
  • edited February 4
    > @CyberPanel said:
    > @Hifihedgehog this step goes for mail.domain.com or the actual top level domain such as domain.com ?
    >
    > For dovecot it is for mail.domain.com because autodiscovers tries to connect using this domain.

    Yep, I used the mail. subdomain. :)
  • @Zalcig:

    You are getting an insecure message because your server is failing to pick up the certificates for one reason or another. Some possibilities:

    1. You don't have this correct in your Postfix main.cf configuration file:

    > # smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    > # smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
    >
    > # provide the primary certificate for the server, to be used for outgoing connections
    > smtpd_tls_chain_files =
    > /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
    > /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem

    2. You need to renew your mail server SSL certificate because either (a) you made too many renewal requests and therefore you are locked out and will have to wait a couple days before being able or (b) it is outdated.
  • edited February 7
    Because of this discussion, starting from 1.9.4 CyberPanel automatically creates a child domain and sub-folder under public_html.

    I have a suggestion (I talked about that on Discord too):
    add a context-wrapper to the child domain OR make it dedicated to mail domains,
    something like this:

    #add context rule to any mail child-domain (under VH_ROOT)
    context /.well-known-wrapper {
    location $VH_ROOT/.well-known-wrapper
    allowBrowse 1
    }

    #point the verification to the virtual place
    ./acme.sh --issue -d mail.example.com -w /home/example.com/.well-known-wrapper

    Done. We have SSL verification without a sub-folder under public_html.
  • > @Hifihedgehog said:
    > Step 1: Comment out the top two lines and add the follow lines to /etc/postfix/main.cf:
    >
    > ---
    > # smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    > # smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
    >
    > # provide the primary certificate for the server, to be used for outgoing connections
    > smtpd_tls_chain_files =
    > /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
    > /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
    >
    > # provide the map to be used when SNI support is enabled
    > tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
    > ---
    >
    > Step 2: Create the file /etc/postfix/vmail_ssl.map with the following:
    >
    > ---
    > # Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
    > # One host per line
    > mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
    > mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
    > # add more domains with keys and certs as needed
    > ---
    >
    > Step 3: Run postmap -F hash:/etc/postfix/vmail_ssl.map.
    >
    > Step 4: Run systemctl restart postfix.
    >
    > Step 5: Now test your domains' SSLs! For each of your domains, run the following command: openssl s_client -connect localhost:25 -servername mail.mydomainname.com -starttls smtp

    I'm getting example.com domains from the SSL check.
  • That means you did not select each of the domains in CyberPanel and generate an SSL certificate for those mail domains. That, or you tried regenerating the SSL certificate so many times that you are blocked out since you hit the renewal request quota, in which case you would have to wait.
  • > @Hifihedgehog said:
    > That means you did not select each of the domains in CyberPanel and generate an SSL certificate for those mail domains. That, or you tried regenerating the SSL certificate so many times that you are blocked out since you hit the renewal request quota, in which case you would have to wait.

    I solved that issue of generating SSL, my SSL is being shown right now but I still get an SSL error for SMTP, I suppose for secondary domains.

    My dovecot is:

    local_name mail.s.com {
    ssl_cert = </etc/letsencrypt/live/mail.s.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.s.com/privkey.pem
    }

    local_name mail.a.com.tr {
    ssl_cert = </etc/letsencrypt/live/mail.a.com.tr/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.a.com.tr/privkey.pem
    }

    local_name mail.y.com {
    ssl_cert = </etc/letsencrypt/live/mail.y.com/fullchain.pem
    ssl_key = </etc/letsencrypt/live/mail.y.com/privkey.pem
    }

    My postfix vmail is

    mail.y.com /etc/letsencrypt/live/mail.y.com/privkey.pem /etc/letsencrypt/live/mail.y.com/fullchain.pem
    mail.s.com /etc/letsencrypt/live/mail.s.com/privkey.pem /etc/letsencrypt/live/mail.s.com/fullchain.pem
    mail.a.com.tr /etc/letsencrypt/live/mail.a.com.tr/privkey.pem /etc/letsencrypt/live/mail.a.com.tr/fullchain.pem

    my main.cf is

    smtpd_use_tls = yes
    #smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
    #smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
    smtpd_tls_chain_files =
    /etc/letsencrypt/live/mail.y.com/privkey.pem,
    /etc/letsencrypt/live/mail.y.com/fullchain.pem
    # provide the map to be used when SNI support is enabled
    tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
    virtual_create_maildirsize = yes
    virtual_maildir_extended = yes

    Configured like this. I generated SSL and mail server SSL for mail.y.com from the panel and checked the SSL certs.

    Used postmap -F hash:/etc/postfix/vmail_ssl.map, systemctl restart postfix and systemctl restart dovecot without errors.

    Nothing wrong with the certificates but I still get an error on Gmail mobile. If you're willing to take a look at the cfgs I can hand them over. This mail problem has hurt my head so much the last few days...
  • Sorry, I can't offer direct troubleshooting services at this time, but what I can say is if you are seeing example.com certificates in your mail client (in this case, Gmail) and SSL check, then they did not renew properly. Check your CyberPanel log. It may say it renewed at the SSL renewal tool in CyberPanel, but it may have actually failed. I would venture to guess that checking your logs would be the next best course of action.
  • It shows three thousand something years of SSL remaining time when it fails; I checked it and it's 90 days right now. Don't think it is the SSL.
  • edited February 18
    That is the placeholder SSL which means there is a typo somewhere down the line or the SSL didn't renew. Keep combing through it and plugging away and it will eventually become evident what the root of the problem is.
  • I have tried lots of possible configurations and it only gets worse. Now I get SSL errors for both IMAP and SMTP connections. It says the certificate subject does not match the machine or server name. My main mail server domain's SSL shows below with mail.y.com Let's Encrypt etc., and my mail address belongs to that domain also, it's not even a different domain. Before this Postfix change at least I could make the main domain's emails work properly. Now everything is a mess. Don't know how other people handle this... (Even domains that I created after the 1.9.4 update do not work)
  • Yeah, you messed up royally somewhere. As always, there is an element of risk involved with any of these mods or tweaks unless you know exactly what you are doing.
  • Information from this article is extracted and inserted into original article at -> https://cyberpanel.net/docs/6-self-signed-ssl-error-on-outlook-thunderbird/

    Also added note on top of this thread.