How to configure Postfix to serve signed SSL certificates for several domains?

Refers to:

  • Plesk for Linux

Created:

2016-11-16 13:03:44 UTC

Modified:

2016-12-21 19:52:06 UTC


Symptoms

How to configure Postfix to serve signed SSL certificates for several domains?

Resolution

For Postfix to serve several SSL certificates, each subscription must have a dedicated IP address with its own SSL certificate assigned.

Please perform the following steps to configure Plesk and Postfix:

  1. Add an IP address to the server for the subscription example.com that will use the signed SSL certificate
  2. Reread the IP addresses at Tools & settings -> IP Addresses
  3. Set the IP as dedicated and assign the corresponding SSL certificate at: Tools & settings -> IP Addresses -> 1.1.1.1
  4. Assign IP 1.1.1.1 to the subscription at Subscriptions -> example.com -> Changing hosting settings -> IP address
  5. Comment out or delete smtpd_tls_key_file and smtpd_tls_cert_file in /etc/postfix/main.cf:

    #smtpd_tls_key_file = /etc/postfix/keys/example.com.key
    #smtpd_tls_cert_file = /etc/postfix/keys/example.com.crt
    smtpd_tls_CAfile = /etc/postfix/keys/example.com.bundle
  6. Create records in /etc/postfix/master.cf for the subscription:

    # Option lines (-o) must start with whitespace so that Postfix reads
    # them as continuations of the service line above them.
    # localhost
    127.0.0.1:smtp inet n - y - 20 smtpd
        -o smtpd_proxy_filter=127.0.0.1:10024
        -o content_filter=dksign:127.0.0.1:10027
        -o smtpd_client_connection_count_limit=100
        -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
        -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    127.0.0.1:smtps inet n - y - - smtpd
        -o content_filter=dksign:127.0.0.1:10027
        -o smtpd_client_connection_count_limit=10
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
        -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    127.0.0.1:submission inet n - y - - smtpd
        -o smtpd_enforce_tls=yes
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=yes
        -o content_filter=dksign:[127.0.0.1]:10027
        -o receive_override_options=no_address_mappings
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
        -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
        -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    # IPv4
    1.1.1.1:smtp inet n - y - 20 smtpd
        -o smtpd_proxy_filter=127.0.0.1:10024
        -o content_filter=dksign:127.0.0.1:10027
        -o smtpd_client_connection_count_limit=100
        -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
        -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    1.1.1.1:smtps inet n - y - - smtpd
        -o content_filter=dksign:127.0.0.1:10027
        -o smtpd_client_connection_count_limit=10
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
        -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    1.1.1.1:submission inet n - y - - smtpd
        -o smtpd_enforce_tls=yes
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=yes
        -o content_filter=dksign:[127.0.0.1]:10027
        -o receive_override_options=no_address_mappings
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
        -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
        -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    # If IPv6 is used on the server, add the following records:

    # IPv6
    [2a01:4f8:120:14c4::1111]:smtp inet n - y - 20 smtpd
        -o smtpd_proxy_filter=127.0.0.1:10024
        -o content_filter=dksign:127.0.0.1:10027
        -o smtpd_client_connection_count_limit=100
        -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
        -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    [2a01:4f8:120:14c4::1111]:smtps inet n - y - - smtpd
        -o content_filter=dksign:127.0.0.1:10027
        -o smtpd_client_connection_count_limit=10
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
        -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
        -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    [2a01:4f8:120:14c4::1111]:submission inet n - y - - smtpd
        -o smtpd_enforce_tls=yes
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=yes
        -o content_filter=dksign:[127.0.0.1]:10027
        -o receive_override_options=no_address_mappings
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
        -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
        -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt
  7. Reload the Postfix configuration:

    # /etc/init.d/postfix reload
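
A check worth running on master.cf before the reload, added here as an example and not part of the original article: once step 5 removes the certificate settings from main.cf, every inet smtpd listener depends on its own smtpd_tls_key_file and smtpd_tls_cert_file overrides. The parser, its function names and the sample master.cf below are constructed for illustration, and only the plain `-o name=value` form is handled.

```python
import re

# Constructed sample: one complete listener, one missing its certificate,
# one with no TLS overrides at all, and one non-smtpd service.
SAMPLE_MASTER_CF = """\
# IPv4
1.1.1.1:smtp inet n - y - 20 smtpd
    -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
    -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt
1.1.1.1:submission inet n - y - - smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
[2a01:4f8:120:14c4::1111]:smtps inet n - y - - smtpd
    -o smtpd_tls_wrappermode=yes
pickup unix n - y 60 1 pickup
"""

def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines

def audit_smtpd_tls(text):
    """Return {service: [missing override names]} for inet smtpd services."""
    required = ("smtpd_tls_key_file", "smtpd_tls_cert_file")
    findings = {}
    for line in logical_lines(text):
        fields = line.split()
        # Fields: service type private unpriv chroot wakeup maxproc command
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        overrides = dict(o.split("=", 1) for o in re.findall(r"-o\s+(\S+=\S*)", line))
        missing = [name for name in required if not overrides.get(name)]
        if missing:
            findings[fields[0]] = missing
    return findings

if __name__ == "__main__":
    for service, missing in audit_smtpd_tls(SAMPLE_MASTER_CF).items():
        print(f"{service}: no per-service {', '.join(missing)}")
```

Unindented `-o` lines are not attached to the service above them, so a file pasted without the leading whitespace is reported as missing both overrides.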