How to configure Postfix to serve signed SSL certificates for several domains?

Created: 2016-11-16 13:03:44 UTC

Modified: 2017-04-24 11:58:51 UTC

Applicable to:

  • Plesk for Linux

Symptoms

How to configure Postfix to serve signed SSL certificates for several domains?

Resolution

For Postfix to serve several SSL certificates, each subscription must have a dedicated IP address and an SSL certificate assigned.

Please perform the following steps to configure Plesk and Postfix:

  1. Add an IP address to the server for the subscription example.com that will use the signed SSL certificate
  2. Reread the IP addresses at Tools & settings -> IP Addresses
  3. Set the IP address as dedicated and assign the corresponding SSL certificate at Tools & settings -> IP Addresses -> 1.1.1.1
  4. Assign the IP address 1.1.1.1 to the subscription at Subscriptions -> example.com -> Changing hosting settings -> IP address
  5. Comment out or delete smtpd_tls_key_file and smtpd_tls_cert_file in /etc/postfix/main.cf:

    #smtpd_tls_key_file = /etc/postfix/keys/example.com.key
    #smtpd_tls_cert_file = /etc/postfix/keys/example.com.crt
    smtpd_tls_CAfile = /etc/postfix/keys/example.com.bundle
  6. Create records in /etc/postfix/master.cf for the subscription. Each -o line must start with whitespace so that Postfix reads it as a continuation of the service entry above it:

    # localhost
    127.0.0.1:smtp inet n - y - 20 smtpd
      -o smtpd_proxy_filter=127.0.0.1:10024
      -o content_filter=dksign:127.0.0.1:10027
      -o smtpd_client_connection_count_limit=100
      -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
      -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    127.0.0.1:smtps inet n - y - - smtpd
      -o content_filter=dksign:127.0.0.1:10027
      -o smtpd_client_connection_count_limit=10
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
      -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    127.0.0.1:submission inet n - y - - smtpd
      -o smtpd_enforce_tls=yes
      -o smtpd_etrn_restrictions=reject
      -o smtpd_sasl_auth_enable=yes
      -o content_filter=dksign:[127.0.0.1]:10027
      -o receive_override_options=no_address_mappings
      -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
      -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    # IPv4
    1.1.1.1:smtp inet n - y - 20 smtpd
      -o smtpd_proxy_filter=127.0.0.1:10024
      -o content_filter=dksign:127.0.0.1:10027
      -o smtpd_client_connection_count_limit=100
      -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
      -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    1.1.1.1:smtps inet n - y - - smtpd
      -o content_filter=dksign:127.0.0.1:10027
      -o smtpd_client_connection_count_limit=10
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
      -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    1.1.1.1:submission inet n - y - - smtpd
      -o smtpd_enforce_tls=yes
      -o smtpd_etrn_restrictions=reject
      -o smtpd_sasl_auth_enable=yes
      -o content_filter=dksign:[127.0.0.1]:10027
      -o receive_override_options=no_address_mappings
      -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
      -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    # In case IPv6 is used on the server add the following records:

    # IPv6
    [2a01:4f8:120:14c4::1111]:smtp inet n - y - 20 smtpd
      -o smtpd_proxy_filter=127.0.0.1:10024
      -o content_filter=dksign:127.0.0.1:10027
      -o smtpd_client_connection_count_limit=100
      -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
      -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    [2a01:4f8:120:14c4::1111]:smtps inet n - y - - smtpd
      -o content_filter=dksign:127.0.0.1:10027
      -o smtpd_client_connection_count_limit=10
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
      -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt

    [2a01:4f8:120:14c4::1111]:submission inet n - y - - smtpd
      -o smtpd_enforce_tls=yes
      -o smtpd_etrn_restrictions=reject
      -o smtpd_sasl_auth_enable=yes
      -o content_filter=dksign:[127.0.0.1]:10027
      -o receive_override_options=no_address_mappings
      -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
      -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt
  7. Reload the Postfix configuration:

    # /etc/init.d/postfix reload
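
Because step 5 removes the certificate and key from main.cf, every listener relies on its own -o overrides from step 6. The check below is an added example, not part of the original article: it parses master.cf text, joins continuation lines, and reports smtpd listeners that lack either override, along with -o lines that are not attached to any service. The sample input is constructed, the function names are hypothetical, and only the plain `-o name=value` form is handled.

```python
import re

# Constructed sample (not from a real server): the smtps entry lacks its key
# override, and the submission entry's "-o" lines are not indented.
SAMPLE_MASTER_CF = """\
1.1.1.1:smtp inet n - y - 20 smtpd
  -o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
  -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt
1.1.1.1:smtps inet n - y - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt
1.1.1.1:submission inet n - y - - smtpd
-o smtpd_tls_key_file=/etc/postfix/keys/example.com.key
-o smtpd_tls_cert_file=/etc/postfix/keys/example.com.crt
"""

REQUIRED = ("smtpd_tls_cert_file", "smtpd_tls_key_file")  # set per listener in step 6

def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(text):
    """Return (missing overrides per smtpd listener, unattached "-o" lines)."""
    missing, stray = {}, []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0].startswith("-"):
            stray.append(line)  # an unindented override starts its own entry
            continue
        # Fields: service type private unpriv chroot wakeup maxproc command
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        found = {m.group(1) for m in re.finditer(r"-o\s+([\w.]+)=\S+", line)}
        lacking = [p for p in REQUIRED if p not in found]
        if lacking:
            missing[fields[0]] = lacking
    return missing, stray

if __name__ == "__main__":
    print(audit(SAMPLE_MASTER_CF))
```

To confirm what a listener actually presents after the reload, `openssl s_client -connect 1.1.1.1:25 -starttls smtp` prints the certificate served on that address.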