postfix ssl different domains

  • Hello,
    I already set up an SSL certificate for my main server.
    Now it is possible to use that server for smtp/pop3/imap with SSL, everything is fine.
    Is it possible for a customer to add SSL for his own domain? I know that
    www is possible and it is working, but I am interested in Postfix SSL too, so he
    has his own smtp/pop3/imap domain SSL.

  • Hello ;


    This is not possible with i-MSCP out of the box. It is possible by changing the configuration (postfix...) manually, but this requires assigning one IP per domain.


    BTW: Google is your friend.


  • I think I noticed a small bug which is related to a separate SSL IP.
    When we assign a different IP for some domain, our name server still keeps the main IP for hosts
    like mail, imap, pop, pop3, which is wrong I think.
    We assign a different IP, not the same one; it means all services must listen on the new one.
    I expect pinging mail.mydomain.com to return the newly assigned IP.
    There are some files we must touch for this to work:
    bind config, dovecot/courier, master.conf

  • This is not a bug in the current implementation.


  • It is possible, but I can not understand the idea of having a different IP if my mail server still points to
    the main one, and the worst thing is that I can not normally change the IP of the host mail.domain.com.
    The IP is useful only for web, but the most useful thing would be a different mail server IP on a shared platform.
    It can save some domains from spam and other good stuff, and allow different SSL client certificates per domain.
    I already did that, but manually, and I do not like it.

  • @sanitariu


    Well, the current mail implementation doesn't involve one IP per domain. Therefore, a single IP is used for the mailhost and so on. This explains why, in the DNS zone file, the smtp, pop and imap records all point to the same IP.


    You can easily change that by editing the /etc/imscp/bind/parts/db.tpl template.



    For instance:


    Code

    $TTL 3H
    $ORIGIN {DOMAIN_NAME}.
    @ IN SOA ns1.{DOMAIN_NAME}. hostmaster.{DOMAIN_NAME}. (
        {TIMESTAMP}; Serial
        3H; Refresh
        1H; Retry
        2W; Expire
        1H; Minimum TTL
    )
    ; dmn NS entry BEGIN
    @ IN NS ns{NS_NUMBER}
    ; dmn NS entry ENDING
    @ IN {IP_TYPE} {DOMAIN_IP}
    ; dmn NS A entry BEGIN
    ns{NS_NUMBER} IN {NS_IP_TYPE} {NS_IP}
    ; dmn NS A entry ENDING
    www IN CNAME @
    ftp IN {IP_TYPE} {DOMAIN_IP}
    ; dmn MAIL entry BEGIN
    @ IN MX 10 mail
    @ IN TXT "v=spf1 a mx ~all"
    mail IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    imap IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    pop IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    pop3 IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    relay IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    smtp IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    ; dmn MAIL entry ENDING
    ; sub [{SUBDOMAIN_NAME}] entry BEGIN
    ; sub [{SUBDOMAIN_NAME}] entry ENDING
    $ORIGIN {DOMAIN_NAME}.
    ; custom DNS entries BEGIN
    ; custom DNS entries ENDING
    ; ctm als entries BEGIN
    ; ctm als entries ENDING


    Should be something like:


    Code

    $TTL 3H
    $ORIGIN {DOMAIN_NAME}.
    @ IN SOA ns1.{DOMAIN_NAME}. hostmaster.{DOMAIN_NAME}. (
        {TIMESTAMP}; Serial
        3H; Refresh
        1H; Retry
        2W; Expire
        1H; Minimum TTL
    )
    ; dmn NS entry BEGIN
    @ IN NS ns{NS_NUMBER}
    ; dmn NS entry ENDING
    @ IN {IP_TYPE} {DOMAIN_IP}
    ; dmn NS A entry BEGIN
    ns{NS_NUMBER} IN {NS_IP_TYPE} {NS_IP}
    ; dmn NS A entry ENDING
    www IN CNAME @
    ftp IN {IP_TYPE} {DOMAIN_IP}
    ; dmn MAIL entry BEGIN
    @ IN MX 10 mail
    @ IN TXT "v=spf1 a mx ~all"
    ; mail hosts now use the domain's own IP instead of the base server IP
    mail IN {IP_TYPE} {DOMAIN_IP}
    imap IN {IP_TYPE} {DOMAIN_IP}
    pop IN {IP_TYPE} {DOMAIN_IP}
    pop3 IN {IP_TYPE} {DOMAIN_IP}
    relay IN {IP_TYPE} {DOMAIN_IP}
    smtp IN {IP_TYPE} {DOMAIN_IP}
    ; dmn MAIL entry ENDING
    ; sub [{SUBDOMAIN_NAME}] entry BEGIN
    ; sub [{SUBDOMAIN_NAME}] entry ENDING
    $ORIGIN {DOMAIN_NAME}.
    ; custom DNS entries BEGIN
    ; custom DNS entries ENDING
    ; ctm als entries BEGIN
    ; ctm als entries ENDING

    Then, once the changes are done, you could just run the setup script to regenerate configuration files (including DNS zone files):


    Shell-Script

    # perl /var/www/imscp/engine/setup/imscp-setup -dar


    Be aware that changes made in that template would be overridden on the next i-MSCP update. Thus, I would recommend you to code a listener instead of editing the template directly.
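    To check the result of the template change above, here is an added example (not i-MSCP code): it renders the mail part of db.tpl with constructed placeholder values, applies the proposed rewrite of the mail host records, and reports any mail host whose A/AAAA record still points somewhere other than the domain's IP.

    ```python
    import re

    # Placeholder values for the i-MSCP template (constructed for this example).
    VALUES = {"DOMAIN_NAME": "example.com", "DOMAIN_IP": "192.0.2.10", "IP_TYPE": "A",
              "BASE_SERVER_IP": "192.0.2.1", "BASE_SERVER_IP_TYPE": "A"}

    # Only the mail part of db.tpl, as shown in the post above (the unchanged version).
    MAIL_TEMPLATE = """\
    ; dmn MAIL entry BEGIN
    @ IN MX 10 mail
    @ IN TXT "v=spf1 a mx ~all"
    mail IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    imap IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    pop IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    pop3 IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    relay IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    smtp IN {BASE_SERVER_IP_TYPE} {BASE_SERVER_IP}
    ; dmn MAIL entry ENDING
    """

    MAIL_HOSTS = ("mail", "imap", "pop", "pop3", "relay", "smtp")

    def render(template, values):
        """Replace every {PLACEHOLDER} with its value; unknown placeholders are left as-is."""
        return re.sub(r"\{([A-Z_]+)\}", lambda m: values.get(m.group(1), m.group(0)), template)

    def fix_mail_records(template):
        """Rewrite the mail host records to use the domain's own IP (the change proposed above)."""
        pattern = r"^(%s) IN \{BASE_SERVER_IP_TYPE\} \{BASE_SERVER_IP\}$" % "|".join(MAIL_HOSTS)
        return re.sub(pattern, r"\1 IN {IP_TYPE} {DOMAIN_IP}", template, flags=re.M)

    def mail_hosts_not_on_domain_ip(zone, domain_ip):
        """Return the mail host names whose A/AAAA record points somewhere other than domain_ip."""
        wrong = []
        for line in zone.splitlines():
            m = re.match(r"^(\S+)\s+IN\s+(A|AAAA)\s+(\S+)$", line)
            if m and m.group(1) in MAIL_HOSTS and m.group(3) != domain_ip:
                wrong.append(m.group(1))
        return wrong
    ```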


  • Thanks for your help!
    My goal was actually to have a different IP for mail SSL access via Outlook/Thunderbird or others.
    Otherwise we get a certificate host mismatch error and we can not use the pop3/imap server name mail.mydomain.com.
    Using my main one was not an option.
    So for all this to work, besides the DNS fixes, we need to change dovecot.conf, something like:


    after
    ------

    protocol imap {
      mail_plugins = $mail_plugins imap_quota
    }

    protocol pop3 {
      pop3_uidl_format = %u-%v
    }

    we add
    ---------

    # settings in this block apply only to connections arriving on the domain's own IP
    local my_other_ip {
      protocol imap {
        # '<' makes Dovecot read the file contents; the key file is the unencrypted one
        ssl_cert = </etc/ssl/domain/domain.crt
        ssl_key = </etc/ssl/domain/domain.key.nopass
      }

      protocol pop3 {
        ssl_cert = </etc/ssl/domain/domain.crt
        ssl_key = </etc/ssl/domain/domain.key.nopass
      }
    }


    also in master.cf
    we add something like:

    # each listener is bound to the domain's IP (replace my_new_ip); the indented -o lines
    # override main.cf for that listener only
    my_new_ip:smtp inet n - - - - smtpd
      -o smtp_helo_name=mail.domain.com
      -o smtpd_banner=mail.domain.com

    # SMTPS (TLS wrapper mode): authenticated clients only, domain's own certificate
    my_new_ip:smtps inet n - - - - smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_tls_key_file=/etc/ssl/domain/domain.key.nopass
      -o smtpd_tls_cert_file=/etc/ssl/domain/domain.crt
      -o smtpd_tls_CAfile=/etc/ssl/domain/intermediate.ca
      -o smtp_helo_name=mail.domain.com
      -o smtpd_banner=mail.domain.com

    # submission (STARTTLS): same certificate and restrictions
    my_new_ip:submission inet n - - - - smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_tls_key_file=/etc/ssl/domain/domain.key.nopass
      -o smtpd_tls_cert_file=/etc/ssl/domain/domain.crt
      -o smtpd_tls_CAfile=/etc/ssl/domain/intermediate.ca
      -o smtp_helo_name=mail.domain.com
      -o smtpd_banner=mail.domain.com



    Of course you will have to get a cert for domain.com.
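    A small lint for the per-IP master.cf entries described in the post above, as an added example (not the poster's or i-MSCP's code): it folds the `-o` continuation lines into each listener and flags parameter names Postfix does not know (a misspelled TLS parameter is silently ignored, so the listener keeps presenting the main server certificate), listeners without their own cert/key pair, and submission listeners that do not require SASL. The set of known parameter names is an assumed subset, and the sample master.cf text is constructed.

    ```python
    import re

    # Postfix parameter names a per-IP TLS listener uses (assumed subset; names are case-sensitive).
    KNOWN_PARAMS = {
        "smtpd_banner", "smtpd_tls_wrappermode", "smtpd_sasl_auth_enable",
        "smtpd_client_restrictions", "smtpd_tls_key_file", "smtpd_tls_cert_file",
        "smtpd_tls_CAfile", "smtpd_tls_security_level", "smtp_helo_name",
    }

    def parse_master_cf(text):
        """Return [(service_name, {option: value})]; indented '-o key=value' lines belong to the service above."""
        services = []
        for line in text.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            if line[0].isspace():
                m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", line)
                if m and services:
                    services[-1][1][m.group(1)] = m.group(2).strip()
            elif len(line.split()) >= 8:  # name type private unpriv chroot wakeup maxproc command
                services.append((line.split()[0], {}))
        return services

    def lint(text):
        """Findings for listeners bound to an explicit IP (name looks like ip:service)."""
        findings = []
        for name, opts in parse_master_cf(text):
            if ":" not in name:
                continue
            for key in opts:
                if key not in KNOWN_PARAMS:
                    findings.append(f"{name}: unknown parameter {key!r}, Postfix ignores it")
            if not {"smtpd_tls_cert_file", "smtpd_tls_key_file"} <= set(opts):
                findings.append(f"{name}: no per-domain cert/key, the main server certificate is presented")
            if name.endswith(":submission") and opts.get("smtpd_sasl_auth_enable") != "yes":
                findings.append(f"{name}: submission should set smtpd_sasl_auth_enable=yes")
        return findings

    # Constructed sample modelled on the master.cf snippet in the post above.
    SAMPLE_MASTER_CF = """\
    my_new_ip:smtps inet n - - - - smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_tls_key_file=/etc/ssl/domain/domain.key.nopass
      -o smtpd_tls_cert_file=/etc/ssl/domain/domain.crt
      -o smtpd_tls_ca_file=/etc/ssl/domain/intermediate.ca
    my_new_ip:submission inet n - - - - smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    """
    ```

    Running `lint(SAMPLE_MASTER_CF)` reports the misspelled `smtpd_tls_ca_file` on the smtps listener and the missing cert/key on the submission listener.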