From: Phil Howard on 21 May 2010 10:29

I was originally setting up for one hostname to which outgoing email would be sent. Now it looks like we have some internal users that cannot reach the firewall (because they are in a no-internet-access zone). It turns out, for them to get to the mail server, they have to address it as a different hostname, and that will need a different SSL certificate with a CN for that hostname, on a different IP address. Alternatively, I could juggle DNS around somehow so they can use the same hostname while reaching a different IP address. But I want to avoid doing that (and also avoid having them connect non-SSL even though it is internal ... we want all inter-zone traffic to be SSL).

So basically, I'm looking at running two instances of SMTPD, each on a different IP address, and each with a different SSL certificate (both being server certificates signed by an internal CA that users will import into their user agent CA cert collection). I see two approaches. One is just two daemons specified in master.cf. But I don't see how to give them each a different certificate. The other is a multi-instance Postfix. But I'm worried that a multi-instance setup might have problems with using the same set of domain names, and perhaps even problems with instantiating Dovecot being used to do the delivery (e.g. virtual transport).

And to be clear, yes, I know there are possible solutions outside the scope of changing the Postfix setup. But I want to explore everything in depth before making that decision. And I want to limit this thread on this list to just exploring the Postfix aspect.
From: Noel Jones on 21 May 2010 12:04

On 5/21/2010 9:29 AM, Phil Howard wrote:

> I was originally setting up for one hostname to which outgoing email would be sent. Now it looks like we have some internal users that cannot reach the firewall (because they are in a no-internet-access zone). It turns out, for them to get to the mail server, they have to address it as a different hostname, and that will need a different SSL certificate with a CN for that hostname, on a different IP address. Alternatively, I could juggle DNS around somehow so they can use the same hostname while reaching a different IP address. But I want to avoid doing that (and also avoid having them connect non-SSL even though it is internal ... we want all inter-zone traffic to be SSL).
>
> So basically, I'm looking at running two instances of SMTPD, each on a different IP address, and each with a different SSL certificate (both being server certificates signed by an internal CA that users will import into their user agent CA cert collection). I see two approaches. One is just two daemons specified in master.cf. But I don't see how to give them each a different certificate.

Add -o smtpd_tls_key_file=... -o smtpd_tls_cert_file=... lines to your master.cf alternate smtpd listener. For completeness you can also use -o myhostname=foo.example.com to match the expected name.

> The other is a multi-instance Postfix. But I'm worried that a multi-instance setup might have problems with using the same set of domain names, and perhaps even problems with instantiating Dovecot being used to do the delivery (e.g. virtual transport).

This would work too; use relayhost to tell the alternate instance to deliver everything to the primary instance for final delivery.

-- Noel Jones
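The master.cf approach from the reply above, written out as an added example (not from the thread or from Postfix's own documentation): two smtpd listeners, each bound to its own IP address and carrying its own certificate, key and myhostname via -o overrides. The IP addresses, hostnames, certificate paths and the choice of the submission port with mandatory TLS are assumptions made for the example.

```conf
# master.cf fragment (added example; all addresses, names and paths are assumed)
#
# Binding each listener to a specific IP avoids a wildcard listener competing
# for the same port. Per-listener -o lines override main.cf for that service
# only, so the two listeners present different certificates.
#
# service            type  private unpriv chroot wakeup maxproc command + args
192.0.2.10:submission inet n      -      n      -      -       smtpd
  -o myhostname=mail.example.com
  -o smtpd_tls_cert_file=/etc/postfix/certs/mail.example.com.crt
  -o smtpd_tls_key_file=/etc/postfix/certs/mail.example.com.key
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

# Second listener for the no-internet-access zone: different IP, different
# certificate whose CN matches the name those clients use.
192.0.2.20:submission inet n      -      n      -      -       smtpd
  -o myhostname=mail-internal.example.com
  -o smtpd_tls_cert_file=/etc/postfix/certs/mail-internal.example.com.crt
  -o smtpd_tls_key_file=/etc/postfix/certs/mail-internal.example.com.key
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
```

After `postfix reload`, verify each listener separately with `openssl s_client -connect 192.0.2.20:587 -starttls smtp` and confirm the presented subject CN matches the hostname that zone's clients connect to, since a mismatch is exactly what the clients' CA-validation will reject.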