
I'm trying to get full green marks on an old iredmail server checktls.com/TestReceiver. I have a multi-domain certificate with these domains:

  • mail.domain.tld
  • mailgw.domain.tld
  • mailgw2.domain.tld

I do get the full green marks on mail.domain.tld, but not the others. I'm assuming this is because of mail.domain.tld being the certificate name (I've forgotten what it's called).

The warning I get on the other domains is this:

Cert Hostname DOES NOT VERIFY (mailgw.domain.tld != mail.domain.tld | DNS:mail.domain.tld)
        So email is encrypted but the host is not verified

MX and A records are set for each domain. They don't share a single IP, but rather each have their own.

What do I need to change to solve this issue? Do I need to make separate certificates for each domain?

Version information:

  • Postfix 2.7.1
  • Dovecot 1.2.15
  • iRedMail 0.8.5
  • Debian 6.0.10 (Squeeze)

I know these are old versions and I know one should upgrade (or rather migrate), but that's currently not possible for me to do.

I will supply any information needed (unless told not to by my boss).

Angus

1 Answer

Answer: Configuring Multi-Domain TLS in Postfix Using SNI

Your issue is caused by the fact that your TLS certificate only covers mail.domain.tld, which leads to hostname verification failures when clients connect to mailgw.domain.tld and mailgw2.domain.tld. To fix this, you need to configure Postfix to use different certificates for each domain using Server Name Indication (SNI).
Solution: Enable TLS SNI in Postfix

1. Create and Edit the SNI Mapping File

Create the SNI mapping file where each domain is mapped to its corresponding certificate:

sudo nano /etc/postfix/tls_sni

Add the following lines (replace with the correct paths to your certificates):

mail.domain.tld /path/to/mail.domain.tld/privkey.pem /path/to/mail.domain.tld/fullchain.pem
mailgw.domain.tld /path/to/mailgw.domain.tld/privkey.pem /path/to/mailgw.domain.tld/fullchain.pem
mailgw2.domain.tld /path/to/mailgw2.domain.tld/privkey.pem /path/to/mailgw2.domain.tld/fullchain.pem

Save and exit (CTRL + X, then Y and Enter).
2. Configure Postfix to Use the SNI Map

Edit your Postfix configuration file:

sudo nano /etc/postfix/main.cf

Add the following line:

tls_server_sni_maps = hash:/etc/postfix/tls_sni

3. Convert the SNI File to a Postfix-Compatible Format

Run the following command to create the Postfix-compatible database:

sudo postmap -F /etc/postfix/tls_sni

4. Restart Postfix to Apply Changes

Finally, restart Postfix:

sudo systemctl restart postfix

Why This Works

  • SNI (Server Name Indication) allows Postfix to present the correct SSL certificate based on the requested domain.
  • This eliminates hostname verification issues when multiple domains are hosted on the same mail server.
  • This solution avoids the need for a single multi-domain certificate (SAN) or multiple separate instances of Postfix.

Alternative: Using a SAN (Multi-Domain) Certificate

If managing multiple certificates is not feasible, you can instead use a SAN (Subject Alternative Name) certificate, which covers multiple domains under one certificate.

Cheers!

Syarif
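Whichever route is taken (per-name certificates selected by SNI, or one SAN certificate listing every MX name), the thing checktls.com is complaining about is that the name the client asked for is not among the certificate's DNS subject alternative names. One caveat worth knowing before editing main.cf: the tls_server_sni_maps parameter only exists in Postfix 3.4 and later, so on the Postfix 2.7 listed in the question the SAN certificate mentioned at the end of the answer is the route that actually applies. The script below is an added example, not code from the question or the answer, and it checks a certificate against each hostname the same way a verifying client would, before the certificate is deployed. It assumes OpenSSL 1.1.1 or newer on the PATH; the two self-signed certificates it generates are constructed test data, with the "narrow" one carrying only DNS:mail.domain.tld (the situation the checktls output describes) and the "wide" one carrying all three names. The live_check function shows the equivalent check against a running server with an explicit SNI name; it needs network access and is not run by the script.

```shell
#!/bin/sh
# Added example: check which hostnames a certificate actually covers.
# Assumes OpenSSL >= 1.1.1 (needed for 'req -addext' and 'x509 -checkhost').
set -eu

# make_cert OUTDIR NAME SANLIST
# Constructed self-signed test certificate with the given subjectAltName list;
# the CN is deliberately mail.domain.tld in both cases, because once a SAN
# extension is present, verifiers ignore the CN and match SAN entries only.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=mail.domain.tld" \
    -addext "subjectAltName=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# cert_covers CERTFILE HOSTNAME
# Exit 0 when the certificate verifies for HOSTNAME, 1 otherwise. This is the
# same X509_check_host() logic a TLS client uses, run offline against the file.
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# list_sans CERTFILE
# Print the DNS names the certificate really carries, so the list can be
# compared against every MX hostname that points at this server.
list_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# live_check MXHOST NAME
# What a checktls-style client sees when it connects to MXHOST on port 25,
# upgrades with STARTTLS and asks for NAME via SNI. Not run here (needs network).
live_check() {
  openssl s_client -starttls smtp -connect "$1:25" \
    -servername "$2" -verify_hostname "$2" </dev/null 2>/dev/null \
    | grep -E '^subject=|^Verification:'
}

# Walk every MX hostname against both constructed certificates and report
# the result in the same wording checktls.com uses.
demo() {
  dir=$(mktemp -d)
  make_cert "$dir" narrow "DNS:mail.domain.tld"
  make_cert "$dir" wide "DNS:mail.domain.tld,DNS:mailgw.domain.tld,DNS:mailgw2.domain.tld"
  for c in narrow wide; do
    echo "$c certificate carries: $(list_sans "$dir/$c.pem")"
    for h in mail.domain.tld mailgw.domain.tld mailgw2.domain.tld; do
      if cert_covers "$dir/$c.pem" "$h"; then
        echo "  $h: Cert Hostname VERIFIES"
      else
        echo "  $h: Cert Hostname DOES NOT VERIFY"
      fi
    done
  done
  rm -rf "$dir"
}

demo
```

Run it as-is to see the narrow certificate fail for the two mailgw names and the wide one pass for all three; then point cert_covers at the real fullchain.pem for each hostname in the MX records before restarting Postfix, and use live_check against the server afterwards to confirm that the name returned in `subject=` changes with the `-servername` value (or, with a single SAN certificate, that `Verification: OK` appears for every name).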