I was following this seemingly simple solution for using multiple IPs and separate domain names to set up a mail server that was originally just serving one domain. I am using the same certificate and key files I was using for a single domain, and had smtpd_tls_cert_file and smtpd_tls_key_file set correctly in main.cf. It worked perfectly. After updating master.cf following this blog post http://blog.wpkg.org/2013/07/31/postfix-and-multiple-ssl-certificates/comment-page-1/#comment-311726 to add the second domain and IP, I ended up with neither submission service working: "No certificates available, TLS not enabled" on both IP/domain addresses. I am obviously missing something, but I cannot see it, and I really do not fully understand how to navigate Postfix to find the issue. Please advise.
When Google tries to send mail to my mail server I get this in /var/log/maillog:
Code:
$tail -f /var/log/maillog
Feb 14 21:38:47 tyr postfix/smtpd[98753]: warning: No server certs available. TLS won't be enabled
Feb 14 21:38:47 tyr postfix/smtpd[98753]: connect from mail-ig0-f169.google.com[209.85.213.169]
Feb 14 21:38:47 tyr postfix/smtpd[98753]: lost connection after STARTTLS from mail-ig0-f169.google.com[209.85.213.169]
while /usr/local/etc/ssl contains:
Code:
$ ls -al /usr/local/etc/ssl
-rw-r--r-- 1 root wheel 1765 Jan 8 17:52 mail.example1.com.crt
-rw-r--r-- 1 root wheel 3871 Jan 8 17:54 mail.example1.com.pem
-rw-r--r-- 1 root wheel 1679 Feb 12 12:08 wild.exmaple2.key
-rw-r--r-- 1 root wheel 4005 Feb 12 12:05 wild.example2.pem
main.cf
Code:
virtual_mailbox_domains = /usr/local/etc/postfix/vhosts
virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmaps
virtual_minimum_uid = 5002
virtual_uid_maps = static:5002
virtual_gid_maps = static:5003
# SASL
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
# TLS parameters
smtpd_use_tls = yes
#smtp_use_tls = yes
# Allow incoming and outgoing
smtpd_tls_security_level = may
#smtp_tls_security_level = may
# requires senders to use TLS
smtpd_tls_auth_only = yes
# location of TLS certificate and key files
#smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example1.com.pem
#smtpd_tls_key_file = /usr/local/etc/ssl/mail.example1.key
# Increase the logging level incoming outgoing
smtpd_tls_loglevel = 4
smtp_tls_loglevel = 4
# location of the Certificate Authority bundle for incoming and outgoing
#smtpd_tls_CAfile = /usr/local/etc/ssl/cacert.pem
#smtpd_tls_CApath = /usr/local/etc/ssl/
#smtp_tls_CAfile = $smtpd_tls_CAfile
# add TLS information to headers
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
# Amavisd
content_filter = amavisfeed:[127.0.0.1]:10024
master.cf
Code:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
127.0.0.1:smtp inet n - n - - smtpd
192.*.*.*:smtp inet n - n - - smtpd
192.*.*.*:smtp inet n - n - - smtpd
#smtp inet n - n - 1 postscreen
#smtpd pass - - n - - smtpd
#dnsblog unix - - n - 0 dnsblog
#tlsproxy unix - - n - 0 tlsproxy
# ===== Loopback submission =====
127.0.0.1:submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_cert_file=/usr/local/etc/ssl/mail.example1.com.pem
-o smtpd_tls_key_file=/usr/local/etc/ssl/mail.exampl1.key
-o milter_macro_daemon_name=ORIGINATING
# ===== example2.com SSL =====
192.*.*.*:submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_cert_file=/usr/local/etc/ssl/mail.example1.com.pem
-o smtpd_tls_key_file=/usr/local/etc/ssl/mail.example1.key
# -o milter_macro_daemon_name=ORIGINATING
# ===== example2.com SSL =====
192.*.*.*:submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_cert_file=/usr/local/etc/ssl/wild.example2.pem
-o smtpd_tls_key_file=/usr/local/etc/ssl/wild.example2.key
# -o milter_macro_daemon_name=ORIGINATING
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
amavisfeed unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
-o local_header_rewrite_clients=
-o smtpd_milters=
-o local_recipient_maps=
-o relay_recipient_maps=
Postconf output
Code:
$ postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example1.com
myhostname = tyr.example1.com
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
relay_domains = $mydestination, 127.0.0.1
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_loglevel = 4
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 4
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_gid_maps = static:5003
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = /usr/local/etc/postfix/vhosts
virtual_mailbox_maps = hash:/usr/local/etc/postfix/vmaps
virtual_minimum_uid = 5002
virtual_uid_maps = static:5002
postconf -P output
Code:
$ postconf -P
127.0.0.1:submission/inet/milter_macro_daemon_name = ORIGINATING
127.0.0.1:submission/inet/smtpd_recipient_restrictions = permit_sasl_authenticated,reject
127.0.0.1:submission/inet/smtpd_reject_unlisted_recipient = no
127.0.0.1:submission/inet/smtpd_relay_restrictions = permit_sasl_authenticated,reject
127.0.0.1:submission/inet/smtpd_sasl_auth_enable = yes
127.0.0.1:submission/inet/smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example1.com.pem
127.0.0.1:submission/inet/smtpd_tls_key_file = /usr/local/etc/ssl/mail.example1.key
127.0.0.1:submission/inet/smtpd_tls_security_level = encrypt
127.0.0.1:submission/inet/syslog_name = postfix/submission
192.*.*.*:submission/inet/smtpd_recipient_restrictions = permit_sasl_authenticated,reject
192.*.*.*:submission/inet/smtpd_reject_unlisted_recipient = no
192.*.*.*:submission/inet/smtpd_relay_restrictions = permit_sasl_authenticated,reject
192.*.*.*:submission/inet/smtpd_sasl_auth_enable = yes
192.*.*.*:submission/inet/smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example1.com.pem
192.*.*.*:submission/inet/smtpd_tls_key_file = /usr/local/etc/ssl/mail.example1.key
192.*.*.*:submission/inet/smtpd_tls_security_level = encrypt
192.*.*.*:submission/inet/syslog_name = postfix/submission
192.*.*.*:submission/inet/smtpd_recipient_restrictions = permit_sasl_authenticated,reject
192.*.*.*:submission/inet/smtpd_reject_unlisted_recipient = no
192.*.*.*:submission/inet/smtpd_relay_restrictions = permit_sasl_authenticated,reject
192.*.*.*:submission/inet/smtpd_sasl_auth_enable = yes
192.*.*.*:submission/inet/smtpd_tls_cert_file = /usr/local/etc/ssl/wild.example2.pem
192.*.*.*:submission/inet/smtpd_tls_key_file = /usr/local/etc/ssl/wild.example2.key
192.*.*.*:submission/inet/smtpd_tls_security_level = encrypt
192.*.*.*:submission/inet/syslog_name = postfix/submission
amavisfeed/unix/lmtp_data_done_timeout = 1200
amavisfeed/unix/lmtp_send_xforward_command = yes
127.0.0.1:10025/inet/content_filter =
127.0.0.1:10025/inet/local_header_rewrite_clients =
127.0.0.1:10025/inet/local_recipient_maps =
127.0.0.1:10025/inet/mynetworks = 127.0.0.0/8
127.0.0.1:10025/inet/receive_override_options = no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
127.0.0.1:10025/inet/relay_recipient_maps =
127.0.0.1:10025/inet/smtpd_client_connection_count_limit = 0
127.0.0.1:10025/inet/smtpd_client_connection_rate_limit = 0
127.0.0.1:10025/inet/smtpd_client_restrictions = permit_mynetworks,reject
127.0.0.1:10025/inet/smtpd_data_restrictions = reject_unauth_pipelining
127.0.0.1:10025/inet/smtpd_delay_reject = no
127.0.0.1:10025/inet/smtpd_end_of_data_restrictions =
127.0.0.1:10025/inet/smtpd_error_sleep_time = 0
127.0.0.1:10025/inet/smtpd_hard_error_limit = 1000
127.0.0.1:10025/inet/smtpd_helo_restrictions =
127.0.0.1:10025/inet/smtpd_milters =
127.0.0.1:10025/inet/smtpd_recipient_restrictions = permit_mynetworks,reject
127.0.0.1:10025/inet/smtpd_restriction_classes =
127.0.0.1:10025/inet/smtpd_sender_restrictions =
127.0.0.1:10025/inet/smtpd_soft_error_limit = 1001
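The check a practitioner would want to run against a configuration like the one above is "which smtpd services actually end up with a usable certificate and key". Postfix resolves smtpd_tls_cert_file and smtpd_tls_key_file per service: a `-o` override in master.cf wins, otherwise the main.cf value applies, and a commented-out line in main.cf is simply unset. A service with smtpd_tls_security_level other than `none` but no certificate is what produces "No server certs available. TLS won't be enabled", and an override that names a file which does not exist fails the same way. The script below is an added example, not code from the post or from the Postfix project: it parses constructed main.cf and master.cf fragments modelled on the post (placeholder domain names kept, RFC 5737 addresses 192.0.2.x standing in for the masked 192.*.*.* listeners), compares every smtpd's effective cert and key paths against a constructed directory listing copied from the post's `ls` output, and reports what each service will do. The `Finding` type and the function names are this example's own.

```python
import difflib
from typing import Dict, List, NamedTuple, Set

# Constructed sample inputs modelled on the post, not the poster's real files.
MAIN_CF = """\
smtpd_tls_security_level = may
# both commented out in the post, so Postfix treats them as unset:
#smtpd_tls_cert_file = /usr/local/etc/ssl/mail.example1.com.pem
#smtpd_tls_key_file = /usr/local/etc/ssl/mail.example1.key
"""

MASTER_CF = """\
127.0.0.1:smtp        inet n - n - - smtpd
192.0.2.10:smtp       inet n - n - - smtpd
127.0.0.1:submission  inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/usr/local/etc/ssl/mail.example1.com.pem
  -o smtpd_tls_key_file=/usr/local/etc/ssl/mail.example1.key
192.0.2.11:submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/usr/local/etc/ssl/wild.example2.pem
  -o smtpd_tls_key_file=/usr/local/etc/ssl/wild.example2.key
smtp                  unix - - n - - smtp
"""

# The file names exactly as the post's `ls -al /usr/local/etc/ssl` showed them.
SSL_DIR_LISTING = {
    "/usr/local/etc/ssl/mail.example1.com.crt",
    "/usr/local/etc/ssl/mail.example1.com.pem",
    "/usr/local/etc/ssl/wild.exmaple2.key",
    "/usr/local/etc/ssl/wild.example2.pem",
}


class Finding(NamedTuple):
    service: str   # "name/type", the way postconf -P labels a service
    problem: str   # "ok", "no cert configured" or "missing file"
    detail: str


def parse_main_cf(text: str) -> Dict[str, str]:
    """Collect 'name = value' lines; '#' lines are comments and are dropped."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        name, _, value = stripped.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_master_cf(text: str) -> List[dict]:
    """One entry per service line, with its '-o name=value' overrides attached.
    '-o' lines are accepted with or without the leading whitespace master(5)
    requires, because a forum paste usually loses the indentation."""
    services: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-o"):
            if not services:
                raise ValueError("'-o' override before any service line")
            name, _, value = line[2:].strip().partition("=")
            services[-1]["options"][name.strip()] = value.strip()
            continue
        fields = line.split()  # name type private unpriv chroot wakeup maxproc command
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        services.append({"name": f"{fields[0]}/{fields[1]}",
                         "command": fields[7], "options": {}})
    return services


def audit_smtpd_tls(main_cf: str, master_cf: str, existing: Set[str]) -> List[Finding]:
    """Report, per smtpd service, whether TLS can come up with the files named."""
    main = parse_main_cf(main_cf)
    findings: List[Finding] = []
    for svc in parse_master_cf(master_cf):
        if svc["command"] != "smtpd":
            continue
        # per-service override wins, then main.cf, otherwise the parameter is unset
        eff = {p: svc["options"].get(p, main.get(p, "")) for p in
               ("smtpd_tls_security_level", "smtpd_tls_cert_file", "smtpd_tls_key_file")}
        if eff["smtpd_tls_security_level"] in ("", "none"):
            findings.append(Finding(svc["name"], "ok", "TLS disabled for this service"))
            continue
        cert = eff["smtpd_tls_cert_file"]
        if not cert:
            findings.append(Finding(svc["name"], "no cert configured",
                            "smtpd_tls_cert_file is unset; expect 'No server certs available'"))
            continue
        key = eff["smtpd_tls_key_file"] or cert  # key file defaults to the cert file
        missing = [p for p in dict.fromkeys((cert, key)) if p not in existing]
        if not missing:
            findings.append(Finding(svc["name"], "ok", f"cert={cert} key={key}"))
            continue
        hints = []
        for path in missing:  # point at the nearest existing name to catch typos
            near = difflib.get_close_matches(path, sorted(existing), n=1)
            hints.append(f"{path} (nearest existing: {near[0] if near else 'none'})")
        findings.append(Finding(svc["name"], "missing file", "; ".join(hints)))
    return findings


if __name__ == "__main__":
    for f in audit_smtpd_tls(MAIN_CF, MASTER_CF, SSL_DIR_LISTING):
        print(f"{f.service:28} {f.problem:18} {f.detail}")
```

On the constructed input, both `smtp` listeners come out as "no cert configured" (no override, main.cf value commented out), and both `submission` listeners come out as "missing file" because the key paths they name are not in the listing. Once the paths resolve, the remaining offline check is that each key really belongs to its certificate, for example by comparing `openssl x509 -noout -modulus -in cert.pem` with `openssl rsa -noout -modulus -in key.pem`; after `postfix reload`, `openssl s_client -starttls smtp -connect <listener>:587` shows which certificate each listener actually presents.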