Certificat Problems with Postfix SSL Delivery SMTP

2 posts / 0 new
Last post
#1 Mon, 12/16/2019 - 08:54

Certificat Problems with Postfix SSL Delivery SMTP

Good Evening,

i have a problem with my Postfix mail server on the Virtualmin server. I've been trying for a long time to figure out why I can't send via SSL.

Initial situation:

I have several domains. Each domain has its own Lets Encrypt certificate and I also provided this for Postfix and Dovecot. However, Postfix always takes the wrong domain when sending SMTP and complains about it because the certificate would be wrong. (e.g. Did I assign a certificate to domain a.xy, but Microsoft Outlook says that the principal name is wrong because the certificate belongs to domain b.xy).

What could be the reason and what details do you need from me ?


# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

sender_canonical_maps = hash:/etc/postfix/sender_canonical

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = vmd39417.contaboserver.net
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, vmd39417.contaboserver.net, localhost.contaboserver.net, , localhost
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_protocols = all
virtual_alias_maps = hash:/etc/postfix/virtual
sender_bcc_maps = hash:/etc/postfix/bcc
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
home_mailbox = Maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtp_tls_security_level = dane
allow_percent_hack = no
smtpd_tls_CAfile = /etc/postfix/postfix.ca.pem
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
mynetworks_style = subnet
mydomain = contaboserver.net

Thanks a lot :)

Fri, 12/20/2019 - 08:08

G'day, I dont think you should copy the SSL certificate for all Virtual Servers to Postfix unless they have their own IP address.

Postfix can only handle one SSL cert per IP address (as far as I am aware at least). So if you keep copying each Virtual server SSL to Postfix, it uses that one instead of the previous one

The only SSL in Postfix should be your primary system/Webmin one.

There is a whole thread on this forum about this...I will put a link to it tomorrow when I am not on my mobile.

AJECreative is the home of $5 webhosting, $15/month VPS servers (1cpu,1gb RAM, 25GB storage)
Centos7, Debian9, or Ubuntu18LTS
Available Control Panels = Centos-Webpanel, Cyberpanel, or Virtualmin


Topic locked