如何让 Postfix 使用正确的证书监听几个 IP 地址?

如何让 Postfix 使用正确的证书监听几个 IP 地址?

我在设置 postfix 以使用正确的 SSL 证书在端口 25 上监听几个(实际上是 3 个)IP 地址时遇到了问题。

背景:我使用的是 Debian 11,带有 Postfix(来自 repo 的 v 3.5.6)/Dovecot 和 ISPConfig 作为托管面板。我有几个运行良好的 IP 地址,有记录 A 指向 IP 的域名,每个 IP 都有正确的 revDNS。每个域都生成了正确的证书以供使用。防火墙配置正确,几乎所有东西都按我预期的方式运行。

我目前的状态是,Postfix 在所有定义的 IP 地址(包括 127.0.0.1)上的端口 465 和 587 上正确监听 - 并且还在这些端口上使用正确的证书进行响应。但在端口 25 上,它始终使用第一个域的证书 - 即使连接到其他 IP(域名)。Dovecot 也在使用证书(但配置 Dovecot 非常容易,并且它可以像 IMAP 和 POP3 一样工作)。我不知道我在哪里错误地配置了 Postfix。我唯一不想做的事情是 postfix“多个实例” - 因为 ISPConfig 根本不支持它们(它甚至不支持 Dovecot/Postfix 的多个 IP,或任何类型的 SNI)。

我当前的配置如下:main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2



# TLS parameters
# 
# smtpd_tls_cert_file = /etc/postfix/smtpd.cert
# smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may

smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = domain1.com, localhost, localhost.localdomain
relayhost = 
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
# OEYG inet_interfaces = all
inet_interfaces = 127.0.0.1 xx.xx.xx.x1 xx.xx.xx.x2 xx.xx.xx.x3
# ORYG inet_protocols = all
inet_protocols = ipv4
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
smtpd_use_tls = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf,  permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
smtpd_reject_unlisted_sender = no
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_override, permit_dnswl_client swl.spamhaus.org, permit_dnswl_client ip4.white.polspam.pl, permit_dnswl_client ip6.white.polspam.pl, reject_rbl_client spam.spamrats.com, reject_rbl_client b.barracudacentral.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spameatingmonkey.net, reject_rbl_client all.s5h.net, reject_unauth_pipelining, permit
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = lmtp:unix:private/dovecot-lmtp
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
address_verify_negative_refresh_time = 60s
enable_original_recipient = no
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
authorized_flush_users = 
authorized_mailq_users = nagios, icinga
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
address_verify_sender_ttl = 15686s
smtp_dns_support_level = dnssec
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
message_size_limit = 0

我的master.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
# smtp      inet  n       -       y       -       -       smtpd
127.0.0.1:smtp inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/smtp-local
 -o smtp_helo_name=localhost
 -o myhostname=localhost
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x1:smtp inet n       -       y      -       -       smtpd
 -o syslog_name=postfix/smtp-d1
 -o smtp_helo_name=domain1
 -o myhostname=domain1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x2:smtps inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/smtp-d2
 -o smtp_helo_name=domain2
 -o myhostname=domain2
 -o smtpd_tls_cert_file=/etc/domain2.crt
 -o smtpd_tls_key_file=/etc/domain2.key
xx.xx.xx.x3:smtps inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/smtp-d3
 -o smtp_helo_name=domain3
 -o myhostname=domain3
 -o smtpd_tls_cert_file=/etc/domain3.crt
 -o smtpd_tls_key_file=/etc/domain3.key
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#
127.0.0.1:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=localhost
 -o smtp_bind_address=127.0.0.1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
 -o myhostname=localhost
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x1:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=domain1
 -o smtp_bind_address=xx.xx.xx.x1
 -o myhostname=domain1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x2:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=domain2
 -o smtp_bind_address=xx.xx.xx.x2
 -o myhostname=domain2
 -o smtpd_tls_cert_file=/etc/domain2.crt
 -o smtpd_tls_key_file=/etc/domain2.key
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x3:submission inet n       -       y       -       -       smtpd
 -o syslog_name=postfix/submission
 -o smtp_helo_name=domain3
 -o smtp_bind_address=xx.xx.xx.x3
 -o myhostname=domain3
 -o smtpd_tls_cert_file=/etc/domain3.crt
 -o smtpd_tls_key_file=/etc/domain3.key
 -o smtpd_tls_security_level=encrypt
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
## smtps     inet  n       -       y       -       -       smtpd
## -o syslog_name=postfix/smtps
## -o smtpd_tls_wrappermode=yes
## -o smtpd_sasl_auth_enable=yes
## -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
127.0.0.1:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtp_helo_name=localhost
 -o myhostname=localhost
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x1:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix-d1/smtps
 -o smtp_helo_name=domain1
 -o myhostname=domain1
 -o smtpd_tls_cert_file=/etc/domain1.crt
 -o smtpd_tls_key_file=/etc/domain1.key
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x2:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix-d2/smtps
 -o smtp_helo_name=domain2
 -o myhostname=domain2
 -o smtpd_tls_cert_file=/etc/domain2.crt
 -o smtpd_tls_key_file=/etc/domain2.key
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x3:smtps inet n       -       n       -       -       smtpd
 -o syslog_name=postfix-d3/smtps
 -o smtp_helo_name=domain3
 -o myhostname=domain3
 -o smtpd_tls_cert_file=/etc/domain3.crt
 -o smtpd_tls_key_file=/etc/domain3.key
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
domain1-out     unix -       -       n       -       -       smtp
    -o smtp_bind_address=xx.xx.xx.x1
    -o smtp_helo_name=domain1
    -o syslog_name=postfix-domain1
    -o smtpd_tls_cert_file=/etc/domain1.crt
    -o smtpd_tls_key_file=/etc/domain1.key
domain2-out     unix -       -       n       -       -       smtp
    -o smtp_bind_address=xx.xx.xx.x2
    -o smtp_helo_name=domain2
    -o syslog_name=postfix-domain2
    -o smtpd_tls_cert_file=/etc/domain2.crt
    -o smtpd_tls_key_file=/etc/domain2.key
domain3-out     unix -       -       n       -       -       smtp
    -o smtp_bind_address=xx.xx.xx.x3
    -o smtp_helo_name=domain3
    -o syslog_name=postfix-domain3
    -o smtpd_tls_cert_file=/etc/domain3.crt
    -o smtpd_tls_key_file=/etc/domain3.key
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}

启动 postfix 时,在 /var/log/mail.log 中有:

postfix/postfix-script[2714262]: starting the Postfix mail system
postfix/master[2714264]: warning: duplicate master.cf entry for service "xx.xx.xx.x2:smtps" ([xx.xx.xx.x2]:465) -- using the last ent
ry
postfix/master[2714264]: warning: duplicate master.cf entry for service "xx.xx.xx.x3:smtps" ([xx.xx.xx.x3]:465) -- using the last ent
ry
postfix/master[2714264]: daemon started -- version 3.5.6, configuration /etc/postfix

这个日志对我来说很奇怪,因为端口 465 在每个域名上都运行正常。

为了测试,我使用了其他服务器和以下命令:
openssl s_client -starttls smtp -showcerts -connect domainX:25 -servername domainX
openssl s_client -starttls smtp -showcerts -connect domainX:587 -servername domainX
openssl s_client -showcerts -connect domainX:465 -servername domainX

答案1

您的master.cf内容中有错别字。

看起来您想要smtpd在端口提交(587)中设置(服务器)服务,在端口 smtps(465)上设置 smtpd,在端口 smtp(25)上设置 smtpd 和smtp每个域的(客户端)传输。

但是 和 的第一次出现xx.xx.xx.x2:smtpsxx.xx.xx.x3:smtps该方案不匹配。看起来您是想写smtp在那里。每个的第二次出现看起来分别是 的预期出现smtps(如 smtpd_tls_wrappermode 选项所示)。

修复此问题并重新启动 postfix 后,调用ss -tulpn以验证 postfix 实际监听的 IP/端口组合。我希望看到端口 25、端口 587 和端口 465 中的每一个都在四个 IPv4 地址上提供(包括环回)。


顺便说一句,smtpd_*在服务上指定选项smtp是无效的。您的域*-out smtp(客户端!)服务在交付时不会提供证书。

此外,整个努力似乎……徒劳无功。它只有一台服务器,为什么假装是三台?通过在不同的地方接收传入邮件,您只会使诊断变得更加困难。

答案2

使用 ISPConfig..

你可以更轻松地做到这一点......

在网站中创建一个“基本”邮件主机。*(我将这个主机用于那里所有客户的网络邮件。因此我创建了 mail.my-hosting-domain.tld。

添加 letsencrypt 以便获得正确的证书。现在向其中添加一个新的邮件主机名。

letsencrypt 将生成多主机证书。完成。

当然,将所需的 DNS 记录与此匹配。任何客户都可以转到 mail.there-domain.tld,postfix 会显示证书中所有正确的主机名。

相关内容