Mailcow-dockerized: Postfix / Thunderbird SNI SSL domain ?

Created on 3 Aug 2020 · 8 comments · Source: mailcow/mailcow-dockerized

Prior to placing the issue, please check the following: (fill out each checkbox with an X once done)

  • [x] I understand that not following or deleting the below instructions will result in immediate closing and deletion of my issue.
  • [x] I have understood that answers are voluntary and community-driven, and not commercial support.
  • [x] I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description of the bug:
After changing the configuration to SNI, following issue #3689, we have an error with the SMTP certificate. It seems that Postfix does not have a SAN certificate as specified in the documentation. The Postfix certificate contains only one domain, the one referenced in MAILCOW_HOSTNAME.

ADDITIONAL_SAN=imap.*,smtp.*,webmail.*,mail.*

MAILCOW_HOSTNAME=mx1.domaine.com

But if I configure my Thunderbird with smtp.domaine.com I get a certificate alert saying the certificate name does not correspond!

System information:

| Question | Answer |
| --- | --- |
| My operating system | Debian 10 |
| Is Apparmor, SELinux or similar active? | No |
| Virtualization technology (KVM, VMware, Xen, etc - LXC and OpenVZ are not supported) | KVM |
| Server/VM specifications (Memory, CPU Cores) | 4 |
| Docker Version (docker version) | 19.03.12 |
| Docker-Compose Version (docker-compose version) | 1.26.2 |
| Reverse proxy (custom solution) | None |

Regards

dunno

All 8 comments

Postfix does have SNI support:
https://github.com/mailcow/mailcow-dockerized/blob/2077eb139edd2497885b52bac40b53d46ac8d1ab/data/Dockerfiles/postfix/postfix.sh#L27-L39

You need to use:

ADDITIONAL_SAN=imap.*,smtp.*,webmail.*,mail.*

As shown in the mailcow.conf:
https://github.com/mailcow/mailcow-dockerized/blob/2077eb139edd2497885b52bac40b53d46ac8d1ab/generate_config.sh#L186-L188

Then restarting the whole stack should do the job.

Also please notice that the GitHub issues are not for support-purposes, because that's what the mailcow community forum is for instead.

Note to myself: Not hitting SHIFT-CTRL-ENTER as this also closes the GitHub issue. Didn't mean to close it yet.

I was going to say that this issue is a duplicate of #528 and that we don't support using different hostnames for SMTP and IMAP, but apparently we do since #2509. @guidtz has the configuration @patschi suggested, so this does look like a bug. Could you please check the contents of mailcow-dockerized/data/conf/postfix/sni.map and mailcow-dockerized/data/conf/dovecot/sni.conf ?

> @guidtz has the configuration

Just to be clear and sort out any confusion: At the time I replied @guidtz stated having ADDITIONAL_SAN=imap.,smtp.,webmail.,mail. (without the asterisk), which is wrong actually and requires one. So did you check the exact value he has configured?

> without the asterisk

Actually, that was Markdown's fault. The asterisks were not displayed, but the words between pairs of asterisks were italic, so it was obvious that @guidtz did post the asterisks. I edited @guidtz's post to make that clear to everyone.

Hello.
So I have in mailcow.conf

# Additional SAN for the certificate
ADDITIONAL_SAN=imap.*,smtp.*,webmail.*,mail.*

In data/conf/postfix/sni.map for domain toto.fr

$ cat data/conf/postfix/sni.map |grep mydomain1.com
imap.mydomain1.com /etc/ssl/mail/imap.mydomain1.com/key.pem /etc/ssl/mail/imap.mydomain1.com/cert.pem
autoconfig.mydomain1.com /etc/ssl/mail/imap.mydomain1.com/key.pem /etc/ssl/mail/imap.mydomain1.com/cert.pem
autodiscover.mydomain1.com /etc/ssl/mail/imap.mydomain1.com/key.pem /etc/ssl/mail/imap.mydomain1.com/cert.pem
mail.mydomain1.com /etc/ssl/mail/imap.mydomain1.com/key.pem /etc/ssl/mail/imap.mydomain1.com/cert.pem
smtp.mydomain1.com /etc/ssl/mail/imap.mydomain1.com/key.pem /etc/ssl/mail/imap.mydomain1.com/cert.pem
webmail.mydomain1.com /etc/ssl/mail/imap.mydomain1.com/key.pem /etc/ssl/mail/imap.mydomain1.com/cert.pem

In data/conf/dovecot/sni.conf

$ cat data/conf/dovecot/sni.conf |grep mydomain1.com
local_name imap.mydomain1.com {
  ssl_cert = </etc/ssl/mail/imap.mydomain1.com/cert.pem
  ssl_key = </etc/ssl/mail/imap.mydomain1.com/key.pem
local_name autoconfig.mydomain1.com {
  ssl_cert = </etc/ssl/mail/imap.mydomain1.com/cert.pem
  ssl_key = </etc/ssl/mail/imap.mydomain1.com/key.pem
local_name autodiscover.mydomain1.com {
  ssl_cert = </etc/ssl/mail/imap.mydomain1.com/cert.pem
  ssl_key = </etc/ssl/mail/imap.mydomain1.com/key.pem
local_name mail.mydomain1.com {
  ssl_cert = </etc/ssl/mail/imap.mydomain1.com/cert.pem
  ssl_key = </etc/ssl/mail/imap.mydomain1.com/key.pem
local_name smtp.mydomain1.com {
  ssl_cert = </etc/ssl/mail/imap.mydomain1.com/cert.pem
  ssl_key = </etc/ssl/mail/imap.mydomain1.com/key.pem
local_name webmail.mydomain1.com {
  ssl_cert = </etc/ssl/mail/imap.mydomain1.com/cert.pem
  ssl_key = </etc/ssl/mail/imap.mydomain1.com/key.pem

So for IMAP and web (webmail) I don't have problems, the certificates are OK. But not for Postfix: it doesn't take the certificate for smtp.mydomain1.com but keeps the certificate for MAILCOW_HOSTNAME.

I think everything is configured correctly but something isn't working.

Regards

So I think I found the solution. What did I do?

First I removed sni.map.db so I could try to recreate it:

# postmap -F hash:/opt/postfix/conf/sni.map 
postmap: warning: /opt/postfix/conf/sni.map, line 1: open /etc/ssl/mail/imap.domain1.com/key.pem: Permission denied: skipping this entry
postmap: warning: /opt/postfix/conf/sni.map, line 2: open /etc/ssl/mail/imap.domain2.com/key.pem: Permission denied: skipping this entry
....

And a lot of lines like this for all the domains in the map.

After that I looked at the Linux permissions

drwxr-xr-x  2 root root 4096 Aug  3 09:27 imap.domain1.com
drwxr-xr-x  2 root root 4096 Aug  3 09:27 imap.domain2.com
....

And I changed them

drwxr-xr-x  2 1000 1000 4096 Aug  3 09:24 imap.domain1.com
drwxr-xr-x  2 1000 1000 4096 Aug  3 09:25 imap.domain2.com

And after:

postmap -F hash:/opt/postfix/conf/sni.map

No errors; after that, a reboot of the container and ........ no more errors in Thunderbird!

Victory!!!!!
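The failure mode in this thread is easy to miss: `postmap -F` only warns on a key it cannot open, and the resulting SNI table simply lacks that name, so Postfix falls back to the MAILCOW_HOSTNAME certificate. The following is an added example (not mailcow code and not from anyone in this thread) that pre-checks a sni.map in the "hostname keyfile certfile" format shown above: it opens each referenced key and cert the way postmap does and flags hostnames that no ADDITIONAL_SAN pattern covers. Paths, hostnames and the fixture in `demo()` are constructed for illustration.

```python
"""Pre-flight checks for a Postfix sni.map before `postmap -F` (added example,
not mailcow code). Assumes the "<hostname> <keyfile> <certfile>" line format
and a mailcow-style ADDITIONAL_SAN list. A key/cert postmap cannot open makes
it skip that entry, so Postfix then serves the MAILCOW_HOSTNAME cert instead."""
import fnmatch
import os
import tempfile

def parse_sni_map(text):
    """Return [(hostname, key_path, cert_path)] for each non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        entries.append(tuple(fields))
    return entries

def check_entry(entry, san_patterns):
    """Return problem strings for one entry (empty list when it is fine)."""
    hostname, key_path, cert_path = entry
    problems = []
    for label, path in (("key", key_path), ("cert", cert_path)):
        try:
            with open(path, "rb"):  # the same open() postmap performs
                pass
        except OSError as exc:
            problems.append(f"{hostname}: cannot open {label} {path}: {exc.strerror}")
    if not any(fnmatch.fnmatchcase(hostname, p) for p in san_patterns):
        problems.append(f"{hostname}: not covered by ADDITIONAL_SAN {san_patterns}")
    return problems

def check_sni_map(text, additional_san):
    """Check every entry of a sni.map; returns all problems found."""
    patterns = [p.strip() for p in additional_san.split(",") if p.strip()]
    return [p for e in parse_sni_map(text) for p in check_entry(e, patterns)]

def demo():
    """Constructed fixture: a readable cert pair plus one entry with a missing key."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "imap.example.test")
        os.mkdir(good)
        for name in ("key.pem", "cert.pem"):
            with open(os.path.join(good, name), "w") as fh:
                fh.write("placeholder, not a real PEM\n")
        sni_map = (f"imap.example.test {good}/key.pem {good}/cert.pem\n"
                   f"mail.example.test {tmp}/missing/key.pem {good}/cert.pem\n"
                   f"pop3.example.test {good}/key.pem {good}/cert.pem\n")
        return check_sni_map(sni_map, "imap.*,smtp.*,webmail.*,mail.*")
```

Run it inside the Postfix container as the same user that runs postmap, since the fix in this thread was an ownership change and a root shell on the host would not reproduce the "Permission denied" result.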

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
