What if you have Multiple (virtual) Domains, and you want each one to use SSL Certificates in Plesk and Postfix so that email clients don't have SSL issues?
If you want each domain to use a valid SSL certificate, you have 2 solutions: use a multi-domain certificate, or set up each domain on a unique IP, and use normal domain-specific certificates. The first solution is terrible: those certificates are usually quite expensive (though you can find inexpensive ones), they will list all of the domains you wish to certify on the same cert, and, most importantly, they are only issued once, so adding just one new domain means getting an entirely new cert.
The better solution is to place each domain on its own IP, and then to match each certificate to its respective IP.
Here's how you do it in postfix.
You will first place your certificates for each domain in the /etc/postfix/ directory (you can also create a /etc/postfix/ssl/ directory) Note: i use Plesk, which uses .pem certificate files, but you can also use .key and .cer files — .pem files are just a concat of .key and .cer file, in that order, meaning that it includes the private key, the domain certificate and the CA and root certificates, in that order
then, you need to modify the end of the master.cf file in /etc/postfix/
originally, the last lines of mine looked like this (probably because i added the last 3 IPs after i set up the server:
1.1.1.1- unix – n n – – smtp -o smtp_bind_address=1.1.1.1 -o smtp_bind_address6= -o smtp_address_preference=ipv4
2.2.2.2- unix – n n – – smtp -o smtp_bind_address=2.2.2.2 -o smtp_bind_address6= -o smtp_address_preference=ipv4
smtp inet n – n – – smtpd
smtps inet n – n – – smtpd -o smtpd_tls_wrappermode=yes
submission inet n – n – – smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticate d,reject -o smtpd_sender_restrictions=3.3.3.3- unix – n n – – smtp -o smtp_bind_address=3.3.3.3 -o smtp_bind_address6= -o smtp_address_preference=ipv4
4.4.4.4- unix – n n – – smtp -o smtp_bind_address=4.4.4.4 -o smtp_bind_address6= -o smtp_address_preference=ipv4
5.5.5.5- unix – n n – – smtp -o smtp_bind_address=5.5.5.5 -o smtp_bind_address6= -o smtp_address_preference=ipv4
Now, to bind each certificate to its corresponding IP, you do as follows:
1.1.1.1- unix – n n – – smtp -o smtp_bind_address=1.1.1.1 -o smtp_bind_address6= -o smtp_address_preference=ipv4
2.2.2.2- unix – n n – – smtp -o smtp_bind_address=2.2.2.2 -o smtp_bind_address6= -o smtp_address_preference=ipv4
3.3.3.3- unix – n n – – smtp -o smtp_bind_address=3.3.3.3 -o smtp_bind_address6= -o smtp_address_preference=ipv4
4.4.4.4- unix – n n – – smtp -o smtp_bind_address=4.4.4.4 -o smtp_bind_address6= -o smtp_address_preference=ipv4
5.5.5.5- unix – n n – – smtp -o smtp_bind_address=5.5.5.5 -o smtp_bind_address6= -o smtp_address_preference=ipv4
#smtp inet n – n – – smtpd
#smtps inet n – n – – smtpd -o smtpd_tls_wrappermode=yes
#submission inet n – n – – smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions=1.1.1.1:smtp inet n – n – – smtpd -o smtpd_tls_cert_file=/etc/postfix/cert1.pem -o smtpd_tls_key_file=/etc/postfix/cert1.pem
1.1.1.1:smtps inet n – n – – smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_cert_file=/etc/postfix/cert1.pem -o smtpd_tls_key_file=/etc/postfix/cert1.pem
1.1.1.1:submission inet n – n – – smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_tls_cert_file=/etc/postfix/cert1.pem -o smtpd_tls_key_file=/etc/postfix/cert1.pem2.2.2.2:smtp inet n – n – – smtpd -o smtpd_tls_cert_file=/etc/postfix/cert2.pem -o smtpd_tls_key_file=/etc/postfix/cert2.pem
2.2.2.2:smtps inet n – n – – smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_cert_file=/etc/postfix/cert2.pem -o smtpd_tls_key_file=/etc/postfix/cert2.pem
2.2.2.2:submission inet n – n – – smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_tls_cert_file=/etc/postfix/cert2.pem -o smtpd_tls_key_file=/etc/postfix/cert2.pem3.3.3.3:smtp inet n – n – – smtpd -o smtpd_tls_cert_file=/etc/postfix/cert3.pem -o smtpd_tls_key_file=/etc/postfix/cert3.pem
3.3.3.3:smtps inet n – n – – smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_cert_file=/etc/postfix/cert3.pem -o smtpd_tls_key_file=/etc/postfix/cert3.pem
3.3.3.3:submission inet n – n – – smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_tls_cert_file=/etc/postfix/cert3.pem -o smtpd_tls_key_file=/etc/postfix/cert3.pem4.4.4.4:smtp inet n – n – – smtpd -o smtpd_tls_cert_file=/etc/postfix/cert4.pem -o smtpd_tls_key_file=/etc/postfix/cert4.pem
4.4.4.4:smtps inet n – n – – smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_cert_file=/etc/postfix/cert4.pem -o smtpd_tls_key_file=/etc/postfix/cert4.pem
4.4.4.4:submission inet n – n – – smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_tls_cert_file=/etc/postfix/cert4.pem -o smtpd_tls_key_file=/etc/postfix/cert4.pem5.5.5.5:smtp inet n – n – – smtpd -o smtpd_tls_cert_file=/etc/postfix/cert5.pem -o smtpd_tls_key_file=/etc/postfix/cert5.pem
5.5.5.5:smtps inet n – n – – smtpd -o smtpd_tls_wrappermode=yes -o smtpd_tls_cert_file=/etc/postfix/cert5.pem -o smtpd_tls_key_file=/etc/postfix/cert5.pem
5.5.5.5:submission inet n – n – – smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_tls_cert_file=/etc/postfix/cert5.pem -o smtpd_tls_key_file=/etc/postfix/cert5.pem
That's it!! (don't forget to comment out the original lines as seen above)
Note: to do the same for POP/IMAP if you use courier-imap, you simply place copies of those .pem files in /usr/share/courier-imap/ (or in the case of Plesk, you place them in /usr/share/ ) and you name them as follows: imapd.pem.xx.xx.xx.xx pop3d.pem.xx.xx.xx.xx — where xx.xx.xx.xx is the respective IP address (the 2 certificates are copies of the same file)
Also: the free startssl certificates work just fine for these purposes.
Hope this helps!