[BlueOnyx:25010] Re: TLS
Michael Stauber
mstauber at blueonyx.it
Tue Jul 20 14:45:17 -05 2021
Hi Colin,
> Presumably if a vsite has aliases these will also be
> included in the SSL cert, so if the vsite was
> mail.mydomain.com with an alias of smtp.mydomain.com
> they could use either mail or smtp in their settings?
Correct.
The directory /etc/dovecot/conf.sni.d/ has individual config files for
each Vsite with SSL and if an SSL cert has multiple DNS entries it's
valid for, then all will be listed:
[root@5210r ~]# cat /etc/dovecot/conf.sni.d/site1.conf
# SNI config file for 5210r1.smd.net
local_name 5210r1.smd.net {
ssl_cert = </home/.sites/site1/wwwroot/certs/nginx_cert_ca_combined
ssl_key = </home/.sites/site1/wwwroot/certs/key
}
local_name sub1.5210r1.smd.net {
ssl_cert = </home/.sites/site1/wwwroot/certs/nginx_cert_ca_combined
ssl_key = </home/.sites/site1/wwwroot/certs/key
}
local_name sub2.5210r1.smd.net {
ssl_cert = </home/.sites/site1/wwwroot/certs/nginx_cert_ca_combined
ssl_key = </home/.sites/site1/wwwroot/certs/key
}
local_name sub3.5210r1.smd.net {
ssl_cert = </home/.sites/site1/wwwroot/certs/nginx_cert_ca_combined
ssl_key = </home/.sites/site1/wwwroot/certs/key
}
Same for Postfix, where /etc/postfix/vsite_ssl.map lists every single
domain name that all the individual certs are valid for and associates
those names with the correct certificate files:
[root@5210r ~]# cat /etc/postfix/vsite_ssl.map|grep 5210r1
5210r1.smd.net /home/.sites/site1/wwwroot/certs/key /home/.sites/site1/wwwroot/certs/nginx_cert_ca_combined
sub1.5210r1.smd.net /home/.sites/site1/wwwroot/certs/key /home/.sites/site1/wwwroot/certs/nginx_cert_ca_combined
sub2.5210r1.smd.net /home/.sites/site1/wwwroot/certs/key /home/.sites/site1/wwwroot/certs/nginx_cert_ca_combined
sub3.5210r1.smd.net /home/.sites/site1/wwwroot/certs/key /home/.sites/site1/wwwroot/certs/nginx_cert_ca_combined
So this is all covered.
--
With best regards
Michael Stauber
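
A consistency check for the two files described in this message, as an added example that is not part of the original post or of BlueOnyx: it parses a Dovecot conf.sni.d file and a Postfix vsite_ssl.map and reports names or key/cert paths that differ between them. The hostnames and sample contents are constructed, and the map layout (name, key, cert) is assumed from the listing above.

```python
import re

# Constructed sample data modelled on the listings in the post (placeholder hostnames).
# sub2 is absent from the Postfix map and sub3 names a different file: deliberate drift.
CERTS = "/home/.sites/site1/wwwroot/certs"
DOVECOT_SNI = "".join(
    f"local_name {h}.example.test {{\n  ssl_cert = <{CERTS}/nginx_cert_ca_combined\n"
    f"  ssl_key = <{CERTS}/key\n}}\n"
    for h in ("mail", "sub1", "sub2", "sub3"))
POSTFIX_MAP = (
    f"mail.example.test {CERTS}/key {CERTS}/nginx_cert_ca_combined\n"
    f"sub1.example.test {CERTS}/key\n    {CERTS}/nginx_cert_ca_combined\n"
    f"sub3.example.test {CERTS}/key {CERTS}/old_cert\n")

BLOCK_RE = re.compile(r"local_name\s+(\S+)\s*\{(.*?)\}", re.S)
SETTING_RE = re.compile(r"^\s*(ssl_cert|ssl_key)\s*=\s*<(\S+)\s*$", re.M)

def parse_dovecot_sni(text):
    """Map each local_name (one name per block, as in the post) to (key, cert)."""
    result = {}
    for name, body in BLOCK_RE.findall(text):
        settings = dict(SETTING_RE.findall(body))
        result[name.lower()] = (settings.get("ssl_key"), settings.get("ssl_cert"))
    return result

def parse_postfix_map(text):
    """Map each name to (key, cert); indented lines continue the previous entry."""
    result = {}
    for line in re.sub(r"\n[ \t]+", " ", text).splitlines():
        if line.strip() and not line.startswith("#"):
            name, *files = line.split()
            result[name.lower()] = tuple((files + [None, None])[:2])
    return result

def find_drift(dovecot, postfix):
    """List (hostname, problem) pairs where the two services disagree."""
    drift = []
    for name in sorted(set(dovecot) | set(postfix)):
        if name not in postfix:
            drift.append((name, "not in Postfix map"))
        elif name not in dovecot:
            drift.append((name, "not in Dovecot SNI config"))
        elif dovecot[name] != postfix[name]:
            drift.append((name, "key/cert paths differ"))
    return drift

if __name__ == "__main__":
    for finding in find_drift(parse_dovecot_sni(DOVECOT_SNI), parse_postfix_map(POSTFIX_MAP)):
        print(*finding, sep=": ")
```

An empty result means every name is served with the same key and certificate files by both daemons; it does not check that the certificate itself lists those names.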