RaspberryPi4B+docker-compose+dovecot+postfix+letsencrypt SNI support

When several domains are served from a single host, handling the Let's Encrypt SSL certificates becomes an issue. The web is full of claims that "dovecot can handle multiple certificates, but postfix is hard...", yet it turned out to be easy.

https://tech-memo.net/?p=704

For dovecot it is enough to set up /etc/dovecot/conf.d/10-ssl.conf as follows. The top-level ssl_cert/ssl_key pair is the default certificate, used when the client sends no SNI name or one that matches no block; each local_name block is selected by the SNI name the client sends, so the names given there must be the hostnames that clients actually connect to.

# default certificate (used when the client sends no SNI name, or one that matches no local_name block)
ssl_cert = </etc/letsencrypt/live/domain1.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/domain1.com/privkey.pem

# per-SNI-name certificates; each block uses its own key/chain pair
local_name domain1.com {
  ssl_cert = </etc/letsencrypt/live/domain1.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/domain1.com/privkey.pem
}
local_name domain2.com {
  ssl_cert = </etc/letsencrypt/live/domain2.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/domain2.com/privkey.pem
}

For postfix, on which information is scarce, the upstream documentation for tls_server_sni_maps says the following.

The syntax of the lookup value is the same as with the smtp_tls_chain_files parameter (see there for additional details), but here scoped to just TLS connections in which the client sends a matching SNI domain name.

/etc/postfix/main.cf:
#
# The indexed SNI table must be created with “postmap -F”
#
indexed = ${default_database_type}:${config_directory}/
tls_server_sni_maps = ${indexed}sni

/etc/postfix/sni:
#
# The example.com domain has both an RSA and ECDSA certificate
# chain. The chain files MUST start with the private key,
# with the certificate chain next, starting with the leaf
# (server) certificate, and then the issuer certificates.
#
example.com /etc/postfix/sni-chains/rsa2048.example.com.pem,
    /etc/postfix/sni-chains/ecdsa-p256.example.com.pem
#
# The example.net domain has a wildcard certificate, and two
# additional DNS names. So its certificate chain is also used
# with any subdomain, plus the additional names.
#
example.net /etc/postfix/sni-chains/example.net.pem
.example.net /etc/postfix/sni-chains/example.net.pem
example.info /etc/postfix/sni-chains/example.net.pem
example.org /etc/postfix/sni-chains/example.net.pem

Source: Postfix Configuration Parameters (postconf(5), tls_server_sni_maps)

Based on the above, the following configuration worked (tls_server_sni_maps exists from Postfix 3.4 onwards). A few points to keep in mind: the SNI map only takes effect for clients that send a matching SNI name, so a default certificate (smtpd_tls_chain_files, or smtpd_tls_cert_file/smtpd_tls_key_file) is still required; the lookup keys must be the names clients connect to (typically the mail.<domain> hostnames from the MX records), and those names must also appear in the corresponding certificate's SAN list; each entry must pair a domain's own private key with its own chain, since a mismatched key/certificate pair cannot serve TLS for that name; and with a texthash table Postfix reads the key and chain files named on the right-hand side itself when the SNI lookup happens, so they must be readable from inside the smtpd process (mind chroot and ownership: Let's Encrypt keeps privkey.pem root-only), which is what the documentation's indexed table built with "postmap -F" avoids by copying the file contents into the table.

/etc/postfix/main.cf
  # texthash reads the plain text file below directly; postmap is not needed for it
  # (running postmap would only build an unused .db file)
  tls_server_sni_maps = texthash:/etc/postfix/server_ssl
/etc/postfix/server_ssl (one domain per line: SNI name, then the private key file followed by the fullchain file, comma-separated)
  # the private key must come first, then the chain; each name uses its own key
  domain1.com /etc/letsencrypt/live/domain1.com/privkey.pem,/etc/letsencrypt/live/domain1.com/fullchain.pem
  domain2.com /etc/letsencrypt/live/domain2.com/privkey.pem,/etc/letsencrypt/live/domain2.com/fullchain.pem
# postfix stop && postfix start   (postfix reload also suffices: the table is read when new smtpd processes start)
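The rule quoted from the documentation (private key first, then the leaf certificate, then the issuers) and the server_ssl file above can be checked before Postfix ever loads them. The following script is an added example, not code from the original post or from the Postfix or Dovecot projects: it builds a throwaway Let's Encrypt-style live/<domain>/ layout for the hypothetical domain1.com and domain2.com, writes a texthash-format SNI map, and verifies every entry by comparing the public key derived from the private key with the public key in the leaf certificate, which is exactly the check that catches a line whose key path belongs to another domain. The paths, domain names and the self-signed certificates are constructed for the example; it only needs the openssl command line tool (1.1.1 or later for -addext). Because Dovecot's local_name blocks point at the same privkey.pem/fullchain.pem pairs, a map that passes here also confirms the Dovecot pairs.

```shell
#!/bin/sh
# Added example (not code from the original post or from Postfix/Dovecot):
# build a throwaway Let's Encrypt-style layout for two hypothetical domains,
# write a tls_server_sni_maps source file in texthash format, and check each
# entry the way Postfix requires it: first file = private key, then the chain,
# and the key must match the leaf certificate. Needs the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LIVE="$WORK/letsencrypt/live"       # stands in for /etc/letsencrypt/live

# make_site DOMAIN: self-signed ECDSA key and certificate in the
# live/<domain>/{privkey,fullchain}.pem layout that certbot produces.
make_site() {
    d="$LIVE/$1"
    mkdir -p "$d"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$d/privkey.pem" -out "$d/fullchain.pem" -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1,DNS:mail.$1" \
        >/dev/null 2>&1
    chmod 600 "$d/privkey.pem"
}

# Public key (SPKI PEM) from a private key, and from the FIRST certificate in a
# file: openssl x509 reads only the first PEM block, i.e. the leaf of a fullchain.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# check_sni_map FILE: validate a texthash SNI map, one "name key,chain[,chain]"
# per line, '#' comments allowed. Returns 0 if every entry is usable, 1 otherwise.
check_sni_map() {
    status=0
    while read -r name files; do
        case "$name" in ''|'#'*) continue ;; esac
        key=${files%%,*}                 # Postfix: the private key must come first
        rest=${files#*,}
        if [ "$rest" = "$files" ]; then
            echo "$name: no certificate file after the key"; status=1; continue
        fi
        leaf=${rest%%,*}                 # leaf (server) certificate follows the key
        for f in "$key" "$leaf"; do
            if [ ! -r "$f" ]; then
                echo "$name: cannot read $f"; status=1; continue 2
            fi
        done
        if ! grep -q 'PRIVATE KEY-----' "$key"; then
            echo "$name: $key is not a PEM private key"; status=1; continue
        fi
        if [ "$(pubkey_of_key "$key")" != "$(pubkey_of_cert "$leaf")" ]; then
            echo "$name: $key does not match $leaf"; status=1; continue
        fi
        echo "$name: ok"
    done < "$1"
    return "$status"
}

make_site domain1.com
make_site domain2.com

# Correct map: each name paired with its own key and chain.
GOOD_MAP="$WORK/server_ssl"
cat > "$GOOD_MAP" <<EOF
# SNI name   private key first, then the certificate chain
domain1.com $LIVE/domain1.com/privkey.pem,$LIVE/domain1.com/fullchain.pem
domain2.com $LIVE/domain2.com/privkey.pem,$LIVE/domain2.com/fullchain.pem
EOF

# Broken map: domain2.com's line carries domain1.com's key path (a copy/paste slip).
BAD_MAP="$WORK/server_ssl.bad"
cat > "$BAD_MAP" <<EOF
domain1.com $LIVE/domain1.com/privkey.pem,$LIVE/domain1.com/fullchain.pem
domain2.com $LIVE/domain1.com/privkey.pem,$LIVE/domain2.com/fullchain.pem
EOF

check_sni_map "$GOOD_MAP"
if check_sni_map "$BAD_MAP"; then
    echo "unexpected: key/certificate mismatch was not detected"; exit 1
fi
```

Once the real files are in place, the same comparison can be made against the running services: openssl s_client -connect host:993 -servername domain2.com (Dovecot) and openssl s_client -starttls smtp -connect host:25 -servername domain2.com (Postfix) should each present domain2.com's certificate, while omitting -servername should return the default one.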
