How to setup several TLS certificates on a PMG relay for different domains?

Ivan L.

New Member
Jun 29, 2023
5
1
1
I have PMG running for relaying messages for 2 mail domains both ways: for instance, domain1.com and domain2.com. All things work like a charm except SMTPS.
I added TLS certificate for domain1.com and now I can use STARTTLS for messages coming into domain1.com, that's great - but if I try to send a message to the user@domain2.com, session drops just after
STARTTLS
MAIL FROM:

It seems to be normal behaviour if I follow the logic: 'we have TLS cert for domain1.com -> server recognizes that I'm trying to send a message for the domain2.com -> Drop'. Please correct me if I'm wrong here. Another problem is that there is only 1 public interface and that's not possible to make a difference between domain1.com and domain2.com...

I'm working on a solution for this issue and there are 2 possible ways (at least):
- add another public interface into PMG and bound domain1.com and domain2.com to dedicated interfaces each
- install another PMG and move domain2.com there

First way seems to be easier as it doesn't require additional resources to be involved - but what to do with second certificate? I didn't try to add another interface but suppose I still be in trouble with TLS certs as PMG allows to add only 1 pmg-tls.pem.
Second one seems like solution but I'm not happy with additional resources and additional maintenance tasks for it. It's easier to manage 1 appliance of course.

Thanks for your replies and opinions!
 
I added TLS certificate for domain1.com and now I can use STARTTLS for messages coming into domain1.com, that's great - but if I try to send a message to the user@domain2.com, session drops just after
STARTTLS
MAIL FROM:
* How exactly did you test this?
* What's in the PMG journal when you run your tests?

It seems to be normal behaviour if I follow the logic: 'we have TLS cert for domain1.com -> server recognizes that I'm trying to send a message for the domain2.com -> Drop'. Please correct me if I'm wrong here. Another problem is that there is only 1 public interface and that's not possible to make a difference between domain1.com and domain2.com...
In my experience SMTP does not require (and cannot require) that the certificate of the MX matches the recipient domain in any way
(there are single SMTP servers handling mails for many domains - and they have only one hostname and one certificate)
 
Hi Stoiko, thanks for your reply

1. Actually I did 'telnet server 25' and issued several SMTP commands. My friend pointed me that my conclusion wasn't 100% correct as STARTTLS means invitation to establish secured connection but not such connection itself. I agree with him, this conclusion is wrong.
2. I was supposing the same way of how it works with HTTPS, for instance: if you try to open TLS-secured connection with wrong domain name or IP instead of DNS (and without this IP mentioned in the SAN) - you'll get an error. Now I see that I'm wrong here as well, SMTP traffic flows fine for domain2 with the cert of domain1.
I think this thread will be closed as wrong. Thanks for your help.
 
Actually I did 'telnet server 25'
telnet opens an plain text connection - and once you issued STARTTLS postfix will start speaking TLS with you (which you cannot do (sensibly) via telnet...)

just try sending yourself a testmail from another mailserver

Anyways - glad it seem to have resolved.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!