How to setup several TLS certificates on a PMG relay for different domains?

Ivan L.
Jun 29, 2023
I have PMG running for relaying messages for 2 mail domains both ways: for instance, domain1.com and domain2.com. All things work like a charm except SMTPS.
I added a TLS certificate for domain1.com and now I can use STARTTLS for messages coming into domain1.com, that's great - but if I try to send a message to user@domain2.com, the session drops just after
STARTTLS
MAIL FROM:

It seems to be normal behaviour if I follow the logic: 'we have a TLS cert for domain1.com -> server recognizes that I'm trying to send a message for domain2.com -> Drop'. Please correct me if I'm wrong here. Another problem is that there is only 1 public interface, so it's not possible to distinguish between domain1.com and domain2.com...

I'm working on a solution for this issue and there are 2 possible ways (at least):
- add another public interface to PMG and bind domain1.com and domain2.com to a dedicated interface each
- install another PMG and move domain2.com there

The first way seems easier as it doesn't require additional resources - but what to do with the second certificate? I didn't try to add another interface but suppose I'd still be in trouble with TLS certs, as PMG allows adding only 1 pmg-tls.pem.
The second one seems like a solution, but I'm not happy with the additional resources and additional maintenance tasks for it. It's easier to manage 1 appliance, of course.

Thanks for your replies and opinions!
 
I added a TLS certificate for domain1.com and now I can use STARTTLS for messages coming into domain1.com, that's great - but if I try to send a message to user@domain2.com, the session drops just after
STARTTLS
MAIL FROM:
* How exactly did you test this?
* What's in the PMG journal when you run your tests?

It seems to be normal behaviour if I follow the logic: 'we have a TLS cert for domain1.com -> server recognizes that I'm trying to send a message for domain2.com -> Drop'. Please correct me if I'm wrong here. Another problem is that there is only 1 public interface, so it's not possible to distinguish between domain1.com and domain2.com...
In my experience SMTP does not require (and cannot require) that the certificate of the MX matches the recipient domain in any way
(there are single SMTP servers handling mail for many domains - and they have only one hostname and one certificate)
 
Hi Stoiko, thanks for your reply

1. Actually I did 'telnet server 25' and issued several SMTP commands. My friend pointed out to me that my conclusion wasn't 100% correct, as STARTTLS is an invitation to establish a secured connection, not such a connection itself. I agree with him, this conclusion is wrong.
2. I was assuming it works the same way as HTTPS, for instance: if you try to open a TLS-secured connection with the wrong domain name, or with an IP instead of the DNS name (and without this IP mentioned in the SAN), you'll get an error. Now I see that I'm wrong here as well, SMTP traffic flows fine for domain2 with the cert of domain1.
I think this thread will be closed as wrong. Thanks for your help.
 
Actually I did 'telnet server 25'
telnet opens a plain text connection - and once you issue STARTTLS postfix will start speaking TLS with you (which you cannot do (sensibly) via telnet...)

just try sending yourself a test mail from another mailserver

Anyways - glad it seems to have been resolved.
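Stoiko's point, that a sending server checks the certificate against the MX hostname it connects to and not against the recipient's domain, as an added example that is not from the thread or from Proxmox. probe_starttls() performs the STARTTLS upgrade that telnet cannot, and the matching helpers run against a constructed certificate for a hypothetical mx.domain1.com that is the MX for both domains.

```python
import smtplib
import ssl


def probe_starttls(host, port=25, timeout=10):
    """Open a plain SMTP session, upgrade with STARTTLS, return the peer certificate.

    Unlike telnet, smtplib keeps talking after the upgrade. The default context
    verifies the certificate against `host` (the MX name you connected to), so a
    mismatch raises ssl.SSLCertVerificationError instead of silently continuing.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None  # server offers no STARTTLS; nothing to inspect
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # EHLO must be repeated after the upgrade (RFC 3207)
        return smtp.sock.getpeercert()


def san_dns_names(cert):
    """DNS names a certificate is valid for, in getpeercert() dict layout."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback: CN only counts when no SAN is present
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Case-insensitive exact match, plus a single leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def cert_covers_host(cert, hostname):
    return any(name_matches(n, hostname) for n in san_dns_names(cert))


# Constructed data: one PMG host (mx.domain1.com) is the MX for both domains and
# presents a certificate naming only itself, like the setup in the thread.
MX_RECORDS = {"domain1.com": "mx.domain1.com", "domain2.com": "mx.domain1.com"}
PMG_CERT = {"subject": ((("commonName", "mx.domain1.com"),),),
            "subjectAltName": (("DNS", "mx.domain1.com"),)}


def tls_ok_for_recipient(recipient, mx_records=MX_RECORDS, cert=PMG_CERT):
    """A sending MTA checks the cert against the MX hostname, not the recipient domain."""
    domain = recipient.rsplit("@", 1)[1].lower()
    return cert_covers_host(cert, mx_records[domain])
```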
 
