Dovecot, Load Balancing and SSL
Hi Everyone!
I wonder if someone would provide me with some advice. I've been setting up a couple of Postfix servers just for fun. I've got two Postfix servers m1.domain.com and m2.domain.com. I can send and receive mail via both of them. I've also got Postfixadmin and RoundCube on them and I'm replicating the database over both servers.
I introduced a load balancer. Postfixadmin and Roundcube work perfectly. However, when I send mail from Thunderbird, M1 reports that the certificate does not match. It's expecting a certificate for mail.domain.com.
On M1 I thought I would try to specify the location of the SSL certificate when using mail.domain.com. I placed the certificate on the NAS and specified it in the 10-ssl file. I did this as per the docs.
local_name mail.domain.com {
  ssl_cert = </nas/ssl/fullchain.pem
  ssl_key = </nas/ssl/privkey.pem
}
It doesn't work. And I'm not entirely sure why M2 works and M1 doesn't. As far as I can see I haven't specified or placed a certificate for mail.domain.com on M2 and searching my bash history doesn't produce anything related to mail.domain.com.
So how can I load balance email connections over my two servers without getting a damn certificate warning?
Any help would be much appreciated.
Thanks.
Hi,
I got around this by setting my mail.domain.com A record to the M1 mail server and requesting a new certificate, combining all domains into one certificate with
certbot certonly -d m1.domain -d mail.domain -d webmail.domain -d mail.domain -d mail.domain -d mail.domain.com --cert-name m1.domain.com
But this won't help for long because in three months I will need to renew the certificate and the A record for mail.domain.com will be pointing to my balancer. So I don't think it will renew.
Does anyone have any suggestions for this?
leon--- via dovecot wrote on 2024-04-03 22:21:
Does anyone have any suggestions for this?
certbot --apache -d m1.domain.tld -d m2.domain.tld
after this is done you have it ready to be renewed; if you need more load balancers, add more -d hostnames
put this cert on all load balancers so it's in sync on all
what problems are remaining? :)
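The whole thread turns on one rule: Dovecot serves the top-level ssl_cert to every connection unless a local_name block matches the SNI name the client sent, so a backend that only holds its own m1.domain.com certificate will hand that certificate to a client that connected to mail.domain.com through the balancer. The script below is an added example (not posted by anyone in the thread): it parses the ssl_cert / local_name settings out of 10-ssl.conf text, picks the certificate Dovecot would present for a given SNI name, and checks that certificate's SAN list against every name clients use. The config fragments, certificate paths and SAN lists are constructed; the SAN lists stand in for what `openssl x509 -in fullchain.pem -noout -ext subjectAltName` prints, and the local_name matching order (exact name, then wildcard, then default) is an assumption taken from the Dovecot documentation's description of local_name. The "before" backend reproduces the mismatch Leon saw; the "after" backends carry the one combined certificate Benny suggests.

```python
"""Which certificate does Dovecot present for a given SNI name, and does it cover it?

Added example, not code from the Dovecot project or from the thread.  Config
texts, certificate paths and SAN lists are constructed for the demonstration.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_LOCAL_NAME_RE = re.compile(r"local_name\s+([^{]+)\{([^}]*)\}", re.S)
_CERT_RE = re.compile(r"ssl_cert\s*=\s*<?(\S+)")


@dataclass
class SslConfig:
    default_cert: Optional[str] = None
    local_names: Dict[str, str] = field(default_factory=dict)  # SNI pattern -> cert path


def parse_ssl_conf(text: str) -> SslConfig:
    """Extract the default ssl_cert and every local_name { ssl_cert = ... } block."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    cfg = SslConfig()
    for m in _LOCAL_NAME_RE.finditer(text):          # blocks first, so their
        names, body = m.group(1).split(), m.group(2)  # ssl_cert is not taken as default
        cert = _CERT_RE.search(body)
        if cert:
            for name in names:
                cfg.local_names[name.lower()] = cert.group(1)
    top_level = _LOCAL_NAME_RE.sub("", text)
    cert = _CERT_RE.search(top_level)
    if cert:
        cfg.default_cert = cert.group(1)
    return cfg


def cert_for_sni(cfg: SslConfig, sni: Optional[str]) -> Optional[str]:
    """Assumed Dovecot behaviour: exact local_name, then wildcard local_name, else default."""
    if sni:
        sni = sni.lower()
        if sni in cfg.local_names:
            return cfg.local_names[sni]
        for pattern, cert in cfg.local_names.items():
            if "*" in pattern and fnmatch.fnmatchcase(sni, pattern):
                return cert
    return cfg.default_cert


def name_covered(hostname: str, sans: List[str]) -> bool:
    """RFC 6125-style check: exact SAN, or a wildcard that matches only the leftmost label."""
    host = hostname.lower()
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host:
            first, rest = host.split(".", 1)
            if first and rest == san[2:]:
                return True
    return False


def audit(backends: Dict[str, tuple], sans_by_cert: Dict[str, List[str]]) -> List[str]:
    """backends: name -> (10-ssl.conf text, names clients connect with). Returns mismatches."""
    problems = []
    for backend, (conf_text, client_names) in backends.items():
        cfg = parse_ssl_conf(conf_text)
        for name in client_names:
            cert = cert_for_sni(cfg, name)
            if not name_covered(name, sans_by_cert.get(cert, [])):
                problems.append(f"{backend}: SNI {name} is served {cert}, which does not cover it")
    return problems


# --- constructed inputs ---------------------------------------------------
M1_ONLY_OWN_CERT = """
ssl = required
ssl_cert = </etc/letsencrypt/live/m1.domain.com/fullchain.pem
ssl_key = </etc/letsencrypt/live/m1.domain.com/privkey.pem
"""
M1_WITH_LOCAL_NAME = M1_ONLY_OWN_CERT + """
local_name mail.domain.com {
  ssl_cert = </nas/ssl/fullchain.pem
  ssl_key = </nas/ssl/privkey.pem
}
"""
COMBINED_CERT_ONLY = """
ssl = required
ssl_cert = </nas/ssl/fullchain.pem
ssl_key = </nas/ssl/privkey.pem
"""
# Constructed SAN lists, standing in for `openssl x509 -noout -ext subjectAltName` output.
SANS = {
    "/etc/letsencrypt/live/m1.domain.com/fullchain.pem": ["m1.domain.com"],
    "/nas/ssl/fullchain.pem": ["m1.domain.com", "m2.domain.com", "mail.domain.com"],
}
CLIENT_NAMES_M1 = ["mail.domain.com", "m1.domain.com"]  # via the balancer, or directly
CLIENT_NAMES_M2 = ["mail.domain.com", "m2.domain.com"]

BEFORE = {"m1": (M1_ONLY_OWN_CERT, CLIENT_NAMES_M1), "m2": (COMBINED_CERT_ONLY, CLIENT_NAMES_M2)}
AFTER = {"m1": (COMBINED_CERT_ONLY, CLIENT_NAMES_M1), "m2": (COMBINED_CERT_ONLY, CLIENT_NAMES_M2)}

if __name__ == "__main__":
    for label, setup in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(setup, SANS) or "no certificate warnings")
```

Against a live backend the equivalent check is `openssl s_client -connect m1.domain.com:993 -servername mail.domain.com </dev/null | openssl x509 -noout -subject -ext subjectAltName`; if that shows a certificate the model says should not be served, the running Dovecot is not using the config you think it is (doveadm config ssl_cert will show what it loaded).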
participants (2): Benny Pedersen, leon@relay.gb.net