NetBSD-Users archive


Re: postfix for 2 domains on 1 vps 1 ip



Mayuresh wrote:
> I am faced with a requirement to merge the mail servers running on 2 VPSes
> into 1, with a single ip address on NetBSD 9.1 amd64.

Generally this should not be a problem for a single server to handle
email for multiple domains.  Assuming that one FQDN is chosen to be
the exit node, then all is easy and straightforward.

> I searched around, mainly tls certificate of both domains being different
> looks a bit gray to me. Some posts say it is possible, while some cite
> issues with it.

STARTTLS for SMTP is opportunistic unless specifically configured for
the point-to-point connection between sites.  Therefore most SMTP
servers use a self-signed certificate by default and without validity
checking.  Many use CA valid certificates because that is also easy to
set up.  But for the most part SMTP is not a high security transfer
protocol when connecting between random servers.  Only when
specifically configured between two cooperating servers.

In any case the authoritative documentation is better than any summary
I might make.

    http://www.postfix.org/TLS_README.html

> I can get into experimenting, but thought of getting a word of advice on
> the overall idea, feasibility, alternatives etc.

I think you are asking if you can make one IP address appear as if it
is the two original servers.

    http://www.postfix.org/MULTI_INSTANCE_README.html

At some level of outbound direction traffic that is possible, but my
opinion is that it is not worth the effort.  And not for the inbound
direction.  That would require multiple IP addresses and binding to
the specific one individually.  One of those questions where "if you
have to ask, then you shouldn't do it" types of things.

Instead I would configure one server that can handle multiple domains.

    http://www.postfix.org/VIRTUAL_README.html

> If performance isn't critical, purely from networking point of view, would
> it be possible to run one of the domains in a VM so that both postfix
> instances can be watertight.

> Alternatively if getting 2 ip addresses is considered as an option would
> it ease anything?

Running VMs with their own address would make them look exactly like
different hosts.  And the extra layers would add to the security.

Postfix is very secure in a standard configuration.

> [Similar question would arise for http, but as of now one domain uses http
> and the other uses https, so that should be manageable.]

My opinion is that this just sets things up to be a problem later when
the one domain that uses http decides that https is now needed.  And
for when the https domain decides that they would like to switch to
Domain Validation certificates using Let's Encrypt on http.

SNI for HTTP is very well supported now.  I would just use one host,
one IP, and multiple HTTP Virtual Hosts.

Bob
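The single-host layout Bob recommends (one Postfix instance serving both domains as virtual mailbox domains, plus one web server using SNI for two HTTPS virtual hosts) as an added example; this is not code from the thread, from Postfix or from NetBSD. It assumes nginx as the web server, a virtual-mail UID of 5000, and the domain names, certificate paths and mail directories shown, all of which are constructed placeholders (on NetBSD/pkgsrc the Postfix directory is typically under /usr/pkg/etc rather than /etc). The script only renders the configuration into a staging directory so it can be reviewed before being copied into place.

```shell
#!/bin/sh
# Added example (not from the thread): stage a single-host Postfix + nginx
# configuration for two mail/web domains behind one IP address.
# All domain names, paths and UIDs below are constructed placeholders.

DOMAIN_A="example-a.test"
DOMAIN_B="example-b.test"
MAIL_HOST="mail.example-a.test"   # the one FQDN chosen as the "exit node"
VMAIL_UID=5000

# Postfix main.cf settings for hosting both domains as virtual mailbox
# domains (see Postfix VIRTUAL_README).  The server presents one certificate
# for the chosen FQDN and keeps TLS opportunistic ("may") for other MTAs,
# which is the default posture the thread describes.
render_postfix_main_cf() {
    cat <<EOF
myhostname = ${MAIL_HOST}
mydestination = localhost
virtual_mailbox_domains = ${DOMAIN_A} ${DOMAIN_B}
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_uid_maps = static:${VMAIL_UID}
virtual_gid_maps = static:${VMAIL_UID}
smtpd_tls_cert_file = /etc/ssl/certs/${MAIL_HOST}.pem
smtpd_tls_key_file = /etc/ssl/private/${MAIL_HOST}.key
smtpd_tls_security_level = may
smtp_tls_security_level = may
EOF
}

# Map file feeding virtual_mailbox_maps; each address gets a maildir under
# virtual_mailbox_base.  Run "postmap /etc/postfix/vmailbox" after editing.
render_vmailbox_map() {
    cat <<EOF
postmaster@${DOMAIN_A}  ${DOMAIN_A}/postmaster/
postmaster@${DOMAIN_B}  ${DOMAIN_B}/postmaster/
EOF
}

# nginx name-based virtual hosts: both listen on 443 of the same address and
# rely on SNI to select the matching certificate.  Port 80 stays open so a
# Let's Encrypt HTTP-01 challenge (/.well-known/acme-challenge/) can be served
# for either domain, avoiding the http/https split the thread warns about.
render_nginx_vhosts() {
    for d in "${DOMAIN_A}" "${DOMAIN_B}"; do
        cat <<EOF
server {
    listen 80;
    server_name ${d};
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl;
    server_name ${d};
    ssl_certificate /etc/ssl/certs/${d}.pem;
    ssl_certificate_key /etc/ssl/private/${d}.key;
    root /var/www/${d};
}
EOF
    done
}

# Count how many TLS virtual hosts the rendered nginx config declares;
# one per domain is expected.
count_tls_vhosts() {
    render_nginx_vhosts | grep -c 'listen 443 ssl;'
}

# Write everything into a staging directory for review before copying to the
# live Postfix and nginx configuration directories.
stage_configs() {
    dir="$1"
    mkdir -p "${dir}/postfix" "${dir}/nginx"
    render_postfix_main_cf > "${dir}/postfix/main.cf.local"
    render_vmailbox_map   > "${dir}/postfix/vmailbox"
    render_nginx_vhosts   > "${dir}/nginx/vhosts.conf"
    ls "${dir}/postfix" "${dir}/nginx"
}

# Usage: sh stage-two-domains.sh /tmp/stage
if [ $# -gt 0 ]; then
    stage_configs "$1"
fi
```

After reviewing the staged files, the Postfix settings can be applied with `postconf -e` (or merged into main.cf), the map compiled with `postmap`, and the nginx file included from the main nginx configuration; the two domains must not also appear in `mydestination`, since Postfix treats virtual mailbox domains and local domains as mutually exclusive.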

