Certbot/postfix smtp with Multiple Domains

Trying to send emails to recipients on gmail and such that require secure smtp from a local MX.
certbot install worked fine for the webserver and tested OK.
I would like to use the certs for sending emails ONLY with a local MX using postfix on Centos 7
It would be really nice to have them originate from:
user@example.com and
For sure postfix is complex, and that is not an issue. The issue is trying to send mail from one domain website with enough security to get into gmail or yahoo as recipients.
It looks easy enough to do using one domain as the sender, but not two or more.
I really don’t care if the emails are actually secure/DNS spoofed, I just need the recipients to accept them.
EDIT: the client would be php on the server.
Thanks in advance.

Don’t confuse the sending users’ domains (which can be many) and the sending server’s domain (which should only be one).
Getting Gmail or Yahoo to accept your emails involves the sending server having an FQDN that is trusted, is sending emails from an IP that is not listed and uses TLS/DKIM/SPF/etc.

But all of that has very little to do with certbot/LetsEncrypt.
Getting a cert is relatively simple - certbot-auto makes it very simple.
Using that cert requires understanding the program that will be using it (postfix) and how to get it to use the cert.
Updating the cert in an automated fashion from anything outside of a simple webserver may require some additional thought and/or research - but the Internet is full of knowledge and experience; all you have to do is “google” search for it.

Or, did I miss the question?

To send mail securely, you don’t need a certificate at all.

To receive mail securely, you need a certificate for the MX server(s) only.

e.g. if you have an example1.com zone with

example1.com.  MX  300    10 mx1.example2.com
example1.com.  MX  300    20 mx2.example2.com

you would need a certificate on the mx1.example2.com and mx2.example2.com servers matching those names, but those MX servers would not require a certificate for the example1.com domain they just send and receive mail for.

this is not a question that can be answered as it’s misleading and confusing

I suggest that you follow the approach below

I would like: advice/links to articles/clarification

My end state is:

I have a xxxx that needs to send xxxxx
Each user on my system has their own xxxxx

The technology in use is

A PHP script will be the mail client and will connect to the local SMTP server (acting as relay/MTA etc.)
How do I configure xxxx to connect securely to yyyyyy


At least you saw a question...
I missed it altogether.
BTW, exactly what was the question?

Yes it is confusing.
The question first:
How can I send emails to people@gmail.com using the certs I got using certbot/letsencrypt, from one machine that hosts two or more websites?
The issues:

  1. Gmail requires that you have SASL authentication and SLS encryption in order to send mail TO it.
  2. I need to send from domain1 with a cert from domain 1 with a return address of sender@domain1.com
  3. I need to send from domain 2 with a cert from domain 2 with a return address of sender@domain2.com

The setup:
I have LAMP on Centos 7 with a couple domains and letsencrypt certs for each. Postfix was installed by default as the smtp mail program.
I would like to send emails to confirm memberships for bulletin boards, and it would look stupid to send emails to snowblowers.com members from webmaster@deathvalley.com.
Again, it is not possible to send confirmations to gmail users without a real domain and a real cert, blessed by a real CA such as certbot.
So I have the certs and domains. I don’t want to receive emails on the webserver, so that is not an issue.
Here is how to do it from one domain on one server:
secure postfix letsencrypt
But I have two domains on one server.
And of course the letsencrypt certs are in a bundle.

Another poster has already tried to tell you this, but I guess it can’t hurt to try once more.

Delivering email to Google Mail users doesn’t involve your TLS certificates, only theirs (and their certificates are fine). If you’re unable to deliver mail to GMail or it gets marked as spam, that’s not because of TLS certificates or the lack of them in your own MX.

Anyway, if you do want TLS certificates for the Postfix SMTP server (and there’s no harm in that) what you need to do is ask for a single certificate which has both names in it. Postfix can then happily present this certificate. Let’s Encrypt is happy to issue certificates for up to 100 names. If you have used the Certbot software, you can simply pick more than one name or use the -d name1.example.com -d name2.example.com form of the command to have two names in a certificate.

The correct thing is for the certificate to be in the name of the MX server, not the name of the domain. But it won’t make a big difference. Whereas web browsers are pretty hot on correct certificates, most mail delivery systems don’t care much, after all in the old days email was delivered with no security at all, so anything is better. As a result on the MX actually even if your certificate is garbage things will generally work fine.

And I go back to my very first sentence on my first post.
You don't seem to understand how email works.
If it worked the way you think, services like Gmail wouldn't exist.
Again, you first need to understand that the sender (email address) and the service are separate.

#1 I must completely disagree here. You must be thinking about Gmail users relaying emails through Gmail.
#2 Users from domain1 only need to allow ESP1 the right to send on their behalf (via SPF).
#3 Users from domain2 only need to allow ESP1 the right to send on their behalf (via SPF).

And to clarify on #2 and #3, Gmail manages millions of email accounts for countless domains.
Do you really think all those emails go out from individually named servers and TLS certs?
Every single Gmail outbound email server is from the domain google.com - yes all of them.

Hey I really appreciate you all responding. Please be patient as I have spent days looking into this.

I realize now that gmail does not require certs for sending their users email from my server vs. relay thru gmail.

I don't understand your terminology. I found the SPF website and will look into that.
BTW These are not users, they are simply php scripts running up in /var/www/html/domain1 as apache:apache

Then the only question is how to send mail from user apache group apache and make it look like it came from domain1 or domain2? You no doubt have posted the answer but I just don't understand.

I do have two domains and certs for those domains on the webserver from certbot. They point to the correct directories i.e. /var/www/html/domain1 and /var/www/html/domain2. I even have subdomains for domain1.com and www.domain1.com etc., and MX records with the DNS.

To send mail from addresses ending @domain1.com:

  1. You MUST have a reverse DNS entry with your ISP mapping your server to a real domain, something other than the default ISP-provided one that embeds your IP address. (It does not have to be at the sending domain, any valid one you own is fine.) Receiving mail servers often reject messages from servers that cannot be looked up with reverse DNS or if the reverse DNS resolves only to an ISP-assigned domain.

  2. If domain1.com has an SPF record, the administrator of that domain MUST add your server’s IP to their SPF record.

  3. If domain1.com uses DKIM, you SHOULD generate a DKIM selector and have the administrator for domain1.com add it to their DNS. While a SHOULD, skipping this step greatly increases the chances your mail will end up in the recipient’s spam folder.

That’s it! If all three of those things are taken care of, you should have no trouble sending mail as the domain.

Note that you will be unable to receive mail at the domain unless the domain administrator sets up some kind of forwarding. So you should be extra careful to only send e-mail to valid e-mail addresses, as you will be unable to receive delivery notifications if they fail. Excessive bounces may result in mail being rejected, with no notice to you since you can’t receive mail at the domain. For this reason, most e-mail service providers suggest using a subdomain they can receive mail at instead, so they can process bounce messages.

Hopefully this helps get you started, but we have veered far from discussion of TLS certificates, so if you have problems implementing this advice, I suggest you ask on a more appropriate forum, such as the postfix-users mailing list.

Or if this is all too complicated for you, mailgun.com or sendgrid.com both have a free forever tier. They take care of item 1 and make item 2 and 3 super easy.
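The SPF step (item 2 above) seen from the receiving side, as an added example rather than anything posted in the thread: a minimal Python evaluator that walks an SPF record's mechanisms against the connecting IP, the way a receiving server decides whether your host may send for domain1.com. DNS answers come from a constructed in-memory table (hypothetical zones domain1.com and _spf.example-esp.net, addresses from the documentation ranges), so it runs offline; a real check would query DNS and enforce the lookup limits of RFC 7208.

```python
"""Minimal SPF evaluator (added example, not code from the thread).

A receiving server fetches the v=spf1 TXT record of the MAIL FROM domain and
walks its mechanisms left to right; the first match decides the result.
"""
import ipaddress

# Constructed DNS data for the example: hypothetical zones, not real records.
DNS = {
    "domain1.com": {
        "TXT": ["v=spf1 ip4:203.0.113.10 include:_spf.example-esp.net mx -all"],
        "MX": ["mx1.domain1.com"],
    },
    "mx1.domain1.com": {"A": ["203.0.113.20"]},
    "_spf.example-esp.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, dns):
    """Return the single v=spf1 TXT record of domain, or None if absent/ambiguous."""
    txts = [t for t in dns.get(domain, {}).get("TXT", []) if t.startswith("v=spf1 ")]
    return txts[0] if len(txts) == 1 else None


def _a_matches(ip, host, dns):
    """True if ip equals one of host's A records in the table."""
    return any(ip == ipaddress.ip_address(a) for a in dns.get(host, {}).get("A", []))


def check_spf(ip, domain, dns=DNS, depth=0):
    """Evaluate SPF for the sending ip against domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps recursion through include:
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers (exp=, redirect=) are ignored in this minimal version
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)  # bare address means /32 or /128
            matched = ip.version == net.version and ip in net
        elif name == "a":
            matched = _a_matches(ip, value or domain, dns)
        elif name == "mx":
            mx_hosts = dns.get(value or domain, {}).get("MX", [])
            matched = any(_a_matches(ip, mx, dns) for mx in mx_hosts)
        elif name == "include":
            matched = check_spf(str(ip), value, dns, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no 'all'


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.7", "203.0.113.20", "192.0.2.1"):
        print(sender, check_spf(sender, "domain1.com"))
```

The `-all` at the end of the constructed domain1.com record is what makes an unlisted server hard-fail; until the domain administrator adds your server's IP (or an `include:` covering it), a receiving server evaluating this record rejects or spam-folders the mail exactly as item 2 describes.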

Realized that during the last post - no need to encrypt, no need for you guys to get involved.
Thanks for all the help.

Good comment about bouncing I’ll test it.
All this is on my server with a static IP and the domains all point straight here including A and MX records from 1&1, so I’m guessing the RDNS should point right here.

you guys are getting way ahead of yourselves

A) do you have a google account with your domain - you can use your own domain as long as you point your records to google and pay the google app fees (that is the first challenge) https://www.google.com/gmail/about/for-work/

B) If you have your domain configured to work with gmail you can use one of two methods to connect to google SMTP servers to send emails. IMPLICITLY Secure or STARTTLS.

C) DKIM and SPF are OPTIONAL extra security but are not REQUIRED to make gmail work.

Again, it is not possible to send confirmations to gmail users without a real domain and a real cert, blessed by a real CA such as certbot.

Absolutely wrong. You can obtain a gmail address or you can transfer your own domain. To send an email you do not require a certificate for a CA.

Have a look at an example of how to configure GMAIL https://developers.google.com/gmail/api/quickstart/php

So the question is: are you hoping to use a google SMTP relay or your own postfix server? If you are using your own postfix server

Once again you should have taken time to explain all the components clearly so people could advise correctly


It is still unclear if the intent is to send as a Gmail user or the intent is simply to send emails to Gmail users.
Or maybe it’s both…

Thanks rg305.
At the moment the intent is only to send email to gmail users, not relay thru gmail. Thus a cert is not required and thus this is not the correct forum to discuss it. I am going to take it up on a forum more relevant to the topic.

My own postfix server. I have had a look at your link and it is helpful. Again, I am going to bring this up on a different forum because there is no need to encrypt outgoing email to google, yahoo, etc. since I am using my own MX on the local server.
Appreciate all the help.

It's a good thing for user privacy if you do, and Gmail may provide a security indication in its UI showing whether you did or not. (Users who receive e-mail from you may be warned by Gmail if the e-mail wasn't encrypted in transit with STARTTLS.) However, it isn't required, and either way sending mail in that direction doesn't require you to have a certificate, as was discussed earlier in the thread.
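The two Postfix settings the thread keeps circling, as an added example that is neither from this thread nor from the Postfix project: the outbound `smtp_tls_security_level` that the reply above is about (opportunistic STARTTLS toward Gmail), and the inbound `smtpd_tls_cert_file`/`smtpd_tls_key_file` pair that the earlier reply about a single multi-name certificate refers to. The Python below parses two constructed main.cf fragments in Postfix's own syntax (including continuation lines) and reports which side is unencrypted; the certificate paths follow certbot's /etc/letsencrypt/live/ layout with a placeholder host name.

```python
"""Audit transit-encryption settings in a Postfix main.cf (added example).

Both configuration fragments are constructed for the example. The first
mirrors a box where nothing TLS-related was ever set; the second is the
corrected form with opportunistic STARTTLS outbound and a certbot
certificate for the inbound listener.
"""

# Constructed: no outbound TLS level, inbound TLS enabled but no cert configured.
WEAK_CF = """
myhostname = mail.example.com
smtpd_tls_security_level = may
# smtpd_tls_cert_file and smtpd_tls_key_file never set
"""

# Constructed: the corrected settings; host name under /etc/letsencrypt/live/ is a placeholder.
FIXED_CF = """
myhostname = mail.example.com
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2,
    !SSLv3
"""


def parse_main_cf(text):
    """Parse main.cf text: 'name = value' lines, whitespace-led continuations, '#' comments."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()  # continuation of the previous value
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not an assignment; Postfix would reject it, we just skip it
        current = name.strip()
        params[current] = value.strip()  # later assignments override earlier ones
    return params


def audit_tls(params):
    """Return (severity, message) findings about outbound and inbound TLS."""
    findings = []
    # Outbound side: what happens when this server delivers to Gmail and others.
    outbound = params.get("smtp_tls_security_level", "none")  # Postfix default is none
    if outbound == "none":
        findings.append(("warn", "outbound: STARTTLS never attempted; "
                                 "set smtp_tls_security_level = may"))
    elif outbound == "may":
        findings.append(("info", "outbound: opportunistic STARTTLS, cleartext fallback "
                                 "when the remote offers no TLS"))
    # Inbound side: only matters if this host also receives mail as an MX.
    inbound = params.get("smtpd_tls_security_level", "none")
    if inbound != "none":
        for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
            if not params.get(key):
                findings.append(("warn", f"inbound: {key} not set although "
                                         f"smtpd_tls_security_level = {inbound}"))
    if inbound == "encrypt":
        findings.append(("warn", "inbound: mandatory TLS on a public MX turns away "
                                 "legitimate cleartext senders (RFC 3207 forbids requiring it)"))
    return findings


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_CF), ("fixed", FIXED_CF)):
        for severity, message in audit_tls(parse_main_cf(cf)):
            print(f"{label}: [{severity}] {message}")
```

Running it prints three warnings for the weak fragment and a single informational line for the corrected one. `may` on the outbound side is the setting the reply above is talking about: Gmail then sees the session as encrypted, yet no certificate of yours is involved in that direction, which is why the inbound cert/key pair is only a finding when `smtpd_tls_security_level` is turned on.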
