I run a single domain under the Open Source Edition, v8.0.3, and ran into a situation where I need to be able to support verified TLS. I already had a commercial cert installed with the common name set to match the server's CNAME (webmail.mydomain.com) - which works great from a web-front-end user perspective, but isn't useful for TLS since the canonical name of the server is different (aegir.mydomain.com). Without doing a massive reconfiguration, what I needed was the ability to load a separate cert for Postfix - and this doesn't appear to be supported functionality.

I did some searching and basically found a lot of people asking for the same or similar functionality (mostly related to running virtual domains but needing a particular cert for TLS) - but nobody seems to have posted an answer.

So I thought I'd post my solution.

First, I can't guarantee that this will work for you and it's entirely possible that this will badly break things for you. Proceed at your own risk and be sure to have a backup before you begin. I can't / won't support this approach, and you are entirely on your own should you choose to travel this path.

Next, this may cause problems when trying to apply updates (I haven't tried) and if updates apply without issue, they will almost certainly clobber these configuration changes. You've been warned.

So here are the steps I took to make this work:

1) Become root at the command line.



2) Make a directory somewhere for your separate Postfix cert with something like:

# mkdir -p /etc/postfix/ssl



3) cd into the directory you just made and generate a CSR with something like:

# cd /etc/postfix/ssl; openssl req -newkey rsa:2048 -nodes -keyout smtp.zimbra.key -out smtp.zimbra.csr

* Make sure the Common Name is set to the FQDN of your mail server.

* Don't set a challenge passphrase. Documentation I found while trying to get this to work indicated that Postfix needs an unencrypted private key (it can't prompt for a passphrase when it starts). I can confirm that my first go-around *with* a password-protected key did NOT work; the second go-around *without* a password DID work. Without going further on the matter, I'll simply mention that it's generally a bad idea to use a key that's not password-protected, so protect the file with ownership and permissions instead.



4) Take the resulting CSR to your CA and generate an Apache-style crt.



5) Copy (and optionally rename) your crt files (including any intermediate cert bundles) to the directory you made above. When you're done, you should have something like:

# pwd; ls -lh
/etc/postfix/ssl
total 20K
-rw-r--r-- 1 root root 3.2K 2013-08-21 10:05 CA.crt
-rw-r--r-- 1 root root 1.9K 2013-08-21 10:04 smtp.zimbra.crt
-rw-r--r-- 1 root root 1.2K 2013-08-21 09:44 smtp.zimbra.csr
-rw-r--r-- 1 root root 1.7K 2013-08-21 09:44 smtp.zimbra.key

* Ideally, these files wouldn't be world-readable (especially the key file). For sure, the postfix user will need to be able to read these files, and the zimbra user probably needs to be able to read them as well. I'll leave it to you to adjust your ownerships and permissions accordingly and as you see fit, but note that the permissions and ownerships you see in my example are probably NOT the ones you want.



6) If I understand correctly, you're supposed to be able to set your Postfix parameters with zmlocalconfig (in fact, Zimbra will absolutely overwrite the parameters on restart), but I find that for on-the-fly updates I need to set these parameters with both zmlocalconfig *and* with postconf.

Additionally, there seems to be some inconsistency between Zimbra 8.0.3 and Postfix 2.10, and again within Postfix 2.10 itself. I find that in some cases I need to set parameters for smtp but not smtpd, in some cases vice versa, and in some cases I have to set both.

Your mileage may vary.

So with that all said, now set Postfix to use your new certs:

# su - zimbra
$ zmlocalconfig -e postfix_smtpd_tls_key_file=/etc/postfix/ssl/smtp.zimbra.key
$ zmlocalconfig -e postfix_smtpd_tls_cert_file=/etc/postfix/ssl/smtp.zimbra.crt
$ zmlocalconfig -e postfix_smtp_tls_CAfile=/etc/postfix/ssl/CA.crt
$ zmlocalconfig -e postfix_smtpd_tls_CAfile=/etc/postfix/ssl/CA.crt
$ postconf -e smtpd_tls_cert_file=/etc/postfix/ssl/smtp.zimbra.crt
$ postconf -e smtpd_tls_key_file=/etc/postfix/ssl/smtp.zimbra.key
$ postconf -e smtp_tls_CAfile=/etc/postfix/ssl/CA.crt
$ postconf -e smtpd_tls_CAfile=/etc/postfix/ssl/CA.crt
$ zmmtactl restart



7) Verify your configuration; I use TLS Receiver Test, but lots of tools are available to you (including simple log inspection).
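As an added example (not part of the original post, and not Zimbra or Postfix code), here is a small POSIX shell pre-flight script that checks the cert directory built in steps 2 through 5 before you point Postfix at it in step 6, plus a STARTTLS probe for step 7. It assumes the file names from the listing above (smtp.zimbra.key, smtp.zimbra.crt, CA.crt) and takes the server's FQDN as an argument; the function names are hypothetical helpers of this script only. It checks that the key belongs to the cert, that the cert actually names the host, that the cert chains to the bundle you copied in, that the key is not passphrase-protected, and that the key is not world-readable.

```shell
#!/bin/sh
# Pre-flight checks for a standalone Postfix TLS cert directory.
# Added example, not part of Zimbra or Postfix. Assumes the file names
# from the post's listing (smtp.zimbra.key, smtp.zimbra.crt, CA.crt);
# the function names below are hypothetical helpers of this script.

# SHA-256 of the public key carried by a cert ($2=cert) or a private key
# ($2=key). Comparing the public halves works for RSA and EC alike,
# unlike the older "compare -modulus" trick, which is RSA-only.
pubkey_fingerprint() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# 0 if the key file is not passphrase-protected (Postfix cannot prompt
# for one). Matches both "Proc-Type: 4,ENCRYPTED" and PKCS#8 headers.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# 0 if the private key belongs to the certificate. Encrypted keys are
# rejected up front so openssl never stops to ask for a passphrase.
key_matches_cert() {
    key_is_unencrypted "$1" || return 1
    k=$(pubkey_fingerprint "$1" key)
    c=$(pubkey_fingerprint "$2" cert)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Names the certificate is valid for: the subject CN plus every DNS SAN.
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# 0 if the host name appears exactly among the certificate's names.
# Wildcards are deliberately not expanded: the MTA cert should name the host.
cert_covers_host() {
    cert_names "$1" | grep -qxF "$2"
}

# 0 if the certificate chains to the CA bundle, the same check a peer does.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if "other" has no read bit. Uses ls(1) so it works on GNU and BSD alike.
key_not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# Run every check against a directory laid out as in the post. Returns the
# number of failed checks, so 0 means "safe to point Postfix at it".
preflight() {
    dir=$1
    host=$2
    fails=0
    key=$dir/smtp.zimbra.key
    crt=$dir/smtp.zimbra.crt
    ca=$dir/CA.crt
    check() {
        if "$@"; then echo "ok    $1"; else echo "FAIL  $1"; fails=$((fails+1)); fi
    }
    check key_is_unencrypted "$key"
    check key_matches_cert "$key" "$crt"
    check cert_covers_host "$crt" "$host"
    check chain_verifies "$ca" "$crt"
    check key_not_world_readable "$key"
    return $fails
}

# After zmmtactl restart: does the live server present the chain and name
# we expect? 0 iff s_client reports "Verify return code: 0 (ok)".
probe_starttls() {
    openssl s_client -starttls smtp -connect "$1:25" -servername "$1" \
        -CAfile "$2" </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

if [ $# -ge 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as `sh preflight.sh /etc/postfix/ssl aegir.mydomain.com` before the `zmmtactl restart` in step 6; the directory exactly as listed in step 5 would fail the last check, because the key there is mode 644, which is the point of the warning under that listing. After the restart, `probe_starttls aegir.mydomain.com /etc/postfix/ssl/CA.crt` does from the command line what the external TLS tester in step 7 does from outside.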