I've successfully setup courier+postfix to work with multiple email domains on the same server. At the moment I have these lines in /etc/courier/imap-ssl:
TLS_CERTFILE=/etc/courier/imapd.pem
TLS_TRUSTCERTS=/etc/ssl/certs
Changing them to this works great:
TLS_CERTFILE=/home/certs/certs/certificate.pem.ww2.endofstars.com
TLS_TRUSTCERTS=/home/certs/chains/endofstars.crt
The first contains the cert from the authority and my private key. The second has the certificate chain. Thunderbird doesn't show my customers the "No legetimate business will used unsigned certs" message, and running:
openssl s_client -connect ww2.endofstars.com:993
returns this, which makes me think it's working. But it's downhill from there. When I change my TLS_CERTFILE setting to:
TLS_CERTFILE=/home/certs/certs/certificate.pem
Thunderbird once again complains about an invalid cert. This file doesn't exist, but the imap-ssl docs say that it should automatically append the host name in order to find the certificate.pem.ww2.endofstars.com file. Using openssl to query it again shows this error, and mail.log reports:
imapd-ssl: couriertls: /home/certs/certs/certificate.pem: error:02001002:system library:fopen:No such file or directory
It's not appending the host name. The comments in imap-ssl say the multi-domain approach is "GnuTLS only", but I'm not sure how to tell if I have it installed. Running ldd /usr/sbin/couriertcpd shows:
linux-vdso.so.1 => (0x00007fffa75ff000)
libgdbm.so.3 => /usr/lib/x86_64-linux-gnu/libgdbm.so.3 (0x00007fcff8433000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcff8076000)
/lib64/ld-linux-x86-64.so.2 (0x00007fcff8640000)
But I don't know if I'm doing it right, or it it would show whether gnutls is used. I'm on ubuntu server 12.04.
You can find out which SSL/TLS library Courier is using by typing
ldd /usr/bin/couriertls
(this could be a different path on another distribution).You'll see that on Ubuntu 12.04, it's compiled against OpenSSL (as the package dependencies also indicate: see
courier-ssl
andcourier-imap-ssl
). If you want it to be compiled against GnuTLS, you'll have to download the package source (apt-get source courier-ssl
) and adapt its configuration to use GnuTLS instead (you'll likely to have to install the GnuTLS and gnutls-dev packages too). You may need to read the Debian/Ubuntu packaging documentation to find which options to change. The configuration files would be undercourier-0.66.../debian
.OpenSSL also supports Server Name Indication now (which is what you want to use for this), but this might not be supported in Courier yet (I'm not sure). This message seems to indicate it might happen in future versions.