How to configure email domains (The target principal name is incorrect)

Discussion in 'Installation/Configuration' started by bldx, Nov 25, 2025 at 12:00 PM.

  1. bldx

    bldx New Member

    Hi guys!

    I need some help regarding configuration of mail domains.

    I named my server server1.mydomain.com and added several domains, e.g. domain1.com, domain2.com....
    I created all needed DNS records, as well as mail.domain1.com, mail.domain2.com, ...

    When I use mail.domain1.com in an email client, I get "The target principal name is incorrect" for the certificate, because postfix and dovecot use the certificate generated for server1.mydomain.com. If I put server1.mydomain.com as the server address in email clients, everything is ok (which is expected).
    I could live with using server1.mydomain.com at the moment, but if I expand the cluster and move domains to other servers, you have to bother updating each client address, e.g. from server1. to server2.

    Anyway, I would like to use proper mail. address for each domain, and I can't make it work.

    What are my options here?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. bldx

    bldx New Member

    Thanks for the answer, Till!

    The second link you shared only explains configuring for one mail. address.
    In my case that would be mail.mydomain.com, and I already tried this (it works, it is kinda the same as using server1.mydomain.com).
    Also, this scenario has a problem: when you migrate a user to another server in the cluster, mail.mydomain.com won't point to the proper IP any more.

    What I was looking for is to have multiple mail. addresses (mail.domain1.com, mail.domain2.com, mail.domain3.com, etc.) to be used for each client (e.g. in Outlook) without throwing that cert error. This way, migrating a user to another server means updating the DNS records for mail. to point to the new IP.

    (Sorry, I have only cPanel experience, I took this feature for granted :D )
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The tutorial uses a website, so you can have up to 100 domains by adding them as aliasdomains to the site. But @remkoh also explained another solution just a few days ago:

    https://forum.howtoforge.com/threads/recovering-from-disaster.94629/page-6#post-468523

    All larger providers use a single central mail server domain, like ISPConfig does by default. But I understand you are not familiar with larger setups when coming from cPanel.
     
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    For that you'd need to use Postfix SNI.
    You can do that, but you'd have to configure it manually; ISPConfig doesn't support it.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    SNI is only needed if he has more than 100 email domains.
     
  7. remkoh

    remkoh Active Member HowtoForge Supporter

    I reckon you say that because of LE limits?

    You also have to if you want separate certificates for your customers and not have all bundled into one certificate.
    (why I use it)
     
    Last edited: Nov 25, 2025 at 5:49 PM
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, max. domains are 100 in one cert, if I remember correctly.
     
  9. remkoh

    remkoh Active Member HowtoForge Supporter

    I thought so too.

    One customer comes close to that in one of the webservers o_O
    With domain.tld and www.domain.tld you will be limited to half.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Then he could probably only extend it with vhost alias domains as they have their own certificate.
     
  11. remkoh

    remkoh Active Member HowtoForge Supporter

    They are alias domains. Alias domains only get separated when a (seo) redirect is done on the alias. Plain aliases are just added behind the main domain in vhost config.
    In this case it's a vhost with a lot of aliases that are redirected in the main vhost settings only to another maindomain.tld vhost.
    So adding another vhost and redirecting that in the main vhost settings too would extend it with another 50 domains.
    A lot less work than redirecting every alias individually.
    But I don't expect the limit to be reached in full any time soon.
     
    Last edited: Nov 25, 2025 at 6:29 PM
  12. bldx

    bldx New Member

    Thanks guys, I managed to make it work!
    My bad, I didn't read carefully through that guide.

    Fast recap for those who found this thread:
    1. Add needed mail domains
    2. Update DNS records ("mail" A record pointing to your_IP, MX record: mydomain.com. mail.mydomain.com.; repeat for all clients)
    3. Create website server1.mydomain.com, enable SSL and Let's Encrypt SSL
    4. Create alias domains for website server1.mydomain.com: mail.mydomain.com, mail.client1.com, mail.client2.com (no redirects, keep "Don't add to Let's Encrypt certificate" unchecked)
    5. Link certificates from your website server to /etc/postfix/smtpd.cert and /etc/postfix/smtpd.key (check the guide)
    6. Restart postfix/dovecot. You will have to restart them every time you add an alias domain!
    And no more cert warnings! :D
     
    ahrasis, remkoh and till like this.
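
Added example (not part of the original posts): a check for the recap above that compares the names clients will use against the SAN list of the certificate on disk and of the certificate the running daemon presents, which differ until the restart in step 6. Hostnames are the thread's placeholders; port 587 and the helper function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: confirm every mail.* name is covered by the certificate
# linked for Postfix/Dovecot. Hostnames are the thread's placeholders.

# Print the DNS SAN entries of a PEM certificate read from stdin, one per line.
san_names() {
  openssl x509 -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 if hostname $1 matches any SAN in the newline-separated list $2.
# A wildcard is honoured only as the whole left-most label (RFC 6125).
san_covers() {
  local host san
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  while IFS= read -r san; do
    san=$(printf '%s' "$san" | tr '[:upper:]' '[:lower:]')
    [ -z "$san" ] && continue
    [ "$san" = "$host" ] && return 0
    case "$san" in
      \*.*) case "$host" in *.*) [ "${host#*.}" = "${san#\*.}" ] && return 0 ;; esac ;;
    esac
  done <<EOF
$2
EOF
  return 1
}

# Print the hosts (args 2..n) that SAN list $1 does not cover; return 1 if any.
missing_hosts() {
  local sans rc h
  sans=$1; rc=0; shift
  for h in "$@"; do
    san_covers "$h" "$sans" || { echo "$h"; rc=1; }
  done
  return "$rc"
}

# SANs of the certificate on disk (what Postfix loads at its next restart).
disk_sans() { san_names < "${1:-/etc/postfix/smtpd.cert}"; }

# SANs of the certificate the running daemon presents for name $1 (port assumed).
live_sans() {
  openssl s_client -connect "$1:${2:-587}" -starttls smtp -servername "$1" \
    </dev/null 2>/dev/null | san_names
}

# Usage on the mail server, after adding an alias domain:
#   missing_hosts "$(disk_sans)" mail.mydomain.com mail.client1.com
#   missing_hosts "$(live_sans mail.client1.com)" mail.client1.com
```

A name that passes against `disk_sans` but fails against `live_sans` means the certificate was reissued but postfix/dovecot have not been restarted yet.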
