
(SOLVED) Can I safely upgrade Postfix version 2.10.1 to Postfix 3.4 on CentOS 7.8.2003?

Posted: 2020/06/23 22:32:09
by joejac
Hello,
I installed an SSL Let's Encrypt certificate on a small VPS and the domains work fine with independent SSL certificates and Apache. Unfortunately, the emails for each domain do not work with SSL, due to the certificate mismatch, which is a Postfix problem. This is the VPS software:

Software Versions
Operating system CentOS Linux 7.8.2003
Perl version 5.016003
BIND version 9.11
Postfix version 2.10.1
Apache version 2.4.6
PHP versions 5.4.16, 5.6.25, 7.2.24
Webalizer version 2.23-08
Logrotate version 3.8.6
MySQL version 5.5.65
ProFTPD version 1.35
SpamAssassin version 3.4.0
ClamAV version 0.99.2
Webmin version 1.942
Virtualmin version 6.09
Usermin version 1.791
Postfix version 3.4 works with SNI solving the issue with virtual domains and SSL email using SNI.

Question: Can I safely upgrade Postfix version 2.10.1 to Postfix 3.4 on CentOS 7.8.2003?
Postfix 3.4 is not in the base repository, only version 2:2.10.1-9.el7 is.
Thanks and regards.
joejac

Re: Can I safely upgrade Postfix version 2.10.1 to Postfix 3.4 on CentOS 7.8.2003?

Posted: 2020/06/25 20:34:30
by joejac
Hello,
Is it possible to safely upgrade Postfix version 2.10.1 to Postfix 3.4 on CentOS 7.8.2003?
Is there a tutorial on how to do it?
The problem is that it is not in the repos.
Thanks and regards
joejac

Re: Can I safely upgrade Postfix version 2.10.1 to Postfix 3.4 on CentOS 7.8.2003?

Posted: 2020/06/26 05:47:27
by KernelOops
You may have problems with SNI over SMTP, some clients don't support it and some others have a bad/broken implementation.

My suggestion, is to avoid using multiple domains for postfix. Just use the main hostname of the server with its own SSL certificate and ask all users to use that hostname for smtp/imap/pop3 etc use. Of course, your apache may still use SNI for browsers.

Another suggestion is to avoid limiting SSL, since many Microsoft servers still use old v1.0 and you will lose mail if you only accept v1.2.

Re: Can I safely upgrade Postfix version 2.10.1 to Postfix 3.4 on CentOS 7.8.2003?

Posted: 2020/06/26 06:08:34
by jlehtone
Define safe.

Red Hat backports security fixes to the postfix that they include in RHEL and CentOS uses that postfix.
We get as secure as possible postfix till the EOL of the CentOS with simple yum update.

Compare that to you grabbing postfix from somewhere.
Will it be compatible with base packages that depend on features of base postfix?
Whenever your upstream releases fixes, you have to specifically fetch them and update your system.
That is laborious and fragile.

Re: Can I safely upgrade Postfix version 2.10.1 to Postfix 3.4 on CentOS 7.8.2003?

Posted: 2020/06/26 08:26:17
by TrevorH
The "ghettoforge" third party yum repo contains postfix3 3.5 packages in their 'plus' repo.

Re: Can I safely upgrade Postfix version 2.10.1 to Postfix 3.4 on CentOS 7.8.2003?

Posted: 2020/07/06 19:05:46
by joejac
Thank you all,
Since I do not want to mess with unsupported versions I followed KernelOops' recommendation (thanks!), and it is working and passing the various tools' diagnostics.
KernelOops wrote:
2020/06/26 05:47:27
You may have problems with SNI over SMTP, some clients don't support it and some others have a bad/broken implementation.

My suggestion, is to avoid using multiple domains for postfix. Just use the main hostname of the server with its own SSL certificate and ask all users to use that hostname for smtp/imap/pop3 etc use. Of course, your apache may still use SNI for browsers.

Another suggestion is to avoid limiting SSL, since many Microsoft servers still use old v1.0 and you will lose mail if you only accept v1.2.
Best regards
joejac

Re: (SOLVED) Can I safely upgrade Postfix version 2.10.1 to Postfix 3.4 on CentOS 7.8.2003?

Posted: 2020/07/08 21:50:13
by KernelOops
I'm glad it worked!


One little correction about a small mistake I made. I said to avoid limiting SSL, but what I mean is TLS. It is strongly encouraged to disable SSL (all versions) and only allow TLS v1.0, v1.1, v1.2 and v1.3.

What I wanted to say, is not to disable TLS v1.0, since that is the only version supported by many microsoft email servers. Even some yahoo.com servers still try to connect with SSLv3 and fail one after the other, until one of them finally makes a TLS v1.0 connection (but not higher!).
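The TLS advice in KernelOops' two replies (disable every SSL version, but keep TLSv1 enabled) and the `tls_server_sni_maps` parameter behind the original question, turned into a check you can run against your own server. This is an added example, not code from the thread or from the Postfix project: it parses the output of `postconf` (all parameters with their effective values, not `postconf -n`) and reports what the inbound `smtpd` side will accept. The three `postconf` excerpts and their `mail_version` values are constructed for illustration; the `>=`/`<=` range syntax handled by `effective_protocols` exists only from Postfix 3.6, so it does not apply to the 2.10.1 or 3.4 versions discussed above.

```python
"""Audit Postfix smtpd TLS protocol settings against the advice in this thread.

Usage on a real server:  postconf | python3 postfix_tls_audit.py
(with the __main__ block changed to read sys.stdin instead of the samples).
"""
import re

# Protocol names Postfix understands, oldest to newest.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_postconf(text):
    """Turn `postconf` output (lines of `name = value`) into a dict."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def _index(name):
    if name not in PROTOCOLS:
        raise ValueError(f"unknown protocol name: {name}")
    return PROTOCOLS.index(name)


def effective_protocols(setting):
    """Expand a Postfix protocol list into the set of versions it enables.

    Postfix accepts an exclusion list ("!SSLv2, !SSLv3": everything except
    those), an inclusion list ("TLSv1.2, TLSv1.3": only those) and, from
    Postfix 3.6, range prefixes (">=TLSv1.2", "<=TLSv1.2"). An empty value
    enables every version the TLS library offers. Postfix advises against
    mixing the forms; here bare names are applied first, then "!" removals.
    """
    tokens = [t for t in re.split(r"[\s,:]+", setting.strip()) if t]
    enabled = set(PROTOCOLS)
    included = {t for t in tokens if not t.startswith(("!", ">=", "<="))}
    if included:
        enabled = included & set(PROTOCOLS)
    for tok in tokens:
        if tok.startswith(">="):
            enabled &= set(PROTOCOLS[_index(tok[2:]):])
        elif tok.startswith("<="):
            enabled &= set(PROTOCOLS[: _index(tok[2:]) + 1])
        elif tok.startswith("!"):
            enabled.discard(tok[1:])
    return enabled


def version_tuple(text):
    """'3.4.10' -> (3, 4, 10); non-numeric suffixes are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def audit(params):
    """Return (severity, message) findings for the inbound (smtpd) side."""
    findings = []
    for name in ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols"):
        enabled = effective_protocols(params.get(name, ""))
        legacy = sorted(enabled & {"SSLv2", "SSLv3"})
        if legacy:
            findings.append(("high", f"{name} still accepts {', '.join(legacy)}; "
                                     "disable every SSL version"))
        if "TLSv1" not in enabled:
            findings.append(("warn", f"{name} rejects TLSv1, which this thread reports "
                                     "is the best some Microsoft and Yahoo senders offer"))
    # SNI maps were introduced in Postfix 3.4; older versions ignore the parameter.
    if params.get("tls_server_sni_maps"):
        if version_tuple(params.get("mail_version", "0")) < (3, 4):
            findings.append(("warn", "tls_server_sni_maps needs Postfix 3.4 or later; "
                                     f"version {params.get('mail_version')} ignores it"))
    return findings


# Constructed `postconf` excerpts (only the parameters the audit reads).
LAX = """\
mail_version = 2.10.1
smtpd_tls_protocols =
smtpd_tls_mandatory_protocols = !SSLv2
tls_server_sni_maps = hash:/etc/postfix/sni
"""
STRICT = """\
mail_version = 3.4.10
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
"""
ADVISED = """\
mail_version = 2.10.1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
"""

if __name__ == "__main__":
    for label, text in (("lax", LAX), ("strict", STRICT), ("advised", ADVISED)):
        print(f"[{label}]")
        for severity, message in audit(parse_postconf(text)) or [("ok", "no findings")]:
            print(f"  {severity}: {message}")
```

The "lax" sample shows the failure mode KernelOops corrected in his last post (SSLv3 still accepted, plus an SNI map that a 2.10.1 server silently ignores); the "strict" sample shows the over-tightening he warned about (TLSv1 rejected); "advised" produces no findings. For opportunistic TLS (`smtpd_tls_security_level = may`) a rejected handshake may end in a cleartext retry rather than lost mail, depending on the sender, so treat the TLSv1 warning as a deliverability decision rather than an error.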