Tengo problemas para configurar postfix para escuchar en algunas (3 en realidad) direcciones IP, en el puerto 25, usando los certificados SSL correctos.
Antecedentes: estoy usando Debian 11, con Postfix (v 3.5.6 del repositorio)/Dovecot e ISPConfig como panel de alojamiento. Tengo algunas direcciones IP que funcionan bien, hay nombres de dominio con el registro A apuntando a la IP y revDNS correcto para cada IP. Cada dominio obtuvo el certificado correcto generado para su uso. El firewall está configurado correctamente y casi todo funciona como era de esperar.
Mi estado actual es que Postfix escucha correctamente en los puertos 465 y 587 en todas las direcciones IP definidas (incluida 127.0.0.1) y también responde con los certificados correctos en esos puertos. Pero en el puerto 25 siempre se usa el certificado del primer dominio, incluso cuando se conecta a otras IP (nombres de dominio). Además, Dovecot utiliza certificados (pero configurar Dovecot fue muy fácil para eso y funciona como debería con IMAP y POP3). No sé dónde me equivoco al configurar Postfix para eso. Lo único que no quiero hacer es postfix "múltiples instancias", porque ISPConfig no las admite en absoluto (ni siquiera admite más de una IP para Dovecot/Postfix, ni ningún tipo de SNI para ellos) .
Mi configuración actual se ve así: main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = /usr/share/doc/postfix
# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2
# TLS parameters
#
# smtpd_tls_cert_file = /etc/postfix/smtpd.cert
# smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_security_level = may
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
myhostname = domain1.com
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
myorigin = /etc/mailname
mydestination = domain1.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
# OEYG inet_interfaces = all
inet_interfaces = 127.0.0.1 xx.xx.xx.x1 xx.xx.xx.x2 xx.xx.xx.x3
# ORYG inet_protocols = all
inet_protocols = ipv4
html_directory = /usr/share/doc/postfix/html
virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_restriction_classes = greylisting
greylisting = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_recipient_access mysql:/etc/postfix/mysql-virtual_policy_greylist.cf, check_policy_service unix:private/quota-status
smtpd_use_tls = yes
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, reject_unknown_helo_hostname, permit
smtpd_sender_restrictions = permit_mynetworks, check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
smtpd_reject_unlisted_sender = no
smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/rbl_override, permit_dnswl_client swl.spamhaus.org, permit_dnswl_client ip4.white.polspam.pl, permit_dnswl_client ip6.white.polspam.pl, reject_rbl_client spam.spamrats.com, reject_rbl_client b.barracudacentral.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client bl.spameatingmonkey.net, reject_rbl_client all.s5h.net, reject_unauth_pipelining, permit
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_client_message_rate_limit = 100
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = lmtp:unix:private/dovecot-lmtp
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
owner_request_special = no
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
tls_preempt_cipherlist = yes
address_verify_negative_refresh_time = 60s
enable_original_recipient = no
sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
authorized_flush_users =
authorized_mailq_users = nagios, icinga
smtpd_forbidden_commands = CONNECT,GET,POST,USER,PASS
address_verify_sender_ttl = 15686s
smtp_dns_support_level = dnssec
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_milters = inet:localhost:11332
non_smtpd_milters = inet:localhost:11332
milter_protocol = 6
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_default_action = accept
message_size_limit = 0
Mi maestro.cf:
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
# smtp inet n - y - - smtpd
127.0.0.1:smtp inet n - y - - smtpd
-o syslog_name=postfix/smtp-local
-o smtp_helo_name=localhost
-o myhostname=localhost
-o smtpd_tls_cert_file=/etc/domain1.crt
-o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x1:smtp inet n - y - - smtpd
-o syslog_name=postfix/smtp-d1
-o smtp_helo_name=domain1
-o myhostname=domain1
-o smtpd_tls_cert_file=/etc/domain1.crt
-o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x2:smtps inet n - y - - smtpd
-o syslog_name=postfix/smtp-d2
-o smtp_helo_name=domain2
-o myhostname=domain2
-o smtpd_tls_cert_file=/etc/domain2.crt
-o smtpd_tls_key_file=/etc/domain2.key
xx.xx.xx.x3:smtps inet n - y - - smtpd
-o syslog_name=postfix/smtp-d3
-o smtp_helo_name=domain3
-o myhostname=domain3
-o smtpd_tls_cert_file=/etc/domain3.crt
-o smtpd_tls_key_file=/etc/domain3.key
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#
127.0.0.1:submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtp_helo_name=localhost
-o smtp_bind_address=127.0.0.1
-o smtpd_tls_cert_file=/etc/domain1.crt
-o smtpd_tls_key_file=/etc/domain1.key
-o myhostname=localhost
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x1:submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtp_helo_name=domain1
-o smtp_bind_address=xx.xx.xx.x1
-o myhostname=domain1
-o smtpd_tls_cert_file=/etc/domain1.crt
-o smtpd_tls_key_file=/etc/domain1.key
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x2:submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtp_helo_name=domain2
-o smtp_bind_address=xx.xx.xx.x2
-o myhostname=domain2
-o smtpd_tls_cert_file=/etc/domain2.crt
-o smtpd_tls_key_file=/etc/domain2.key
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x3:submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtp_helo_name=domain3
-o smtp_bind_address=xx.xx.xx.x3
-o myhostname=domain3
-o smtpd_tls_cert_file=/etc/domain3.crt
-o smtpd_tls_key_file=/etc/domain3.key
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_tls_auth_only=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
## smtps inet n - y - - smtpd
## -o syslog_name=postfix/smtps
## -o smtpd_tls_wrappermode=yes
## -o smtpd_sasl_auth_enable=yes
## -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
127.0.0.1:smtps inet n - n - - smtpd
-o syslog_name=postfix/smtps
-o smtp_helo_name=localhost
-o myhostname=localhost
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_tls_cert_file=/etc/domain1.crt
-o smtpd_tls_key_file=/etc/domain1.key
xx.xx.xx.x1:smtps inet n - n - - smtpd
-o syslog_name=postfix-d1/smtps
-o smtp_helo_name=domain1
-o myhostname=domain1
-o smtpd_tls_cert_file=/etc/domain1.crt
-o smtpd_tls_key_file=/etc/domain1.key
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x2:smtps inet n - n - - smtpd
-o syslog_name=postfix-d2/smtps
-o smtp_helo_name=domain2
-o myhostname=domain2
-o smtpd_tls_cert_file=/etc/domain2.crt
-o smtpd_tls_key_file=/etc/domain2.key
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
xx.xx.xx.x3:smtps inet n - n - - smtpd
-o syslog_name=postfix-d3/smtps
-o smtp_helo_name=domain3
-o myhostname=domain3
-o smtpd_tls_cert_file=/etc/domain3.crt
-o smtpd_tls_key_file=/etc/domain3.key
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
domain1-out unix - - n - - smtp
-o smtp_bind_address=xx.xx.xx.x1
-o smtp_helo_name=domain1
-o syslog_name=postfix-domain1
-o smtpd_tls_cert_file=/etc/domain1.crt
-o smtpd_tls_key_file=/etc/domain1.key
domain2-out unix - - n - - smtp
-o smtp_bind_address=xx.xx.xx.x2
-o smtp_helo_name=domain2
-o syslog_name=postfix-domain2
-o smtpd_tls_cert_file=/etc/domain2.crt
-o smtpd_tls_key_file=/etc/domain2.key
domain3-out unix - - n - - smtp
-o smtp_bind_address=xx.xx.xx.x3
-o smtp_helo_name=domain3
-o syslog_name=postfix-domain3
-o smtpd_tls_cert_file=/etc/domain3.crt
-o smtpd_tls_key_file=/etc/domain3.key
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -f ${sender} -d ${user}@${nexthop}
Al iniciar postfix en /var/log/mail.log hay:
postfix/postfix-script[2714262]: starting the Postfix mail system
postfix/master[2714264]: warning: duplicate master.cf entry for service "xx.xx.xx.x2:smtps" ([xx.xx.xx.x2]:465) -- using the last ent
ry
postfix/master[2714264]: warning: duplicate master.cf entry for service "xx.xx.xx.x3:smtps" ([xx.xx.xx.x3]:465) -- using the last ent
ry
postfix/master[2714264]: daemon started -- version 3.5.6, configuration /etc/postfix
Este registro es extraño para mí, porque el puerto 465 funciona bien en todos los nombres de dominio.
Para realizar pruebas, estoy usando otro servidor y estos comandos:
openssl s_client -starttls smtp -showcerts -connect domainX:25 -servername domainX
openssl s_client -starttls smtp -showcerts -connect domainX:587 -servername domainX
openssl s_client -showcerts -connect domainX: 465 -nombre del servidor dominioX
Respuesta1
Tu master.cfcontiene errores tipográficos.
Parece que pretendía configurar smtpdservicios (servidor) en el envío del puerto (587), smtpd en el puerto smtps (465), smtpd en el puerto smtp (25) y smtptransportes (cliente) para cada dominio.
Pero la primera aparición de xx.xx.xx.x2:smtpsy la primera aparición de xx.xx.xx.x3:smtpsno coincide con ese esquema. Parece que querías escribir smtpallí. La segunda aparición de cada uno, respectivamente, se parece a la prevista smtps(como lo demuestra la opción smtpd_tls_wrappermode).
Después de solucionar este problema y reiniciar postfix, llame ss -tulpnpara verificar qué combinaciones de IP/puerto está escuchando realmente postfix. Espero que cada uno de los puertos 25, 587 y 465 se ofrezcan en cuatro direcciones IPv4 (incluido el loopback).
Por cierto, especificar smtpd_*opciones en el smtpservicio no tiene ningún efecto. Sus smtpservicios de dominio* fuera (¡cliente!) no presentan certificados al momento de la entrega.
Además, todo el esfuerzo parece... muchos problemas sin ningún beneficio. Es un servidor, ¿por qué pretende ser 3? Al aceptar correo entrante en diferentes lugares, solo dificulta el diagnóstico.
Respuesta2
Con ISPConfig..
puedes hacer esto más fácil..
Cree un servidor de correo "base" en los sitios web. *(Utilizo este para todos mis clientes en el correo web. Así que creé mail.my-hosting-domain.tld.
agréguele letsencrypt para obtener los certificados correctos. Ahora agregue un nuevo nombre de host de correo.
letsencrypt generará un certificado de host múltiple. hecho.
Y, por supuesto, haga coincidir el registro DNS necesario con esto. Cualquier cliente puede ir a mail.there-domain.tld y postfix muestra todos los nombres de host correctos en los certificados.