If you need multiple SSL certificates for different domains on a single mail server, you can do it with SNI (Server Name Indication): the client sends the hostname it is connecting to in the TLS handshake, and the server picks the matching certificate. Very old versions do not support this (Postfix needs 3.4 or later for tls_server_sni_maps), so check the documentation first to see whether your versions of Dovecot and Postfix support it.
Dovecot:
For the incoming mail server, Dovecot, it is as easy as listed below. I made a file ssl-sni.conf in which I add the SNI configurations for my domains, then included ssl-sni.conf in the main Dovecot config.
Create ssl-sni.conf and add your SNI definitions in it:
local_name mail.domain1.com {
  ssl_cert = </etc/ssl/certs/domain1/fullchain.pem
  ssl_key = </etc/ssl/certs/domain1/privkey.pem
}
local_name pop3.domain2.com {
  ssl_cert = </etc/ssl/certs/domain2/fullchain.pem
  ssl_key = </etc/ssl/certs/domain2/privkey.pem
}
...
Then include this file in the main Dovecot config (you can also put the local_name blocks directly in dovecot.conf or 00-ssl.conf; I just prefer to keep them separate). Keep the plain ssl_cert/ssl_key settings outside the local_name blocks: they are the default for clients that send no SNI name. The key files can be readable by root only, since Dovecot reads them as root:
# SNI
!include ssl-sni.conf
Postfix:
As for Postfix, the configuration is also simple:
Inside /etc/postfix/, create the file domain_ssl.map with one line per SNI name: the name, then the private key file, then the certificate chain file (key first is the order Postfix expects):
mail.domain1.com  /etc/ssl/certs/domain1/privkey.pem /etc/ssl/certs/domain1/fullchain.pem
smtp.domain2.net  /etc/ssl/certs/domain2/privkey.pem /etc/ssl/certs/domain2/fullchain.pem
Then point Postfix at the table in main.cf (this needs Postfix 3.4 or later):

tls_server_sni_maps = hash:/etc/postfix/domain_ssl.map

Run postmap with -F, which stores the contents of the key and certificate files (not just their names) in domain_ssl.map.db, and restart Postfix:

[root@mail postfix]# postmap -F domain_ssl.map
[root@mail postfix]# systemctl restart postfix

Because the .db holds copies of the files, repeat postmap -F and reload Postfix every time a certificate is renewed, otherwise the old certificate keeps being served.
If everything is OK, you now have an SNI-capable mail server. Clients that send no SNI name (common for MTAs delivering to port 25) still get the certificate from smtpd_tls_cert_file in Postfix and the global ssl_cert in Dovecot, so keep those valid too.
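A way to verify the setup from outside, as an added example that is not part of the original post: connect to each name with SNI set and check that the certificate the server chose actually covers that name. Implicit-TLS ports (465, 993, 995) are tested directly; ports 25 and 587 (and 110/143) need STARTTLS, so the protocol is passed as a third field. The hostnames in the usage text are assumptions; pass your own on the command line.

```shell
#!/bin/sh
# Added example, not from the original post: report which certificate a mail
# server presents for each SNI name, port by port. Hostnames and ports in the
# usage line are assumptions; supply your own as arguments.

# san_matches HOST "DNS:a.example, DNS:*.example" -> 0 if HOST is covered.
# A wildcard covers exactly one leading label (*.example.com does not cover
# a.b.example.com or example.com), which is how TLS clients interpret it.
san_matches() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    names=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]' | tr ',' '\n' |
            sed 's/^[[:space:]]*dns://; s/[[:space:]]*$//')
    for name in $names; do
        case $name in
            '*.'*)
                suffix=${name#\*.}
                case $host in
                    *.$suffix)
                        label=${host%.$suffix}
                        case $label in
                            *.*) ;;        # more than one label: no match
                            '')  ;;        # empty label: no match
                            *)   return 0 ;;
                        esac ;;
                esac ;;
            *)
                [ "$name" = "$host" ] && return 0 ;;
        esac
    done
    return 1
}

# check_sni HOST PORT [STARTTLS-PROTO]: connect with SNI set to HOST and
# print the subject of the certificate the server chose. Pass smtp, imap
# or pop3 as the third argument for STARTTLS ports; omit it for implicit TLS.
check_sni() {
    host=$1; port=$2; proto=$3
    opts=""
    [ -n "$proto" ] && opts="-starttls $proto"
    cert=$(openssl s_client -connect "$host:$port" -servername "$host" $opts \
               </dev/null 2>/dev/null |
           openssl x509 -noout -subject -ext subjectAltName 2>/dev/null)
    if [ -z "$cert" ]; then
        echo "FAIL $host:$port no certificate received (connection or STARTTLS failure)"
        return 2
    fi
    san=$(printf '%s\n' "$cert" | grep 'DNS:' | head -n 1)
    subject=$(printf '%s\n' "$cert" | sed -n 's/^subject=//p')
    if san_matches "$host" "$san"; then
        echo "OK   $host:$port -> $subject"
    else
        echo "FAIL $host:$port -> $subject (SAN: $san)"
        return 1
    fi
}

# Usage: ./check_sni.sh HOST:PORT[:STARTTLS] ...
# e.g.   ./check_sni.sh mail.domain1.com:993 mail.domain1.com:25:smtp \
#                       smtp.domain2.net:587:smtp pop3.domain2.com:995
rc=0
for target in "$@"; do
    h=${target%%:*}; rest=${target#*:}
    p=${rest%%:*}
    case $rest in *:*) s=${rest#*:} ;; *) s="" ;; esac
    check_sni "$h" "$p" "$s" || rc=1
done
# exit status of the script reflects the checks (non-zero if any FAIL)
[ "$rc" -eq 0 ]
```

Run it once per name and port after the restart. A FAIL on port 25 while 465 and 587 pass usually means the STARTTLS handshake on 25 did not get the SNI name through to the right certificate, or that the name is not in the map; a result showing the hostname from smtpd_tls_cert_file means Postfix fell back to the default certificate.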
Hello!
I've tried this with Postfix, but it does not work. I've got a few IPs and each one has its own domain name (and PTR record too). I would like it to work with the correct certificate when connecting to port 25. It works fine for me with ports 465 and 587, but I've had no luck with port 25.
I've tried your way but it does not work for me somehow. Do you have any hints?
I’ve tried with (inside master.cf):
smtp inet n - y - - smtpd
but also with:
127.0.0.1:smtp inet n - y - - smtpd
  -o syslog_name=postfix/smtp-local
  -o smtp_helo_name=localhost
  -o smtp_bind_address=127.0.0.1
  -o myhostname=localhost
xx.xx.xx.xx1:smtp inet n - y - - smtpd
  -o syslog_name=postfix/smtp-domain1
  -o smtp_helo_name=do.main1.com
  -o smtp_bind_address=xx.xx.xx.xx1
  -o myhostname=do.main1.com
  -o smtpd_tls_cert_file=/etc/cert/do.main1.com.crt
  -o smtpd_tls_key_file=/etc/cert/do.main1.com.key
xx.xx.xx.xx2:smtp inet n - y - - smtpd
  -o syslog_name=postfix/smtp-domain2
  -o smtp_helo_name=do.main2.com
  -o smtp_bind_address=xx.xx.xx.xx2
  -o myhostname=do.main2.com
  -o smtpd_tls_cert_file=/etc/cert/do.main2.com.crt
  -o smtpd_tls_key_file=/etc/cert/do.main2.com.key
Maybe you could help?
Hi Lorenzo,
Sorry, but I didn't research port 25. I guess that when you try with 25, Postfix uses the default "hostname" certificate?