pmeerw's blog

26 May 2026


Postfix is stubbornly using an expired certificate

Postfix, when it serves mail for several domains, should present a different certificate after STARTTLS depending on which server name the client sends in the TLS SNI extension.

In /etc/postfix/main.cf, tls_server_sni_maps (available since Postfix 3.4) points to a lookup table, e.g. tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map, whose source file maps each server name to its private key file and certificate chain file (paths assuming Let's Encrypt certificates):

mail.domain1.com /etc/letsencrypt/live/mail.domain1.com/privkey.pem /etc/letsencrypt/live/mail.domain1.com/fullchain.pem
mail.domain2.net /etc/letsencrypt/live/mail.domain2.net/privkey.pem /etc/letsencrypt/live/mail.domain2.net/fullchain.pem

The table is compiled with postmap -F hash:/etc/postfix/vmail_ssl.map. The -F flag makes postmap read the listed PEM files and store their contents in the .db, not merely the file names, so smtpd serves whatever was on disk at the time of the last postmap run. That is why Postfix "stubbornly" keeps presenting the expired certificate after a Let's Encrypt renewal: the files under /etc/letsencrypt/live were replaced, the .db was not. The postmap -F command therefore has to be rerun on every certificate update (e.g. from a certbot deploy hook), followed by postfix reload so already-running smtpd processes reopen the new table. Since the .db now contains the private keys, keep it readable by root only.

Run testssl.sh --starttls smtp mail.domain2.net:25 to check the setup.
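The two steps above (rebuild the table after renewal, then verify what is actually served) as one deploy-hook script. This is an added example, not a script from the original post or from Postfix; it assumes the map lives at /etc/postfix/vmail_ssl.map as above, that postmap, postfix and openssl are on PATH, and that it runs as root for the deploy step.

```bash
#!/bin/bash
# Added example (not from the original post): rebuild the Postfix SNI map only
# when one of the PEM files it references is newer than the compiled .db, and
# show which certificate smtpd serves per server name.
# Assumption: the map is /etc/postfix/vmail_ssl.map; override with SNI_MAP=...

SNI_MAP="${SNI_MAP:-/etc/postfix/vmail_ssl.map}"

# List the PEM files a map references: column 1 is the server name, the rest
# are file names (Postfix accepts comma or whitespace separators). Comment and
# blank lines are dropped; continuation lines are not handled here.
sni_map_files() {
    sed -e '/^#/d' -e '/^[[:space:]]*$/d' "$1" \
        | tr ',' ' ' \
        | awk '{ for (i = 2; i <= NF; i++) print $i }'
}

# True (exit 0) when the .db is missing or any referenced PEM file is newer
# than it. postmap -F copies the file contents into the .db, so smtpd keeps
# serving whatever was on disk at the last postmap run until it is rerun.
sni_map_stale() {
    db="$1.db"
    [ -f "$db" ] || return 0
    for f in $(sni_map_files "$1"); do
        [ "$f" -nt "$db" ] && return 0
    done
    return 1
}

# Recompile the map and reload so running smtpd processes reopen the new .db.
# Both files carry private keys, so keep them root-only. Needs root.
rebuild_sni_map() {
    postmap -F "hash:$1" || return 1
    chmod 0600 "$1" "$1.db"
    postfix reload
}

# Subject and expiry of the certificate served for a name. -servername is what
# makes Postfix consult tls_server_sni_maps; without it you get the default cert.
served_cert_expiry() {
    openssl s_client -connect "$1:25" -starttls smtp -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -enddate
}

case "${1:-}" in
    deploy)   # e.g. certbot ... --deploy-hook '/usr/local/sbin/sni-deploy deploy'
        if sni_map_stale "$SNI_MAP"; then rebuild_sni_map "$SNI_MAP"; fi ;;
    check)    # e.g. sni-deploy check mail.domain1.com mail.domain2.net
        shift; for h in "$@"; do echo "== $h"; served_cert_expiry "$h"; done ;;
esac
```

Running check against each name after a deploy should print a notAfter date in the future for every entry; a stale .db shows up as the old expiry for exactly the names listed in the map, while names not in the map get the certificate from smtpd_tls_cert_file.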

posted at: 21:36 | path: /configuration

Made with PyBlosxom