Set up certs for multiple domains in Postfix and Dovecot
Solution 1
This is done by looking at the unencrypted domain name in the Server Name Indication (SNI) header in the TLS handshake to select the right certificate before any encrypted data is exchanged. At the moment (I'll edit this answer if this changes), Postfix does not support SNI.
Update: SNI support was introduced in Postfix 3.4.0 - http://www.postfix.org/announcements/postfix-3.4.0.html
Dovecot, on the other hand, does. See this example configuration:
# Default certificate, served when the client sends no SNI name
# or a name that matches none of the local_name blocks below
ssl_cert = </path/to/default/cert
ssl_key = </path/to/default/private/key

# mail.example.it -- selected when the client's SNI name matches.
# The "<" makes Dovecot read the file, so point it at the PEM file
# inside the Let's Encrypt live directory, not at the directory itself.
local_name mail.example.it {
  ssl_cert = </etc/letsencrypt/live/mail.example.it/fullchain.pem
  ssl_key = </path/to/mail.example.it/private/key
}

# mail.example.com
local_name mail.example.com {
  ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
  ssl_key = </path/to/mail.example.com/private/key
}
You can leave out each domain's ssl_key if it's the same as the default.
Solution 2
To my knowledge, this is not possible. You have two options:
- Use one domain as the MX for all your other domains that the server should handle. So, if you have a cert configured for example.com and you also want to handle mail for example.org, set an MX entry pointing to your example.com server in the example.org zone.
- Use certs with multiple SANs for every domain you need. This means you have only one cert file that covers all your domains.
Solution 3
Postfix 3.4 and later now allows SNI maps to deal with multiple certificates for different domains/subdomains:
http://www.postfix.org/postconf.5.html#tls_server_sni_maps
Hints about configuring it properly with Let's Encrypt:
In summary, here is what user @MK of the Postfix mailing list says (in case the above link goes down for some reason):
----- main.cf -----
# provide the primary certificate for the server, to be used for outgoing connections
# (continuation lines of a main.cf parameter must start with whitespace)
smtpd_tls_chain_files =
    /etc/letsencrypt/live/servername.serverdom.com/privkey.pem,
    /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem
# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
-----
----- /etc/postfix/vmail_ssl.map -----
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line; the indented lines that follow it continue the
# same entry (key file first, then the full chain)
servername.serverdom.com
    /etc/letsencrypt/live/servername.serverdom.com/privkey.pem
    /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem
servername.otherdom.com
    /etc/letsencrypt/live/servername.otherdom.com/privkey.pem
    /etc/letsencrypt/live/servername.otherdom.com/fullchain.pem
-----
Then run
$ postmap -F hash:/etc/postfix/vmail_ssl.map
and restart Postfix as normal.
To test, run
$ openssl s_client -connect localhost:25 -servername servername.otherdom.com -starttls smtp
$ openssl s_client -connect localhost:25 -servername servername.serverdom.com -starttls smtp
You'll find the hostname under the certificate details. It will show the default server name of the host if there is no match; for that reason, be sure the server name of the host itself is in the map file.
Note: I haven't tested this out myself, I was just looking for some hints on how to do it, and by chance came across this SF thread...
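As an added example (not code from the answer, the mailing-list post or Postfix itself), a small POSIX sh script that builds the map above for any number of Let's Encrypt hostnames, compiles it with postmap -F, and runs the s_client check, parsing the served certificate's SAN list so a fallback to the default certificate is caught instead of having to be spotted by eye. LE_LIVE, MAP_FILE and the function names are assumptions; certificates are assumed to live under /etc/letsencrypt/live/<host>/ as in the answer.

```shell
#!/bin/sh
# Added example, not code from the answer or from Postfix itself.
# Builds the tls_server_sni_maps source for hostnames whose Let's Encrypt
# certificates live under $LE_LIVE/<host>/, compiles it with postmap -F and
# checks via openssl s_client that each name gets its own certificate.
# LE_LIVE and MAP_FILE are assumed names.
LE_LIVE=${LE_LIVE:-/etc/letsencrypt/live}
MAP_FILE=${MAP_FILE:-/etc/postfix/vmail_ssl.map}

# Print map text: hostname as key, then key file and chain file.
# Continuation lines must start with whitespace, otherwise postmap
# reads each path as a new lookup key.
gen_sni_map() {
  for host in "$@"; do
    printf '%s\n' "$host"
    printf '    %s/%s/privkey.pem\n' "$LE_LIVE" "$host"
    printf '    %s/%s/fullchain.pem\n' "$LE_LIVE" "$host"
  done
}

# Read a PEM certificate on stdin and print its DNS SAN entries, one
# per line (needs OpenSSL 1.1.1 or newer for -ext).
cert_dns_names() {
  openssl x509 -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Does the name list on stdin cover $1, exactly or via a one-label
# wildcard (*.parent)? Exit status 0 if so.
san_matches() {
  grep -qxF -e "$1" -e "*.${1#*.}"
}

# STARTTLS to localhost:$2 asking for $1 via SNI; fail if the served
# certificate does not name $1, i.e. the default certificate came back
# because the host is missing from the map or the map was not recompiled.
verify_sni() {
  if openssl s_client -connect "localhost:${2:-25}" -servername "$1" \
       -starttls smtp </dev/null 2>/dev/null | cert_dns_names |
     san_matches "$1"; then
    echo "OK   $1"
  else
    echo "FAIL $1 (default certificate served)"; return 1
  fi
}

# Usage: ./sni_map.sh host1 [host2 ...]  -- writes, compiles, verifies.
if [ $# -gt 0 ]; then
  gen_sni_map "$@" > "$MAP_FILE"
  postmap -F "hash:$MAP_FILE"
  for h in "$@"; do verify_sni "$h"; done
fi
```

Include the server's own default name among the arguments, for the same reason the answer gives: a name absent from the map silently gets the default chain, which the SAN check reports as FAIL.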
p0lo
Updated on September 18, 2022
Comments
-
p0lo over 1 year
I don't know how to set up the main.conf Postfix config file and the 10-ssl.conf Dovecot config file in order to make my mail server capable of handling multiple certificates. Let me explain... I have two domains on the same server, say mail.example.it and mail.example.com, and two different certificates for them in different folders:
etc/letsencrypt/live/mail.example.it
etc/letsencrypt/live/mail.example.com
The question is: how should I set the TLS parameters in main.conf of the Postfix configuration? It seems to support only one entry for
smtpd_tls_cert_file
smtpd_tls_key_file
The same issue with 10-ssl.conf of the Dovecot configuration: it seems to support only one entry for
ssl_cert
ssl_key
Many thanks for your help
-
Esa Jokinen almost 6 years
New to me: Let's Encrypt now supports the SAN mechanism! Otherwise, in case these two domains were from separate customers that wouldn't want their domains to be used for others, I'd have suggested adding a third domain from the service provider as the certificate domain for both.
-
Esa Jokinen almost 6 years
What I couldn't find: does Let's Encrypt have a limit for the maximum number of SAN host names? Using a fixed service provider domain would be a better choice with many customer domains if there was such a limit, or if the changes to this domain name list were frequent.
-
FooBee almost 6 years
@EsaJokinen: It's 100 names. "If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate." letsencrypt.org/docs/rate-limits I am not sure, but I believe this is the general limit on SANs in TLS certs.
-
Esa Jokinen almost 6 years
So, not really a problem, because updating the domain list would get on the nerves long before the limit. :)
-
Gwyneth Llewelyn over 3 years
This, of course, requires multiple IP addresses.
-
Gwyneth Llewelyn over 3 years
For Dovecot, the example configuration comes from wiki.dovecot.org/SSL/…
-
mik3fly-4steri5k over 2 years
This should be the accepted answer (if your version matches).