Set up certs for multiple domains in Postfix and Dovecot

7,474

Solution 1

This is done by looking at the unencrypted domain name in the Server Name Indication (SNI) header in the TLS handshake to select the right certificate before any encrypted data is exchanged. At the moment (I'll edit this answer if this changes), Postfix does not support SNI.

Update: SNI support was introduced in Postfix 3.4.0 - http://www.postfix.org/announcements/postfix-3.4.0.html

Dovecot, on the other hand, does. See this example configuration:

# Default certificate, used when the client sends no SNI name or a name not listed below
ssl_cert = </path/to/default/cert
ssl_key = </path/to/default/private/key

# mail.example.it
# local_name blocks select the certificate by SNI name (Dovecot 2.2 or later);
# Let's Encrypt keeps the certificate chain as fullchain.pem inside the live directory
local_name mail.example.it {
    ssl_cert = </etc/letsencrypt/live/mail.example.it/fullchain.pem
    ssl_key = </path/to/mail.example.it/private/key
}

# mail.example.com
local_name mail.example.com {
    ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
    ssl_key = </path/to/mail.example.com/private/key
}

You can leave out each domain's ssl_key if it's the same as the default.

Solution 2

To my knowledge, this is not possible. You have two options:

  • Use one domain as the MX for all your other domains that the server should handle. So, if you have a cert configured for example.com and you also want to handle mail for example.org, set an MX entry pointing to your example.com server in the example.org zone.
  • Use certs with multiple SANs for every domain you need. This means you have only one cert file that covers all your domains.

Solution 3

Postfix 3.4 and later now allows SNI maps to deal with multiple certificates for different domains/subdomains:

http://www.postfix.org/postconf.5.html#tls_server_sni_maps

Hints about configuring it properly with Let's Encrypt:

http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a100819

In summary, here is what user @MK of the Postfix mailing list says (in case the above link goes down for some reason):

----- main.cf -----
# provide the primary certificate for the server, to be used for outgoing connections
smtpd_tls_chain_files =
 /etc/letsencrypt/live/servername.serverdom.com/privkey.pem,
 /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
-----
----- /etc/postfix/vmail_ssl.map -----
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line: hostname, key file, chain file
# (lines starting with whitespace continue the previous entry)
servername.serverdom.com
 /etc/letsencrypt/live/servername.serverdom.com/privkey.pem
 /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem
servername.otherdom.com
 /etc/letsencrypt/live/servername.otherdom.com/privkey.pem
 /etc/letsencrypt/live/servername.otherdom.com/fullchain.pem
-----

Then run

$ postmap -F hash:/etc/postfix/vmail_ssl.map

Restart postfix as normal.

Run

$ openssl s_client -connect localhost:25 -servername servername.otherdom.com -starttls smtp

$ openssl s_client -connect localhost:25 -servername servername.serverdom.com -starttls smtp

To test: you'll find the hostname under the certificate details. It will match the default server name of the host if there is not a match. Be sure the server name of the host is in the map file for that reason.

Note: I haven't tested this out myself, I was just looking for some hints on how to do it, and by chance came across this SF thread...
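The manual openssl s_client checks above only show the certificate; they do not tell you whether it is the right one, and as noted, a name missing from the map silently gets the default certificate. The following script is an added example (not from the thread or from Postfix/Dovecot) that automates that check for both the Postfix SNI map in this answer and the Dovecot local_name blocks in solution 1: it connects with each SNI name and verifies that the presented certificate's subjectAltName actually covers that name. It assumes an openssl CLI of version 1.1.1 or newer (for `x509 -ext`) and that the server is reachable on the given host and port; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check that a mail server answers each
# SNI name with a certificate that actually covers that name.
# Assumptions: openssl CLI 1.1.1+ (for `x509 -ext`), server reachable on HOST:PORT.

# san_covers NAME SAN_TEXT
# SAN_TEXT is the "DNS:a, DNS:b" line printed by `openssl x509 -ext subjectAltName`.
# Succeeds (exit 0) when NAME is listed exactly or matched by a single-label
# wildcard such as *.example.com; substring matches do not count.
san_covers() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    wild="*.${want#*.}"          # the only wildcard form that may match NAME
    printf '%s' "$2" \
        | tr 'A-Z' 'a-z' | tr ',' '\n' \
        | sed 's/^[[:space:]]*dns:[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF -e "$want" -e "$wild"
}

# presented_san HOST PORT SNI_NAME [STARTTLS_PROTO]
# Connects with the given SNI name (STARTTLS_PROTO = smtp, imap or pop3; omit it
# for implicit TLS on 465/993/995) and prints the SAN line of the leaf
# certificate the server presented. Prints nothing if no certificate came back.
presented_san() {
    host=$1; port=$2; sni=$3; proto=${4-}
    if [ -n "$proto" ]; then set -- -starttls "$proto"; else set --; fi
    openssl s_client -connect "$host:$port" -servername "$sni" "$@" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | sed -n '2p'
}

# check_names HOST PORT STARTTLS_PROTO NAME...
# Use "-" as STARTTLS_PROTO for implicit TLS. Exit status 1 if any name fails,
# which is exactly what happens when a name is missing from the SNI map and
# the server falls back to its default certificate.
check_names() {
    host=$1; port=$2; proto=$3; shift 3
    if [ "$proto" = "-" ]; then proto=""; fi
    rc=0
    for name in "$@"; do
        san=$(presented_san "$host" "$port" "$name" "$proto")
        if san_covers "$name" "$san"; then
            echo "OK   $name <- $san"
        else
            echo "FAIL $name <- ${san:-no certificate returned}" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_sni.sh HOST PORT PROTO NAME...
#   Postfix (solution 3): sh check_sni.sh localhost 25  smtp servername.serverdom.com servername.otherdom.com
#   Dovecot (solution 1): sh check_sni.sh localhost 143 imap mail.example.it mail.example.com
if [ "$#" -ge 4 ]; then
    check_names "$@"
fi
```

Run it after `postmap -F` and the restart; a FAIL line for a name you expected to work usually means the map entry is missing or `postmap -F` was not rerun, since Postfix then presents the default chain from smtpd_tls_chain_files. The same script checks Dovecot by pointing it at port 143 with `imap` (or 993 with `-`).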



Author: p0lo

Updated on September 18, 2022

Comments

  • p0lo
    p0lo over 1 year

    I don't know how to set up the main.conf postfix config file and the 10-ssl.conf dovecot config file in order to make my mail server capable of handling multiple certificates. Let me explain... I have two domains on the same server, say

    • mail.example.it
    • mail.example.com

    and two different certificates for both in different folders

    • etc/letsencrypt/live/mail.example.it
    • etc/letsencrypt/live/mail.example.com

    The question is how should I set the tls parameters on main.conf of postfix configuration? It seems to support only one entry on

    • smtpd_tls_cert_file
    • smtpd_tls_key_file

    The same issue on 10-ssl.conf of dovecot configuration: seems to support only one entry for

    • ssl_cert
    • ssl_key

    Many thanks for help

  • Esa Jokinen
    Esa Jokinen almost 6 years
    New to me: Let's Encrypt now supports SAN mechanism! Otherwise, in case these two domains were from separate customers that wouldn't want their domains to be used for others, I'd have suggested adding a third domain from the service provider as the certificate domain for both.
  • Esa Jokinen
    Esa Jokinen almost 6 years
    What I couldn't find: does Let's Encrypt have a limit for max SAN host names? Using fixed service provider domain would be a better choice with many customer domains if there was such a limit, or if the changes to this domain name list were frequent.
  • FooBee
    FooBee almost 6 years
    @EsaJokinen: It's 100 names. If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. letsencrypt.org/docs/rate-limits I am not sure, but I believe this is the general limit on SANs in TLS certs.
  • Esa Jokinen
    Esa Jokinen almost 6 years
    So, not really a problem, because updating the domain list would get to the nerves long before the limit. :)
  • Gwyneth Llewelyn
    Gwyneth Llewelyn over 3 years
    This, of course, requires multiple IP addresses.
  • Gwyneth Llewelyn
    Gwyneth Llewelyn over 3 years
    For Dovecot, the example configuration comes from wiki.dovecot.org/SSL/…
  • mik3fly-4steri5k
    mik3fly-4steri5k over 2 years
    should be the accepted answer (if your version matches)