On Sun, Jul 13, 2025 at 07:32:46AM -0600, James Lay via Postfix-users wrote:

> My other question:  I run split dns here, so what I would LOVE to do is
> have an in house certificate used for smtps and submission which are
> used internally only on the inside interface, and a world valid ( if
> that's the right way to say it ) certificate listening just on smtp on
> the outside interface.  Even better would be to have smtp listening on
> the outside interface with one certificate, and smtp listening to the
> inside interface using a different cert, but I don't think that's
> possible.
> 
> Thank you for any insights you might have!

You can have as many certificate chains as you want associated with
various listening IP addresses, or also on a single IP address
distinguished by SNI (assuming TLS clients that send SNI; not all do:
they are required to use SNI with DANE, but not necessarily with
opportunistic TLS):

    master.cf:
        127.0.0.1 inet ... smtpd
            -o smtpd_tls_chain_files=$cert_chain0
        192.0.2.1 inet ... smtpd
            -o smtpd_tls_chain_files=$cert_chain1
        192.0.2.2 inet ... smtpd
            -o smtpd_tls_chain_files=$cert_chain2
        ...

    main.cf:
        cert_chain0 = ${config_directory}/chain0.pem
        cert_chain1 = ${config_directory}/chain1.pem
        cert_chain2 = ${config_directory}/chain2.pem
        ...

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
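An added worked example, not part of Viktor's reply or of Postfix itself: a small Python script that resolves which chain file each inet listener in a master.cf fragment will present (a per-service "-o smtpd_tls_chain_files=..." override, else the main.cf default, with $name / ${name} expansion), and then checks that each chain file has the layout smtpd_tls_chain_files requires, i.e. each private key immediately followed by its certificate and any issuer certificates. The master.cf rows, main.cf parameters, paths and the PEM bodies are all constructed for the example; the parameter expansion is a simplification of Postfix's (no ${name?value} forms), and unknown parameters expand to the empty string here. SNI-based selection on a single address, which the reply also mentions, is configured separately through tls_server_sni_maps and is not covered by this script.

```python
import re

# Constructed sample files (not the poster's real configuration).
# The two bound listeners mirror the shape shown in the reply; the plain
# "smtp" row has no override and falls back to the main.cf default.
MASTER_CF = """\
smtp           inet  n  -  n  -  -  smtpd
127.0.0.1:smtp inet  n  -  n  -  -  smtpd
    -o smtpd_tls_chain_files=$cert_chain0
192.0.2.1:smtp inet  n  -  n  -  -  smtpd
    -o smtpd_tls_chain_files=$cert_chain1
"""

MAIN_CF = """\
config_directory = /etc/postfix
smtpd_tls_chain_files = ${config_directory}/chain-default.pem
cert_chain0 = ${config_directory}/chain0.pem
cert_chain1 = ${config_directory}/chain1.pem
"""

# Constructed PEM files: only the block headers matter for the layout check.
GOOD_CHAIN = """\
-----BEGIN PRIVATE KEY-----
MIIEvQ...constructed...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDdz...constructed leaf...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdz...constructed issuer...
-----END CERTIFICATE-----
"""
BAD_CHAIN = """\
-----BEGIN CERTIFICATE-----
MIIDdz...constructed leaf...
-----END CERTIFICATE-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQ...constructed...
-----END EC PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} recursively (simplified; unknown names -> '')."""
    if depth > 10:
        raise ValueError("parameter expansion loop")

    def sub(m):
        name = m.group(1) or m.group(2)
        return expand(params.get(name, ""), params, depth + 1)

    return VAR.sub(sub, value)


def listener_chain_files(master_text, params):
    """Map each inet service to the chain file(s) it presents after expansion."""
    overrides, current = {}, None
    for line in master_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                      # service row
            fields = line.split()
            current = fields[0] if fields[1] == "inet" else None
            if current:
                overrides[current] = None
            continue
        if current and line.strip().startswith("-o"):  # "-o name=value" override
            name, _, value = line.strip()[2:].strip().partition("=")
            if name.strip() == "smtpd_tls_chain_files":
                overrides[current] = value.strip()
    result = {}
    for service, raw in overrides.items():
        if raw is None:                                # no override: main.cf default
            raw = params.get("smtpd_tls_chain_files", "")
        result[service] = [f for f in re.split(r"[,\s]+", expand(raw, params)) if f]
    return result


def check_chain_layout(pem_text):
    """Return layout problems: the file must start with a key, and every key
    must be immediately followed by its certificate."""
    kinds = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    if not kinds:
        return ["no PEM blocks found"]
    problems = []
    if not kinds[0].endswith("PRIVATE KEY"):
        problems.append("file must start with a private key, found %s" % kinds[0])
    for i, kind in enumerate(kinds):
        if kind.endswith("PRIVATE KEY"):
            nxt = kinds[i + 1] if i + 1 < len(kinds) else None
            if nxt != "CERTIFICATE":
                problems.append("key at block %d is not followed by its certificate" % i)
    return problems


if __name__ == "__main__":
    params = parse_main_cf(MAIN_CF)
    for service, files in listener_chain_files(MASTER_CF, params).items():
        print("%-16s -> %s" % (service, ", ".join(files)))
    print("good chain:", check_chain_layout(GOOD_CHAIN) or "ok")
    print("bad chain: ", check_chain_layout(BAD_CHAIN))
```

Run against real files by reading master.cf, main.cf and each resolved chain path from disk instead of the constructed strings; the layout check is the one that catches the usual mistake of concatenating cert-then-key, which Postfix rejects at startup.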
