On Sun, Jul 13, 2025 at 07:32:46AM -0600, James Lay via Postfix-users wrote:
> My other question: I run split dns here, so what I would LOVE to do is
> have an in house certificate used for smtps and submission which are
> used internally only on the inside interface, and a world valid ( if
> that's the right way to say it ) certificate listening just on smtp on
> the outside interface. Even better would be to have smtp listening on
> the outside interface with one certificate, and smtp listening to the
> inside interface using a different cert, but I don't think that's
> possible.
>
> Thank you for any insights you might have!

You can have as many certificate chains as you want associated with
various listening IP addresses, or also on a single IP address
distinguished by SNI (assuming TLS clients that send SNI, not all do,
they are required to use SNI with DANE, but not necessarily with
opportunistic TLS):

    master.cf:
        127.0.0.1 inet ... smtpd
            -o smtpd_tls_chain_files=$cert_chain0
        192.0.2.1 inet ... smtpd
            -o smtpd_tls_chain_files=$cert_chain1
        192.0.2.2 inet ... smtpd
            -o smtpd_tls_chain_files=$cert_chain2
        ...

    main.cf:
        cert_chain0 = ${config_directory}/chain0.pem
        cert_chain1 = ${config_directory}/chain1.pem
        cert_chain2 = ${config_directory}/chain2.pem
        ...

-- 
    Viktor.  🇺🇦 Glory to Ukraine!
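Added example, not part of the original message or of Postfix itself: a small audit that reads master.cf and main.cf text and reports which certificate chain each inet smtpd listener ends up with, so a listener that silently falls back to the main.cf default (for instance an outside interface that should carry the public certificate) is visible. The sample configuration is constructed; the ports, the default.pem file and /etc/postfix as config_directory are assumptions, and only the `-o name=value` override form shown above is handled.

```python
import re

# Constructed sample config: addresses follow the message above; the
# ports, column values and default.pem are assumptions for illustration.
MAIN_CF = """\
cert_chain0 = ${config_directory}/chain0.pem
cert_chain1 = ${config_directory}/chain1.pem
smtpd_tls_chain_files = ${config_directory}/default.pem
"""
MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command
127.0.0.1:submission inet n - n - - smtpd
  -o smtpd_tls_chain_files=$cert_chain0
192.0.2.1:smtp inet n - n - - smtpd
  -o smtpd_tls_chain_files=$cert_chain1
192.0.2.2:smtp inet n - n - - smtpd
"""

def parse_main(text):
    """Return main.cf parameters as a dict of unexpanded values."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    params = {k.strip(): v.strip() for k, v in pairs}
    params.setdefault("config_directory", "/etc/postfix")  # assumed default
    return params

def expand(value, params, depth=0):
    """Expand $name and ${name} references against main.cf parameters."""
    if depth > 10:
        raise ValueError("recursive parameter reference")
    ref = lambda m: expand(params.get(m.group(1) or m.group(2), ""), params, depth + 1)
    return re.sub(r"\$\{(\w+)\}|\$(\w+)", ref, value)

def listener_chains(master, main):
    """Map each inet smtpd listener to (chain file, 'override' or 'default')."""
    params = parse_main(main)
    # Drop comments and blank lines, then fold indented continuation lines.
    lines = [l for l in master.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    joined = re.sub(r"\n\s+", " ", "\n".join(lines))
    result = {}
    for entry in joined.splitlines():
        fields = entry.split()
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        m = re.search(r"-o\s+smtpd_tls_chain_files=(\S+)", entry)
        raw = m.group(1) if m else params.get("smtpd_tls_chain_files", "")
        result[fields[0]] = (expand(raw, params), "override" if m else "default")
    return result
```

Calling `listener_chains(MASTER_CF, MAIN_CF)` on the sample shows 192.0.2.2:smtp marked "default", which is the case to review before exposing that address.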