On Wed, Jul 26, 2017 at 10:08 Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> > On Jul 26, 2017, at 10:28 AM, Tom Browder <tom.brow...@gmail.com> wrote:
> >
> > Now my question: is there any future benefit to having tls certs for a
> > host name of "smtp.domain.tld" for each "domain.tld" when all domains will
> > have the same mail server?
>
> No, for inbound mail a single MX hostname shared across all hosted
> domains and an associated shared name in the certificate is best.
>
> If you're also doing port 587 submission, and/or imap then it sometimes
> makes more sense to have per-domain certificates. I've still not had
> the time to implement support for server-side SNI in Postfix, so multiple
> certificates for submission are not well supported in Postfix.

Okay, Viktor, thanks, I think I understand a bit.

Given the present state of Postfix, does this sound reasonable for the single server:

1. each domain with a webserver will have its own server cert (all webservers use the same ip address)
2. the mail server has its own server cert and a unique ip address
3. in case I want to use remote smtp access from my local host, I will have another address and server cert for it, also on its own ip address

-Tom
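
An added example, not part of the thread and not Postfix code: a small Python audit of the shared-MX layout recommended in the quoted reply, checking that every hosted domain's MX target is a name the mail server's single certificate covers. The domains, MX targets and certificate names are constructed sample data, and the function names are hypothetical.

```python
"""Audit a shared-MX layout against the names in one server certificate."""

# Constructed sample data (not from the thread): MX targets per hosted domain
# and the DNS names (subjectAltName entries) in the mail server's certificate.
MX_RECORDS = {
    "example.org": ["mail.example.net."],
    "example.com": ["mail.example.net."],
    "example.edu": ["smtp.example.edu."],  # per-domain MX name, not covered
}
CERT_DNS_NAMES = ["mail.example.net"]


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def name_matches(pattern, host):
    """Match a certificate DNS name against a host name (RFC 6125 style).

    A wildcard is accepted only as the complete left-most label, stands
    for exactly one label, and is refused directly under a top-level label.
    """
    p, h = normalize(pattern).split("."), normalize(host).split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_mx(mx_records, cert_names):
    """Return {domain: [MX hosts that no certificate name covers]}."""
    problems = {}
    for domain, targets in mx_records.items():
        missing = [normalize(t) for t in targets
                   if not any(name_matches(c, t) for c in cert_names)]
        if missing:
            problems[domain] = missing
    return problems


if __name__ == "__main__":
    for domain, hosts in uncovered_mx(MX_RECORDS, CERT_DNS_NAMES).items():
        print(f"{domain}: MX {', '.join(hosts)} is not in the certificate")
```
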