There were some discussions in 2015 and more recently about SNI support.
For IMAP/POP, dovecot (which allows SNI support) has a configuration like this 
in our setup:

local_name imap.example.org {
  ssl_cert = </etc/ssl/certs/imap.example.org.crt
  ssl_key = </etc/ssl/private/imap.example.org.key
}
local_name imap.example2.org {
  ssl_cert = </etc/ssl/certs/imap.example2.org.crt
  ssl_key = </etc/ssl/private/imap.example2.org.key
}

Moving from a perl-based SMTP server that allowed me to load multiple 
certificates, my clients all use mail.yourdomain.com:587 as their outgoing mail 
server. For the most part, a STARTTLS command is issued and the connection is 
upgraded to SSL. This has worked really well, with the end user needing to 
remember only mail.yourdomain.com for incoming and outgoing mail, and still 
getting SSL encryption.  Thus far, we've found every mail client has supported 
this method without any errors.

I found this discussion circa 2015
( http://postfix.1071664.n5.nabble.com/postfix-and-multiple-TLS-certificates-td80968.html )
which references the request, but it doesn't seem to have come to fruition.

This is not for outgoing SSL (which makes sense to come only from the server), 
or for incoming mail (which would go to the MX record in question) but for 
incoming mail submission, via SSL. The clients all support SNI, any recent 
version of OpenSSL supports SNI.
Does postfix?  If so how to configure?  If not, how to feature request this?


-M
