The documentation on this is very convoluted, but through trial and error and
reviewing code, I did figure it out.
----- main.cf -----
# provide the primary certificate for the server, to be used for outgoing connections
smtpd_tls_chain_files =
    /etc/letsencrypt/live/servername.serverdom.com/privkey.pem,
    /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem
# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
-----
----- /etc/postfix/vmail_ssl.map -----
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line
servername.serverdom.com /etc/letsencrypt/live/servername.serverdom.com/privkey.pem /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem
servername.otherdom.com /etc/letsencrypt/live/servername.otherdom.com/privkey.pem /etc/letsencrypt/live/servername.otherdom.com/fullchain.pem
-----
Then run
$ postmap -F hash:/etc/postfix/vmail_ssl.map
Restart postfix as normal.
Run
$ openssl s_client -connect localhost:25 -servername servername.otherdom.com -starttls smtp
$ openssl s_client -connect localhost:25 -servername servername.serverdom.com -starttls smtp
to test - you'll find the hostname under the certificate details. It will match
the default server name of the host if there is not a match. Be sure the server
name of the host is in the map file for that reason.
Hope this helps.
-M
On Sunday, March 31, 2019, 6:54:07 AM EDT, Andrei Kovacs
<kand...@gmail.com> wrote:
Hi,
I've noticed the release of the new SNI feature in Postfix 3.4, but I cannot
get a successful setup. My last attempt was to use tls_server_sni_maps, but I'm
not sure about the correct format (I've tried encoding the certificate as
base64 according to the documentation).
For reference, what I'm trying is to have a main certificate for the mail
server and another certificate (letsencrypt) for a specific domain.
Thank you,
Andrei
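
A lint for the map source file described in the reply at the top of this thread, to run before postmap -F. This is an added example, not part of the original thread or of Postfix. check_sni_map and make_sample are hypothetical helper names, the one-entry-per-line layout and the key-before-chain order are assumed from the thread's own examples, and the sample files are constructed placeholders.

```sh
#!/bin/sh
# check_sni_map MAPFILE DEFAULT_HOST  (hypothetical helper, not a Postfix tool)
# Lints the map source before "postmap -F". Assumes one entry per line:
#   hostname  key-file  chain-file
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_sni_map() {
    map=$1 default_host=$2 problems=0 seen_default=no
    while read -r host files || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac    # blank line or comment
        [ "$host" = "$default_host" ] && seen_default=yes
        set -- $files                              # split into file paths
        if [ $# -lt 2 ]; then
            echo "$host: expected a key file and a chain file"
            problems=$((problems + 1)); continue
        fi
        first=yes
        for f in "$@"; do
            if [ ! -r "$f" ]; then
                echo "$host: cannot read $f"
                problems=$((problems + 1))
            elif [ "$first" = yes ] &&
                 ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
                echo "$host: first file $f holds no private key"
                problems=$((problems + 1))
            fi
            first=no
        done
    done < "$map"
    if [ "$seen_default" = no ]; then
        echo "$default_host: server's own name is missing from the map"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: placeholder PEM markers only, no real key material.
make_sample() {
    d=$1
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$d/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' > "$d/fullchain.pem"
    cat > "$d/vmail_ssl.map" <<EOF
# One host per line
servername.otherdom.com $d/privkey.pem $d/fullchain.pem
swapped.example $d/fullchain.pem $d/privkey.pem
missing.example $d/privkey.pem $d/nonexistent.pem
EOF
}

if [ $# -eq 2 ]; then check_sni_map "$1" "$2"; fi
```

Run as a script it takes the map file and the server's own hostname as its two arguments; the exit status is non-zero when any entry fails a check.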