i'm modifying a relay config. atm, i've

master.cf
    ...
    [127.0.0.1]:10001 inet n - n - - smtpd
        ...
        -o content_filter=lmdb:/etc/postfix/relay_transports
    relay-out unix - - n - - smtp
        -o smtp_tls_policy_maps=lmdb:/etc/postfix/relay_tls_policy
        -o smtp_tls_cert_file=/ssl/client.RSA.crt
        -o smtp_tls_key_file=/ssl/client.RSA.key

cat /etc/postfix/relay_transports
    example1.com relay-out:[mx.example1.com]:25
    example2.com relay-out:[mx.example2.com]:10025
    ...

cat /etc/postfix/relay_tls_policy
    [mx.example1.com]:25 secure match=mx.example1.com
    [mx.example2.com]:10025 secure match=mx.example2.com
    ...

this^ has worked just fine.
my config, atm, uses the single RSA crt/key for all transports.
example2.com has just changed its requirements, and uses/accepts only EC certs.
where/how would I specify a per-transport cert/key pair?
i've read through
http://www.postfix.org/TLS_README.html
and haven't ID'd a relevant per-transport cert/key mapping
i considered
http://www.postfix.org/postconf.5.html#tls_server_sni_maps
but that seems server-side only (?),
"map names received from remote SMTP clients via the TLS Server Name
Indication (SNI) extension to the appropriate keys and certificate chains. This
parameter is implemented in the Postfix TLS library, and applies to both
smtpd(8) and the SMTP server mode of tlsproxy(8)."
i also took a look at
http://www.postfix.org/postconf.5.html#smtp_tls_per_site
but, again, haven't figured out where/how to provide the per-transport cert/key
mappings.
what's the correct approach here?