Postfix, multi domains and multi certs on one IP

Solution 1:

If you are on Postfix >=3.4, consider the following steps below as adapted from this link:

Step 1: Comment out the top two lines and add the following lines to /etc/postfix/

# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

# provide the primary certificate for the server, to be used for outgoing connections (note the indentation)
smtpd_tls_chain_files =

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/

Step 2: Create the file /etc/postfix/ with the following:

# Compile with postmap -F hash:/etc/postfix/ when updating
# One host per line
/etc/letsencrypt/live/ /etc/letsencrypt/live/ /etc/letsencrypt/live/ /etc/letsencrypt/live/
# add more domains with keys and certs as needed

Step 3: Run postmap -F hash:/etc/postfix/

Step 4: Run systemctl restart postfix.

Step 5: Now test your domains' SSLs! For each of your domains, run the following command: openssl s_client -connect localhost:25 -servername -starttls smtp
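
An added example (not part of the original answer) that automates Step 5: it reads the names from the SNI map source file, does STARTTLS with each name as SNI, and lets normal certificate verification decide whether the right certificate came back. It assumes publicly trusted certificates (such as Let's Encrypt); the script name, the example.com/example.org names and the sample paths are constructed.

```python
import socket, ssl, sys

# Constructed sample map source: "name key-file cert-chain-file" (key first).
SAMPLE_MAP = """\
# One host per line
mail.example.com /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/letsencrypt/live/mail.example.com/fullchain.pem
mail.example.org /etc/letsencrypt/live/mail.example.org/privkey.pem
    /etc/letsencrypt/live/mail.example.org/fullchain.pem
"""

def sni_names(map_text):
    """Lookup keys of a Postfix table source; skips comments, blanks, continuation lines."""
    names = []
    for line in map_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        names.append(line.split()[0])
    return names

def smtp_reply(f):
    """Read one SMTP reply (possibly multi-line, '250-...') and return its last line."""
    while True:
        line = f.readline()
        if len(line) < 4 or line[3:4] != b"-":
            return line

def probe(servername, host="localhost", port=25, timeout=10):
    """STARTTLS with SNI=servername. Returns (ok, detail)."""
    ctx = ssl.create_default_context()  # checks the chain and that the cert names servername
    with socket.create_connection((host, port), timeout=timeout) as raw:
        f = raw.makefile("rb")
        smtp_reply(f)  # 220 greeting
        raw.sendall(b"EHLO sni-check.invalid\r\n")
        smtp_reply(f)
        raw.sendall(b"STARTTLS\r\n")
        if not smtp_reply(f).startswith(b"220"):
            return False, "STARTTLS not accepted"
        try:
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                return True, "valid until " + tls.getpeercert()["notAfter"]
        except ssl.SSLCertVerificationError as e:
            # e.g. hostname mismatch when the default certificate was served instead
            return False, e.verify_message

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_sni.py <SNI map source file>")
    results = {n: probe(n) for n in sni_names(open(sys.argv[1]).read())}
    for name, (ok, detail) in results.items():
        print("OK  " if ok else "FAIL", name, detail)
    sys.exit(0 if all(ok for ok, _ in results.values()) else 1)
```

Run it on the mail server with the map source file from Step 2 as the only argument; a non-zero exit status means at least one name did not get a certificate valid for it.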

Solution 2:

As far as I know, there is no working SNI in Postfix. Yet. The docs say that "There are no plans to implement SNI in the Postfix SMTP server.", though Victor mentioned in January that he wants to add SNI support to Postfix 3.4. Alternatives:

  • multiple IPs
  • certificate containing all domain names.

Also, there is nothing wrong with having the same MX for all domains, with the MX hostname being your service domain or something, and the HELO/EHLO name configured to the same/similar hostname. If it's good for Google Apps and other major email providers, then it's good for us too.