Postfix, multi domains and multi certs on one IP

Solution 1:

If you are on Postfix >=3.4, consider the following steps below as adapted from this link:

Step 1: Comment out the top two lines and add the follow lines to /etc/postfix/main.cf:

---
# smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
# smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

# provide the primary certificate for the server, to be used for outgoing connections (note the indentation)
smtpd_tls_chain_files =
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
    /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
---

Step 2: Create the file /etc/postfix/vmail_ssl.map with the following:

---
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line
mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed
---

Step 3: Run postmap -F hash:/etc/postfix/vmail_ssl.map.

Step 4: Run systemctl restart postfix.

Step 5: Now test your domains' SSLs! For each of your domains, run the following command: openssl s_client -connect localhost:25 -servername mail.mydomainname.com -starttls smtp

Solution 2:

As far i know there is no working SNI in postfix . Yet. Docs ( http://www.postfix.org/TLS_README.html ) say that "There are no plans to implement SNI in the Postfix SMTP server.", though Victor mentioned in January that he wants to add SNI support to postfix 3.4 . Alternatives :

• multiple ip
• certificate containing all domain names.

Also there is nothing wrong with having the same MX for all domains. MX hostname being your service domain or something. Also helo/ehlo name configured to the same/similar hostname . If its good for GoogleApps and other major email providers, then its good for us too.