12

I don't know how to set up the main.conf Postfix config file and the 10-ssl.conf Dovecot config file in order to make my mail server capable of handling multiple certificates. Let me explain... I have two domains on the same server, say

  • mail.example.it
  • mail.example.com

and two different certificates for both in different folders

  • /etc/letsencrypt/live/mail.example.it
  • /etc/letsencrypt/live/mail.example.com

The question is: how should I set the TLS parameters in main.conf of the Postfix configuration? It seems to support only one entry for

  • smtpd_tls_cert_file
  • smtpd_tls_key_file

The same issue with 10-ssl.conf in the Dovecot configuration: it seems to support only one entry for

  • ssl_cert
  • ssl_key

Many thanks for your help.

Jenny D

p0lo

4 Answers

13

This is done by looking at the unencrypted domain name in the Server Name Indication (SNI) header in the TLS handshake to select the right certificate before any encrypted data is exchanged. At the moment (I'll edit this answer if this changes)

Update: SNI support was introduced in Postfix 3.4.0 - http://www.postfix.org/announcements/postfix-3.4.0.html

Dovecot, on the other hand, does. See this example configuration:

# Default certificate, served when the client sends no SNI name
# (or a name with no local_name block)
ssl_cert = </path/to/default/cert
ssl_key = </path/to/default/private/key

# mail.example.it
# Dovecot reads a file after "<", not a directory; the Let's Encrypt
# live directory holds the chain as fullchain.pem and the key as privkey.pem
local_name mail.example.it {
  ssl_cert = </etc/letsencrypt/live/mail.example.it/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.example.it/privkey.pem
}

# mail.example.com
local_name mail.example.com {
  ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
}

You can leave out each domain's ssl_key if it's the same as the default.

Billy
7

To my knowledge, this is not possible. You have two options:

  • Use one domain as the MX for all the other domains that the server should handle. So, if you have a cert configured for example.com and you also want to handle mail for example.org, set an MX entry pointing to your example.com server in the example.org zone.
  • Use certs with multiple SANs for every domain you need. This means you have only one cert file that covers all your domains.
Sven
4

Postfix 3.4 and later now allows SNI maps to deal with multiple certificates for different domains/subdomains:

http://www.postfix.org/postconf.5.html#tls_server_sni_maps

Hints about configuring it properly with Let's Encrypt:

http://postfix.1071664.n5.nabble.com/How-to-use-the-new-server-TLS-SNI-feature-3-4-x-td100786.html#a100819

In summary, here is what user @MK of the Postfix mailing list says (in case the above link goes down for some reason):

----- main.cf -----
# provide the primary certificate for the server, to be used for outgoing connections
smtpd_tls_chain_files =
 /etc/letsencrypt/live/servername.serverdom.com/privkey.pem,
 /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem

# provide the map to be used when SNI support is enabled
tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

----- /etc/postfix/vmail_ssl.map -----
# Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
# One host per line; the key and chain files follow on indented continuation lines
servername.serverdom.com
 /etc/letsencrypt/live/servername.serverdom.com/privkey.pem
 /etc/letsencrypt/live/servername.serverdom.com/fullchain.pem
servername.otherdom.com
 /etc/letsencrypt/live/servername.otherdom.com/privkey.pem
 /etc/letsencrypt/live/servername.otherdom.com/fullchain.pem
-----

Then run

$ postmap -F hash:/etc/postfix/vmail_ssl.map

Restart postfix as normal.

To test, run

$ openssl s_client -connect localhost:25 -servername servername.otherdom.com -starttls smtp

$ openssl s_client -connect localhost:25 -servername servername.serverdom.com -starttls smtp

You'll find the hostname under the certificate details. It will match the default server name of the host if there is no match. Be sure the server name of the host is in the map file for that reason.

Note: I haven't tested this out myself, I was just looking for some hints on how to do it, and by chance came across this SF thread...
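As an added example that is not part of the thread or of Postfix itself, a small POSIX shell helper that writes the map source file in the layout above from the Let's Encrypt live directory and then, using the same openssl s_client invocation, reports which SNI names get their own certificate and which silently fall back to the default chain. LIVE_DIR, the function names and the map/port arguments are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the postmap -F source file for
# tls_server_sni_maps and verify which certificate Postfix serves per SNI name.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"   # assumed Let's Encrypt layout

# One entry per hostname: key line, then privkey/fullchain on indented
# continuation lines (the layout shown in the answer above).
build_sni_map() {
    for host in "$@"; do
        printf '%s\n  %s/%s/privkey.pem\n  %s/%s/fullchain.pem\n' \
            "$host" "$LIVE_DIR" "$host" "$LIVE_DIR" "$host"
    done
}

# Keys of a map source file: lines that are not blank, not comments and
# not indented continuation lines.
map_keys() {   # $1 = map source file
    grep -v '^[[:space:]#]' "$1" | awk 'NF { print $1 }'
}

# DNS names in the SAN of the certificate Postfix presents for SNI name $1.
# Needs a reachable server and openssl >= 1.1.1; not exercised offline.
presented_names() {   # $1 = SNI name, $2 = host:port
    openssl s_client -connect "$2" -servername "$1" -starttls smtp \
        </dev/null 2>/dev/null |
        openssl x509 -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeeds only if the served certificate actually covers $1; when a name is
# missing from the map Postfix falls back to the default chain and this fails.
check_sni() {   # $1 = SNI name, $2 = host:port
    presented_names "$1" "$2" | grep -qx "$1"
}

# Walk every key in the map and report which names get the wrong certificate.
verify_sni_map() {   # $1 = map source file, $2 = host:port
    rc=0
    for name in $(map_keys "$1"); do
        if check_sni "$name" "$2"; then echo "OK       $name"
        else echo "MISMATCH $name (default certificate served?)"; rc=1; fi
    done
    return $rc
}

# Typical use, after postmap -F hash:/etc/postfix/vmail_ssl.map and a restart:
#   build_sni_map servername.serverdom.com servername.otherdom.com > /etc/postfix/vmail_ssl.map
#   verify_sni_map /etc/postfix/vmail_ssl.map localhost:25
```

Include the host's own name (myhostname) among the keys, since verify_sni_map would otherwise not reveal that it is missing from the map.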

0

While @Billy gave the solution for Dovecot (which works for me), these two posts helped me a lot with Postfix: "Postfix and multiple SSL certificates" and "Using multiple “myhostname” in postfix".

lucasart