Use SNI in dovecot and postfix

What to do if you have multiple certificates from Let's Encrypt, each stored as a separate crt/key file pair.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshake. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port, and hence allows multiple secure sites (or any other service over TLS) to be served from the same IP address without requiring all of them to use the same certificate. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546.

To make the mail server handle multiple certificates (in my case the files are generated by the Caddy web server, which also takes care of renewal), the following is needed for Dovecot and Postfix.

For Dovecot, add the following to /usr/local/etc/dovecot/dovecot.conf. Each local_name block selects the certificate and key for one SNI name and overrides the global ssl_cert/ssl_key, which must still be set because it is what clients that send no SNI will get. The leading < makes Dovecot read the file contents when the configuration is loaded.

# mail.ostreff.info
local_name mail.ostreff.info {
    ssl_cert = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.ostreff.info/mail.ostreff.info.crt 
    ssl_key = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.ostreff.info/mail.ostreff.info.key
}
# mail.classic-bg.net
local_name mail.classic-bg.net {
    ssl_cert = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.classic-bg.net/mail.classic-bg.net.crt 
    ssl_key = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.classic-bg.net/mail.classic-bg.net.key
}
# mail.albena-bg.be
local_name mail.albena-bg.be {
    ssl_cert = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.albena-bg.be/mail.albena-bg.be.crt
    ssl_key = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.albena-bg.be/mail.albena-bg.be.key
}
# mail.realesr.ostreff.info
local_name mail.realesr.ostreff.info {
    ssl_cert = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.realesr.ostreff.info/mail.realesr.ostreff.info.crt 
    ssl_key = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.realesr.ostreff.info/mail.realesr.ostreff.info.key
}

For Postfix (3.4 or later, which introduced tls_server_sni_maps), create a file named /usr/local/etc/postfix/vmail_ssl.map with the following content. Each entry is the SNI name followed by the paths of the certificate file (with its chain) and the key file; lines starting with whitespace continue the entry above them:

mail.ostreff.info
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.ostreff.info/mail.ostreff.info.crt 
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.ostreff.info/mail.ostreff.info.key
mail.classic-bg.net
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.classic-bg.net/mail.classic-bg.net.crt 
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.classic-bg.net/mail.classic-bg.net.key
mail.albena-bg.be
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.albena-bg.be/mail.albena-bg.be.crt
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.albena-bg.be/mail.albena-bg.be.key
mail.realesr.ostreff.info
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.realesr.ostreff.info/mail.realesr.ostreff.info.crt
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.realesr.ostreff.info/mail.realesr.ostreff.info.key

Then point Postfix at the SNI map by adding the following line to /usr/local/etc/postfix/main.cf:

tls_server_sni_maps = hash:/usr/local/etc/postfix/vmail_ssl.map

Next, build the indexed map and restart both services. Note that postmap -F stores the contents of the certificate and key files in the .db file, not just their paths, so it has to be re-run (followed by a Postfix reload) every time Caddy renews a certificate. Dovecot likewise reads the files when its configuration is loaded and needs a reload after a renewal.

postmap -F hash:/usr/local/etc/postfix/vmail_ssl.map

service postfix restart
service dovecot restart
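Because both daemons hold copies of the certificate data rather than re-reading the files on every connection, a renewal by Caddy goes unnoticed until the map is rebuilt and the daemons are reloaded. The following script is an added example, not part of the original post: it fingerprints every file referenced in vmail_ssl.map, and only when something changed does it run postmap -F, reload Postfix and reload Dovecot. The map path follows the post; the state file location, the use of cksum and running it from cron are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the Postfix SNI map and
# reload Postfix and Dovecot only when a certificate or key file it references
# has changed, e.g. after Caddy renewed a certificate. Intended for cron.
# The map path follows the post; STATE_FILE is an assumption.

SNI_MAP=${SNI_MAP:-/usr/local/etc/postfix/vmail_ssl.map}
STATE_FILE=${STATE_FILE:-/var/db/postfix-sni.cksum}

# Print every absolute path named in a Postfix SNI map. The map has the SNI
# name on one line and the .crt/.key paths on indented continuation lines.
map_files() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ "^/") print $i }' "$1"
}

# Fingerprint the current contents of all files listed in the map. cksum is
# POSIX, so this works unchanged on FreeBSD and Linux. A missing file makes
# the fingerprint differ, which counts as "changed" and surfaces the error
# when postmap -F is then run.
map_fingerprint() {
    map_files "$1" | while IFS= read -r f; do
        cksum < "$f" | awk -v f="$f" '{ print $1, $2, f }'
    done
}

# Succeed (return 0) if the fingerprint differs from the recorded one, or if
# nothing has been recorded yet; return 1 when everything is unchanged.
sni_map_changed() {
    map_path=$1 state_path=$2
    current=$(map_fingerprint "$map_path")
    [ -f "$state_path" ] && [ "$current" = "$(cat "$state_path")" ] && return 1
    return 0
}

# Record the current fingerprint so the next run sees "unchanged".
sni_map_mark_current() {
    map_fingerprint "$1" > "$2"
}

# Rebuild the .db and reload both daemons, but only when something changed.
# The state is recorded last, so a failed postmap or reload is retried next run.
refresh_sni_map() {
    if sni_map_changed "$SNI_MAP" "$STATE_FILE"; then
        postmap -F "hash:$SNI_MAP" &&
        postfix reload &&
        doveadm reload &&
        sni_map_mark_current "$SNI_MAP" "$STATE_FILE"
    fi
}

# Only act when invoked as "sh refresh_sni.sh run", so the functions can be
# sourced or tested without touching the live system.
if [ "${1:-}" = run ]; then
    refresh_sni_map
fi
```

A cron entry such as `0 * * * * /usr/local/sbin/refresh_sni.sh run` (path assumed) is enough, since Caddy renews well before expiry and an hour of delay is harmless.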

Postfix can be verified by requesting each name via SNI and checking the certificate that comes back:

openssl s_client -connect localhost:25 -servername mail.ostreff.info -starttls smtp

openssl s_client -connect localhost:25 -servername mail.classic-bg.net -starttls smtp
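Reading the s_client output by hand for every name and both daemons gets tedious, and a quick glance at the subject line misses the case where the name only appears in the subjectAltName. The script below is an added example, not part of the original post: for each hostname given on the command line it connects with that SNI name to Postfix (port 25, STARTTLS) and to Dovecot (port 993, implicit TLS), extracts the CN and DNS SANs of the certificate presented, and checks that one of them covers the requested name, including correct one-label wildcard handling. The ports, "localhost" and an OpenSSL 1.1.1 or newer (for x509 -ext) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): ask Postfix and Dovecot for each
# SNI name in turn and check that the certificate presented covers that name.
# Assumptions: Postfix on localhost:25 with STARTTLS, Dovecot IMAPS on
# localhost:993, and OpenSSL >= 1.1.1 (for "openssl x509 -ext").

# Print the DNS names a certificate is valid for, one per line, given the
# output of "openssl x509 -noout -subject -ext subjectAltName" on stdin.
# Accepts both "CN = name" (OpenSSL 1.1+) and "/CN=name" (older) subjects.
names_from_x509_text() {
    awk '
        /^subject=/ {
            if (match($0, "CN *= *[^,/]+")) {
                cn = substr($0, RSTART, RLENGTH)
                sub("^CN *= *", "", cn)
                sub(" +$", "", cn)
                print cn
            }
        }
        /DNS:/ {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++)
                if (match(parts[i], "DNS:[^ ,]+"))
                    print substr(parts[i], RSTART + 4, RLENGTH - 4)
        }
    ' | sort -u
}

# Does certificate name PATTERN cover HOSTNAME? Case-insensitive; a wildcard
# is only accepted as the whole leftmost label and matches exactly one label
# (RFC 6125 section 6.4.3): *.example.net covers mail.example.net but neither
# example.net nor a.b.example.net.
name_matches() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    hn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pat in
        '*.'*)
            case $hn in
                *.*) [ "${hn#*.}" = "${pat#\*.}" ] ;;
                *)   false ;;
            esac ;;
        *)  [ "$hn" = "$pat" ] ;;
    esac
}

# Read certificate names on stdin; succeed if any of them covers HOSTNAME.
cert_covers_host() {
    while IFS= read -r name; do
        name_matches "$name" "$1" && return 0
    done
    return 1
}

# Connect with SNI set to HOSTNAME and test the certificate returned. A third
# argument (smtp, imap, ...) selects STARTTLS; omit it for implicit TLS ports.
check_sni_host() {
    sni_host=$1 sni_port=$2
    starttls_opt=${3:+-starttls $3}
    # shellcheck disable=SC2086 -- starttls_opt is meant to split into two words
    if openssl s_client -connect "localhost:$sni_port" -servername "$sni_host" \
            $starttls_opt </dev/null 2>/dev/null |
       openssl x509 -noout -subject -ext subjectAltName 2>/dev/null |
       names_from_x509_text |
       cert_covers_host "$sni_host"
    then
        echo "OK    localhost:$sni_port presented a certificate for $sni_host"
    else
        echo "FAIL  localhost:$sni_port did not present a certificate for $sni_host" >&2
        return 1
    fi
}

# Usage: sh check_sni.sh mail.ostreff.info mail.classic-bg.net ...
# With no arguments nothing is contacted, so the functions can be tested alone.
status=0
for h in "$@"; do
    check_sni_host "$h" 25 smtp || status=1   # Postfix, STARTTLS on port 25
    check_sni_host "$h" 993     || status=1   # Dovecot IMAPS (assumed enabled)
done
[ "$status" -eq 0 ] || exit 1
```

Run it against every local_name in dovecot.conf (which should be the same set of keys as in vmail_ssl.map); a FAIL for one daemon but not the other usually means a typo in that daemon's configuration, while a FAIL for all names after a renewal means the map was not rebuilt with postmap -F.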