LaoBlog

Multiple ssl certificates for Postfix &Dovecot with Let's Encrypt


Needing to configure my email server for 2 different domains (not subdomains), and therefore with 2 different SSL certificates, I found out it is possible to use Let's Encrypt certificates (which I already have and use for other services).

I assume that the Let's Encrypt certificates are installed in the default folder /etc/letsencrypt/live/domain_name/ and I use the same domain's certificate for both Postfix and Dovecot. In other words, for example, I would have:

- example.net.pem for Postfix and Dovecot of the example.net domain,
- example.com.pem for Postfix and Dovecot of the example.com domain.

For Dovecot, edit /etc/dovecot/conf.d/10-ssl.conf by adding a default server and another one (or 2, 3...). A leading < tells Dovecot to read the value from the file, and local_name must be the host name clients send as SNI:

    # Default mail server: "example.net"
    ssl_cert = </etc/letsencrypt/live/example.net/fullchain.pem
    ssl_key = </etc/letsencrypt/live/example.net/privkey.pem

    # 2nd mail server: "example.com" (local_name = the SNI name clients use)
    local_name mail.example.com {
        ssl_cert = </etc/letsencrypt/live/example.com/fullchain.pem
        ssl_key = </etc/letsencrypt/live/example.com/privkey.pem
    }

For Postfix > 3.4.0, you need to modify /etc/postfix/main.cf. If you already have a single Let's Encrypt SSL certificate, comment out the 2 lines that look like the following (the per-file parameters, which smtpd_tls_chain_files replaces):

    #smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
    #smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem

then add the following:

    # the primary (default) certificate for the server, used when the client
    # sends no SNI name or one that is not in the map below; key file first,
    # then the chain file
    smtpd_tls_chain_files = /etc/letsencrypt/live/example.net/privkey.pem, /etc/letsencrypt/live/example.net/fullchain.pem
    # the map to be used when SNI support is enabled
    tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

Save the file and then create the new file /etc/postfix/vmail_ssl.map, where you have to write the following:

    # Compile with postmap -F hash:/etc/postfix/vmail_ssl.map when updating
    # One host per line, for the 2nd, 3rd, etc. mail servers.
    # Don't write the default mail server here!
    example.com  /etc/letsencrypt/live/example.com/privkey.pem  /etc/letsencrypt/live/example.com/fullchain.pem

Save and exit, then run

    $ postmap -F hash:/etc/postfix/vmail_ssl.map

The -F option makes postmap store the contents of the key and certificate files in the table, not just their names, so you need to run the above command every time the certificate changes, that is, when you renew it.

Finally, restart the postfix, dovecot and saslauthd services.

Test the new configuration with:

    $ openssl s_client -connect localhost:25 -servername example.com -starttls smtp

and with:

    $ openssl s_client -connect localhost:25 -servername example.net -starttls smtp

In each case, check that the certificate subject shown in the output matches the name passed with -servername.

Sources:
https://serverfault.com/questions/920436/set-up-certs-for-multiple-domains-in-postfix-and-dovecot
https://serverfault.com/questions/928926/postfix-multi-domains-and-multi-certs-on-one-ip
http://www.postfix.org/postconf.5.html#tls_server_sni_maps
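To automate the openssl s_client test above for every name in the map, here is an added Python script (not part of the original post): it performs the SMTP STARTTLS exchange itself with each name as SNI and relies on the system CA store (which trusts Let's Encrypt) to reject a certificate that does not cover the name. It assumes Postfix listens on localhost:25 and that example.net is the default (non-SNI) name.

```python
"""Added check: STARTTLS to Postfix once per SNI name and verify that the
certificate it presents covers that name (verified via the system CA store)."""
import socket
import ssl

def parse_sni_map(text):
    """Server names (first column) of the tls_server_sni_maps source file."""
    lines = (line.strip() for line in text.splitlines())
    return [line.split()[0] for line in lines if line and not line.startswith("#")]

def reply_code(data):
    """Code of a complete SMTP reply in data, else None ('NNN-' lines continue)."""
    lines = data.split(b"\r\n")
    last = lines[-2] if len(lines) > 1 else b""  # last CRLF-terminated line
    return last[:3].decode() if len(last) >= 4 and last[3:4] == b" " else None

def _expect(sock, code, cmd=None):
    """Send cmd (if given) and require an SMTP reply with the expected code."""
    if cmd:
        sock.sendall(cmd + b"\r\n")
    data = b""
    while (got := reply_code(data)) is None:
        chunk = sock.recv(4096)
        if not chunk:
            raise RuntimeError("connection closed by server")
        data += chunk
    if got != code:
        raise RuntimeError(f"expected {code}, got {got}: {data!r}")

def check_sni(host, port, servername, timeout=10):
    """STARTTLS with SNI=servername; return the DNS SANs of the certificate
    presented, or raise ssl.SSLCertVerificationError if it does not cover it."""
    ctx = ssl.create_default_context()  # chain and hostname verification on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _expect(sock, "220")  # server greeting
        _expect(sock, "250", b"EHLO sni-check.invalid")
        _expect(sock, "220", b"STARTTLS")
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            sans = tls.getpeercert().get("subjectAltName", ())
            return [value for kind, value in sans if kind == "DNS"]

if __name__ == "__main__":  # assumption: example.net is the default (non-SNI) name
    with open("/etc/postfix/vmail_ssl.map") as f:
        for name in ["example.net"] + parse_sni_map(f.read()):
            try:
                print(name, "->", check_sni("localhost", 25, name))
            except ssl.SSLCertVerificationError as err:
                print(name, "-> WRONG CERTIFICATE:", err.verify_message)
```

Run it after every postmap -F and service restart; a name printed with WRONG CERTIFICATE means Postfix served the default chain (or a stale table entry) for that SNI name.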