How to Configure Postfix and Dovecot with Multiple SSL Certificates for Different Domains

When running a mail server hosting multiple domains, you'll often need separate SSL certificates for each domain. The standard Postfix and Dovecot configurations expect single certificate paths, which creates challenges when you need to:

  • Serve mail.example.it with its own certificate
  • Serve mail.example.com with a different certificate
  • Maintain clean configuration without service restarts

For Postfix, we'll use SNI (Server Name Indication) to serve different certificates. Edit your /etc/postfix/main.cf:

# Base TLS configuration
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may

# SNI map configuration
tls_server_sni_maps = hash:/etc/postfix/sni_map

Create /etc/postfix/sni_map:

# hostname  private key first, then the certificate chain (the order Postfix expects)
mail.example.it  /etc/letsencrypt/live/mail.example.it/privkey.pem  /etc/letsencrypt/live/mail.example.it/fullchain.pem
mail.example.com /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/letsencrypt/live/mail.example.com/fullchain.pem

Compile the map and restart Postfix. The `-F` flag is required for this table: postmap reads the key and certificate files and stores their contents in the map, so the map must be rebuilt whenever the files change:

postmap -F hash:/etc/postfix/sni_map
systemctl restart postfix

Dovecot also supports SNI. Edit /etc/dovecot/conf.d/10-ssl.conf:

# Base SSL configuration (default certificate, used when a client sends no SNI name)
ssl = required
ssl_prefer_server_ciphers = yes
ssl_cert = </etc/letsencrypt/live/mail.example.it/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.it/privkey.pem

# SNI configuration: one local_name block per hostname clients connect to
local_name mail.example.it {
  ssl_cert = </etc/letsencrypt/live/mail.example.it/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.example.it/privkey.pem
}

local_name mail.example.com {
  ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
}

Verify both services are using the correct certificates:

# Test Postfix (stdin redirected from /dev/null so s_client exits instead of waiting for input)
openssl s_client -connect mail.example.it:25 -starttls smtp -servername mail.example.it </dev/null | openssl x509 -noout -subject

# Test Dovecot
openssl s_client -connect mail.example.com:993 -servername mail.example.com </dev/null | openssl x509 -noout -subject

For Let's Encrypt certificates, add a post-renewal hook so the SNI map is rebuilt from the renewed files and both services pick them up:

#!/bin/bash
# Save as an executable script in /etc/letsencrypt/renewal-hooks/post/
postmap -F hash:/etc/postfix/sni_map
systemctl reload postfix dovecot

When running a mail server hosting multiple domains, each with its own SSL/TLS certificate, you'll face configuration limitations in both Postfix and Dovecot. The standard configuration parameters only accept single certificate paths, but we can implement a more flexible solution.

For Postfix, we'll use SNI (Server Name Indication) support to serve different certificates based on the requested hostname. First ensure your Postfix version supports SNI (2.3+ recommended).

# Enable TLS
smtpd_tls_security_level = may

# Default key and certificate chain, used when the client sends no SNI name.
# smtpd_tls_chain_files replaces smtpd_tls_cert_file/smtpd_tls_key_file;
# it is a list of files in which each private key precedes its certificate chain.
smtpd_tls_chain_files =
    /etc/letsencrypt/live/mail.example.it/privkey.pem
    /etc/letsencrypt/live/mail.example.it/fullchain.pem

# SNI maps
tls_server_sni_maps = hash:/etc/postfix/sni_maps

Create /etc/postfix/sni_maps with content:

mail.example.it /etc/letsencrypt/live/mail.example.it/privkey.pem /etc/letsencrypt/live/mail.example.it/fullchain.pem
mail.example.com /etc/letsencrypt/live/mail.example.com/privkey.pem /etc/letsencrypt/live/mail.example.com/fullchain.pem

Then compile the map with `postmap -F`, which stores the contents of the key and certificate files in the table rather than their paths:

postmap -F hash:/etc/postfix/sni_maps

Dovecot also supports SNI since version 2.2.25. Here's how to configure it:

ssl = required
ssl_cert = </etc/letsencrypt/live/mail.example.it/fullchain.pem
ssl_key = </etc/letsencrypt/live/mail.example.it/privkey.pem

local_name mail.example.it {
  ssl_cert = </etc/letsencrypt/live/mail.example.it/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.example.it/privkey.pem
}

local_name mail.example.com {
  ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.example.com/privkey.pem
}

For Let's Encrypt renewal, add this hook to the certificate's renewal configuration (under /etc/letsencrypt/renewal/):

renew_hook = postmap -F hash:/etc/postfix/sni_maps && systemctl reload postfix dovecot

This rebuilds the SNI table from the renewed files and then makes both services reload their certificates.

To verify your configuration is working:

# Test Postfix (stdin from /dev/null so s_client exits after the handshake)
openssl s_client -connect mail.example.it:25 -starttls smtp -servername mail.example.it </dev/null | openssl x509 -noout -subject
openssl s_client -connect mail.example.com:25 -starttls smtp -servername mail.example.com </dev/null | openssl x509 -noout -subject

# Test Dovecot
openssl s_client -connect mail.example.it:993 -servername mail.example.it </dev/null | openssl x509 -noout -subject
openssl s_client -connect mail.example.com:993 -servername mail.example.com </dev/null | openssl x509 -noout -subject
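The commands above only print the subject for you to eyeball. The script below is an added example, not part of the original article: it checks that each SNI name on both services gets a certificate whose subjectAltName actually covers that name and that is not about to expire, which is what a renewal hook failure would break first. It assumes openssl 1.1.1 or newer and the hostnames and ports used in the article.

```shell
#!/bin/bash
# Added verification helper (not from the original article); assumes openssl 1.1.1+ (x509 -ext).
# Print the PEM leaf certificate HOST:PORT presents for SNI name NAME;
# a 4th argument "smtp" selects STARTTLS (port 25), otherwise implicit TLS (993).
fetch_cert() {
  if [ "${4:-}" = smtp ]; then
    openssl s_client -connect "$1:$2" -servername "$3" -starttls smtp </dev/null 2>/dev/null
  else
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null
  fi | openssl x509 2>/dev/null
}
# Return 0 if a SAN list as printed by openssl ("DNS:a, DNS:*.b") covers NAME
# (exact entries and single-label wildcards). Subshell body keeps IFS/set -f local.
san_matches() (
  name=$2
  set -f                          # "*.example.it" must not glob against files
  IFS=', '
  for entry in $(printf '%s' "$1" | sed 's/DNS://g'); do
    [ "$entry" = "$name" ] && exit 0
    case $entry in
      \*.*) [ "${name#*.}" = "${entry#\*.}" ] && exit 0 ;;
    esac
  done
  exit 1
)
# Check that HOST:PORT answers SNI name NAME with a certificate whose SAN covers
# NAME and that is still valid in DAYS days (default 14). Returns 0 on pass.
check_sni() {
  local host=$1 port=$2 name=$3 proto=${4:-} days=${5:-14} pem san
  pem=$(fetch_cert "$host" "$port" "$name" "$proto" || true)
  if [ -z "$pem" ]; then echo "FAIL $name:$port: no certificate received"; return 1; fi
  san=$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName | tail -n +2 | tr -d ' ')
  if ! san_matches "$san" "$name"; then
    echo "FAIL $name:$port: server picked a certificate for [$san], not $name"; return 1
  fi
  if ! printf '%s\n' "$pem" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null; then
    echo "FAIL $name:$port: certificate expires within $days days"; return 1
  fi
  echo "PASS $name:$port"
}
# Both names from the article on both services. Run live checks with: bash <this file> --run
check_all() {
  local rc=0 n
  for n in mail.example.it mail.example.com; do
    check_sni "$n" 25 "$n" smtp || rc=1
    check_sni "$n" 993 "$n" || rc=1
  done
  return $rc
}
if [ "${1:-}" = "--run" ]; then check_all; fi
```

Run it from cron or as a final step of the renewal hook; a non-zero exit means some name is being served the wrong or an expiring certificate.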