Postfix - Multiple domain SSL certificates
Published: 17 Nov 2022

Updating Postfix configuration
We first need to update the Postfix configuration with the settings available since Postfix 3.4. These settings tell Postfix to look in the SNI map file for the correct certificate to serve.
- smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
- smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
# provide the primary certificate for the server, to be used for outgoing connections
# (note the indentation of the continuation lines, and that the private key is listed before its certificate)
+ smtpd_tls_chain_files =
+     /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem,
+     /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
# provide the map to be used when SNI support is enabled
+ tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map
Create the SSL mapping file
We now need to tell Postfix which SSL certificate to serve for each domain. Each line should consist of <domain> <path to private key> <path to fullchain cert>, in that order.
# One host per line - /etc/postfix/vmail_ssl.map
+ mail.yourprimarymailserverdomain.com /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yourprimarymailserverdomain.com/fullchain.pem
+ mail.yoursecondarymailserverdomain.com /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/privkey.pem /etc/letsencrypt/live/mail.yoursecondarymailserverdomain.com/fullchain.pem
# add more domains with keys and certs as needed
Update and restart Postfix
Run the following commands to build the SNI map database and restart Postfix.
This step is important: without it, Postfix does not know where to read the certificates from. Because postmap -F stores the contents of the key and certificate files in the database (not just their paths), the postmap command must be run again whenever the certificates are renewed.
postmap -F hash:/etc/postfix/vmail_ssl.map
systemctl restart postfix
Testing your new configurations
To check that the certificates are being served without errors, run the following openssl command. If it connects successfully and shows the expected certificate for the name given in -servername, your certificates are working.
openssl s_client -connect localhost:25 -servername mail.mydomainname.com -starttls smtp
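The single openssl check above only covers one name. The following script is an added example, not part of the original post: it reads every entry from vmail_ssl.map, confirms the first file really is a private key (Postfix requires the key before the certificate), and compares the SHA-256 fingerprint of the certificate Postfix serves for that SNI name against the fullchain.pem listed in the map. MAP, HOST and PORT are illustrative defaults to adjust for your own setup.

```shell
#!/bin/sh
# Added check, not part of the original post. Assumes the "domain key cert"
# map layout described above and that openssl(1) is installed; MAP, HOST
# and PORT are illustrative defaults to adjust for your own setup.
MAP="${MAP:-/etc/postfix/vmail_ssl.map}"
HOST="${HOST:-localhost}"
PORT="${PORT:-25}"

# Print "domain key cert" for each real entry, skipping blank and comment lines.
map_entries() {
    awk '!/^[[:space:]]*(#|$)/ && NF >= 3 { print $1, $2, $3 }' "$1"
}

# SHA-256 fingerprint of the first (leaf) certificate in a PEM file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate Postfix serves when the client
# sends the given SNI name (the same openssl s_client call as above).
served_fingerprint() {
    openssl s_client -connect "$HOST:$PORT" -servername "$1" -starttls smtp \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# For every mapped domain: confirm the key file is a private key and that
# the certificate served for that SNI name is the one listed in the map.
# Returns 1 on the first failure.
check_map() {
    map_entries "$MAP" | while read -r domain key cert; do
        if ! openssl pkey -in "$key" -noout 2>/dev/null; then
            echo "BAD KEY  $domain: $key is not a private key"; exit 1
        fi
        want=$(file_fingerprint "$cert")
        got=$(served_fingerprint "$domain")
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            echo "OK       $domain"
        else
            echo "MISMATCH $domain: served ${got:-nothing}, expected $want"; exit 1
        fi
    done   # exit inside the loop ends the pipeline subshell with status 1
}

# Run the live check only when invoked as: sh sni_check.sh check
if [ "${1:-}" = "check" ]; then
    check_map
fi
```

Run it as root (or a user that can read the private keys) after every postmap -F and after each certificate renewal; a MISMATCH for a domain usually means the map was not rebuilt after the files changed.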