Use SNI in dovecot and postfix
What to do when you have multiple certificates from Let's Encrypt, each stored as a separate crt/key file pair.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure sites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546.
To make my mail server handle multiple certificates (in my case the files are generated by the Caddy web server, which also takes care of renewal), the following is needed for dovecot and postfix.
For dovecot, add the following to /usr/local/etc/dovecot/dovecot.conf:
# mail.ostreff.info
local_name mail.ostreff.info {
ssl_cert = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.ostreff.info/mail.ostreff.info.crt
ssl_key = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.ostreff.info/mail.ostreff.info.key
}
# mail.classic-bg.net
local_name mail.classic-bg.net {
ssl_cert = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.classic-bg.net/mail.classic-bg.net.crt
ssl_key = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.classic-bg.net/mail.classic-bg.net.key
}
# mail.albena-bg.be
local_name mail.albena-bg.be {
ssl_cert = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.albena-bg.be/mail.albena-bg.be.crt
ssl_key = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.albena-bg.be/mail.albena-bg.be.key
}
# mail.realesr.ostreff.info
local_name mail.realesr.ostreff.info {
ssl_cert = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.realesr.ostreff.info/mail.realesr.ostreff.info.crt
ssl_key = </var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.realesr.ostreff.info/mail.realesr.ostreff.info.key
}
For postfix, create a file named /usr/local/etc/postfix/vmail_ssl.map with the following content:
# SNI name, then the private key file, then the certificate chain file.
# Indented lines continue the entry above them (postmap input format).
# Postfix requires each private key to precede its certificate chain,
# so the .key file is listed before the .crt file.
mail.ostreff.info
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.ostreff.info/mail.ostreff.info.key
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.ostreff.info/mail.ostreff.info.crt
mail.classic-bg.net
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.classic-bg.net/mail.classic-bg.net.key
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.classic-bg.net/mail.classic-bg.net.crt
mail.albena-bg.be
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.albena-bg.be/mail.albena-bg.be.key
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.albena-bg.be/mail.albena-bg.be.crt
mail.realesr.ostreff.info
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.realesr.ostreff.info/mail.realesr.ostreff.info.key
    /var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.realesr.ostreff.info/mail.realesr.ostreff.info.crt
Then tell postfix about this SNI map by adding the following line, which points to the /usr/local/etc/postfix/vmail_ssl.map created previously, to /usr/local/etc/postfix/main.cf:
tls_server_sni_maps = hash:/usr/local/etc/postfix/vmail_ssl.map
Next, compile the map and restart postfix and dovecot so the change takes effect:
postmap -F hash:/usr/local/etc/postfix/vmail_ssl.map
service postfix restart
service dovecot restart
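Both daemons have to agree on which certificate serves which name, and the two snippets above are easy to let drift apart when a hostname is added. One way to keep them in sync is to generate both from a single hostname list and check the referenced files before restarting anything. The script below is an added example written for this article, not code from the article, Dovecot, Postfix or Caddy; it reuses the article's hostnames and Caddy directory layout, while the output file names dovecot-sni.conf and vmail_ssl.map in the current directory are assumptions.

```python
"""Generate matching Dovecot local_name blocks and a Postfix SNI map from one
hostname list, so the two daemons cannot disagree about which certificate
serves which name.  Added example for this article; the hostnames and the
Caddy certificate layout come from it, everything else is assumed."""
import sys
from pathlib import Path

# Caddy's ACME storage layout as shown in the article: one directory per
# hostname, holding <host>.crt (leaf plus chain) and <host>.key.
CADDY_CERT_DIR = Path(
    "/var/db/caddy/data/caddy/certificates/acme-v02.api.letsencrypt.org-directory"
)

HOSTNAMES = [
    "mail.ostreff.info",
    "mail.classic-bg.net",
    "mail.albena-bg.be",
    "mail.realesr.ostreff.info",
]


def cert_paths(host, base=CADDY_CERT_DIR):
    """Return (certificate, private key) paths for one hostname."""
    return base / host / f"{host}.crt", base / host / f"{host}.key"


def dovecot_local_names(hosts, base=CADDY_CERT_DIR):
    """One local_name block per hostname.  Dovecot selects the block whose
    name equals the SNI name sent by the client and falls back to the
    global ssl_cert/ssl_key otherwise."""
    blocks = []
    for host in hosts:
        crt, key = cert_paths(host, base)
        blocks.append(
            f"# {host}\n"
            f"local_name {host} {{\n"
            f"  ssl_cert = <{crt}\n"
            f"  ssl_key = <{key}\n"
            f"}}"
        )
    return "\n".join(blocks) + "\n"


def postfix_sni_map(hosts, base=CADDY_CERT_DIR):
    """Source file for tls_server_sni_maps.  The lookup key is the SNI name;
    the value is a whitespace-separated list of PEM files, which postmap -F
    reads and stores in the compiled table.  Postfix wants each private key
    to precede its certificate chain, so the key file is listed first.
    Indented lines are continuation lines in postmap's input format."""
    lines = ["# SNI name, then private key file, then certificate chain file"]
    for host in hosts:
        crt, key = cert_paths(host, base)
        lines.append(f"{host}\n    {key}\n    {crt}")
    return "\n".join(lines) + "\n"


def missing_files(hosts, base=CADDY_CERT_DIR):
    """Paths referenced by the generated config that do not exist, so a typo
    is caught before postmap -F or a Dovecot restart trips over it."""
    return [p for host in hosts for p in cert_paths(host, base) if not p.is_file()]


if __name__ == "__main__":
    # Assumed output locations; the article's real config files are
    # /usr/local/etc/dovecot/dovecot.conf and /usr/local/etc/postfix/vmail_ssl.map.
    Path("dovecot-sni.conf").write_text(dovecot_local_names(HOSTNAMES))
    Path("vmail_ssl.map").write_text(postfix_sni_map(HOSTNAMES))
    for path in missing_files(HOSTNAMES):
        print(f"missing: {path}", file=sys.stderr)
```

Run it after Caddy has issued a new certificate, diff the generated files against the live configuration, and only then run postmap -F and restart the services; a missing file is reported on stderr before anything is reloaded.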
Verification of postfix can be done like this:
$ openssl s_client -connect localhost:25 -servername mail.ostreff.info -starttls smtp
$ openssl s_client -connect localhost:25 -servername mail.classic-bg.net -starttls smtp
For dovecot verification use this:
$ openssl s_client -showcerts -connect mail.classic-bg.net:993 -servername mail.classic-bg.net
CONNECTED(00000017)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = mail.classic-bg.net
verify return:1
---
Certificate chain
0 s:/CN=mail.classic-bg.net
i:/C=US/O=Let's Encrypt/CN=E5
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=E5
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.classic-bg.net
issuer=/C=US/O=Let's Encrypt/CN=E5
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 2492 bytes and written 317 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
Session-ID: EE4DA96B512055BEFCC011C24B91726241D4A85089F808EB8F8D9BB2F84E51C0
Session-ID-ctx:
Master-Key: E0D593508F471ABCA9202A4856A7C6A1402C0E521DD48943180F20D97C411F310BFB47B39B295224F71101E8B7258F7E
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - f0 6d 7f 03 09 b3 85 1c-fe 66 53 af fa 7e a3 32 .m.......fS..~.2
0010 - e0 e6 c2 bd eb ac 25 bd-d7 a5 94 25 d1 fd cb a2 ......%....%....
0020 - e0 95 d9 64 1e b8 6d 90-eb 14 2e 15 ff 03 1a 11 ...d..m.........
0030 - 47 b0 4e 4f 45 5d 05 db-23 83 66 32 49 56 ea 6e G.NOE]..#.f2IV.n
0040 - 57 4d 8e c8 1f 9f d6 89-99 82 4e c5 31 d4 4a 01 WM........N.1.J.
0050 - 42 2e c9 c6 d7 0a cc 9e-16 85 04 ee 75 0b 57 0c B...........u.W.
0060 - 42 86 29 e9 cc 34 b5 4c-0c 2d a5 08 1a 1c 98 18 B.)..4.L.-......
0070 - a5 41 96 89 89 ea e9 4b-b1 b7 2b c0 75 0d aa 8c .A.....K..+.u...
0080 - 48 73 fc ce a5 a2 e5 c2-8f 52 49 ee 7a a7 00 08 Hs.......RI.z...
0090 - 9f 5e f1 bd 98 90 74 50-cf 6b 3a 0c b9 fd 40 fe .^....tP.k:...@.
00a0 - c0 22 f1 85 05 e3 a3 f6-4f 8f 92 39 95 9a 53 80 ."......O..9..S.
Start Time: 1755126431
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] Dovecot ready.
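The openssl s_client runs above show the presented certificate for one name at a time, and a human has to read the subject line to see whether it is the right one. The script below, an added example written for this article rather than code from it, automates that check for every hostname on both SMTP with STARTTLS and IMAPS: it sends the name as SNI, verifies the chain against the system CA store, and then judges the name itself, so the classic SNI misconfiguration (a valid certificate for a different hostname) is reported as WRONG CERT rather than as a bare handshake error. The target localhost and the ports 25 and 993 are assumptions, as is the EHLO name sni-check.invalid.

```python
"""Verify that a mail server answers each SNI name with a certificate that is
valid for that name, on SMTP with STARTTLS and on IMAPS.  Added example for
this article, not part of it; it automates the openssl s_client checks the
article does by hand.  Target host and ports are assumptions."""
import socket
import ssl

HOSTNAMES = [
    "mail.ostreff.info",
    "mail.classic-bg.net",
    "mail.albena-bg.be",
    "mail.realesr.ostreff.info",
]


def dns_name_matches(pattern, hostname):
    """Match one DNS subjectAltName entry against a hostname: case-insensitive,
    and a wildcard is accepted only as the entire left-most label, so
    *.example.com covers mail.example.com but not example.com or a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_name(cert, hostname):
    """cert is the dict returned by SSLSocket.getpeercert().  Only DNS SANs are
    consulted when any SAN is present; the CN is a fallback for SAN-less
    certificates, which Let's Encrypt does not issue."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(dns_name_matches(san, hostname) for san in sans)
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]
    return any(dns_name_matches(cn, hostname) for cn in cns)


def _smtp_starttls(sock):
    """Minimal SMTP dialogue up to the 220 reply to STARTTLS, after which the
    socket can be wrapped in TLS.  smtplib is not used because it always sends
    the connected host as SNI, and here the SNI name must differ from it."""
    reader = sock.makefile("rb")

    def reply():
        lines = []
        while True:
            line = reader.readline()
            if not line:
                raise ConnectionError("server closed the connection")
            lines.append(line.decode("ascii", "replace").rstrip("\r\n"))
            if line[3:4] != b"-":  # "250-" continues a reply, "250 " ends it
                return lines

    banner = reply()
    if not banner[0].startswith("220"):
        raise RuntimeError(f"unexpected banner: {banner[0]}")
    sock.sendall(b"EHLO sni-check.invalid\r\n")  # assumed client name
    reply()
    sock.sendall(b"STARTTLS\r\n")
    answer = reply()
    if not answer[0].startswith("220"):
        raise RuntimeError(f"STARTTLS refused: {answer[0]}")


def check_sni(host, port, servername, starttls_smtp=False, timeout=10):
    """Connect to host:port, send servername as SNI and return (covers_name, cert).
    The chain is still verified against the system CA store, but hostname
    checking is disabled and done by cert_covers_name, so a valid certificate
    for the wrong name shows up as a mismatch instead of a bare SSL error."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if starttls_smtp:
            _smtp_starttls(raw)
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            cert = tls.getpeercert()
    return cert_covers_name(cert, servername), cert


if __name__ == "__main__":
    # Assumed: both daemons run on this machine, Postfix on 25, Dovecot on 993.
    for name in HOSTNAMES:
        for port, starttls in ((25, True), (993, False)):
            try:
                ok, cert = check_sni("localhost", port, name, starttls_smtp=starttls)
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                print(f"{name}:{port} {'OK' if ok else 'WRONG CERT'} presented {sans}")
            except (OSError, RuntimeError) as exc:
                print(f"{name}:{port} ERROR {exc}")
```

An ERROR line means the chain itself did not validate (expired, self-signed or untrusted issuer) or the service refused STARTTLS; a WRONG CERT line means the daemon is still handing out its default certificate for that name, which is what happens when an SNI entry is missing or its files failed to load.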
- This article is based on the following explanations of the same topic.