After giving my CWP Server SNI for dovecot (see here https://forum.centos-webpanel.com/index.php?topic=11155.0) I worked on doing the same for postfix. Same OS/Environment: Proxmox LXC container with CentOS 8.
First we need to set up Postfix with a basic cert which kicks in when no SNI is triggered.
I used the self-signed cert which was already there after setting up CWP:
/etc/pki/tls/certs/mailer.cwpserver.eu.crt
/etc/pki/tls/certs/ca-bundle.crt
and combined it in:
cat /etc/pki/tls/certs/mailer.cwpserver.eu.crt /etc/pki/tls/certs/ca-bundle.crt > /etc/pki/tls/certs/mailer.cwpserver.eu.full_chain.pem
That last pem and the key file you add at the end of
/etc/postfix/main.cf:
...
smtpd_tls_chain_files = /etc/pki/tls/private/mailer.cwpserver.eu.key /etc/pki/tls/certs/mailer.cwpserver.eu.full_chain.pem
Additionally we also add in main.cf the file for SNI:
tls_server_sni_maps = hash:/etc/postfix/sni
In that file (/etc/postfix/sni) you add your domains and the keys and certs like this:
<domain> <key> <certs>
e.g.
domain2.eu /etc/pki/tls/private/domain2.eu.key /etc/pki/tls/certs/domain2.eu.fullchain
domain2.eu.fullchain is created via:
cd /etc/pki/tls/certs/
cat domain2.eu.cert domain2.eu.bundle > domain2.eu.fullchain
Finally you have to create the map:
postmap -F hash:/etc/postfix/sni
and restart postfix:
service postfix restart
Like with dovecot it is not automatically renewed - I am working on some scripts to do that in the future.
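
A pre-flight check for the /etc/postfix/sni source file described above, as an added example that is not part of the original post. It assumes one entry per line in the post's layout (domain, key file, then one or more certificate files); the function names and the permission check are this example's own.

```shell
#!/bin/sh
# Added example: validate the SNI map source before running postmap -F.
# Assumed line layout (from the post): <domain> <key file> <cert chain file(s)>

problems=0
fail() {                      # report one problem and count it
    echo "line $lineno ($domain): $1"
    problems=$((problems + 1))
}

check_sni_map() {             # usage: check_sni_map /etc/postfix/sni
    map=$1
    problems=0 lineno=0
    # "|| [ -n ... ]" also processes a last line that lacks a newline.
    while read -r domain key chain || [ -n "$domain" ]; do
        lineno=$((lineno + 1))
        case $domain in ''|'#'*) continue ;; esac     # blank line or comment
        if [ -z "$key" ] || [ -z "$chain" ]; then
            fail "expected <domain> <key> <certs>"; continue
        fi
        if [ ! -r "$key" ]; then
            fail "key $key is missing or unreadable"
        else
            grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" ||
                fail "$key holds no PEM private key (key must come first)"
            # Permission bits for group and other must all be '-'.
            [ "$(ls -lLd -- "$key" | cut -c5-10)" = "------" ] ||
                fail "$key is accessible to group or other users"
        fi
        for f in $chain; do   # one or more certificate files
            if [ ! -r "$f" ]; then
                fail "certificate file $f is missing or unreadable"
            else
                grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
                    fail "$f holds no PEM certificate"
            fi
        done
    done < "$map"
    [ "$problems" -eq 0 ]     # success only when nothing was reported
}
```

Run `check_sni_map /etc/postfix/sni` before `postmap -F hash:/etc/postfix/sni`. Because `postmap -F` stores the contents of the key and certificate files in the map, the map has to be rebuilt after every certificate renewal.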