postfix SNI
« on: August 23, 2021, 02:38:26 PM »
After giving my CWP server SNI for Dovecot (see here), I worked on doing the same for Postfix. Same OS/environment: Proxmox LXC container with CentOS 8.

First we need to set up Postfix with a basic cert which kicks in when no SNI is triggered.
I used the self-signed cert which was already there after setting up CWP:


and combined it in:
cat /etc/pki/tls/certs/ /etc/pki/tls/certs/ca-bundle.crt > /etc/pki/tls/certs/

That last pem and the key file you add at the end of /etc/postfix/
smtpd_tls_chain_files = /etc/pki/tls/private/ /etc/pki/tls/certs/

additionally we also add in the file for SNI:
tls_server_sni_maps = hash:/etc/postfix/sni

In that file (/etc/postfix/sni) you add your domains and the keys and certs like this
e.g. /etc/pki/tls/private/ /etc/pki/tls/certs/ is created via:
cd /etc/pki/tls/certs/
cat >

finally you have to create the map:
postmap -F hash:/etc/postfix/sni

and restart postfix:
service postfix restart

Like with Dovecot, it is not automatically renewed - I am working on some scripts to do that in the future.
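
A pre-flight check for the /etc/postfix/sni table from the post above, as an added example that is not part of the original post: it confirms each entry lists readable PEM files with the private key first (the order Postfix expects for chain files) before the table is compiled. The function name check_sni_map and the world-readable key check are assumptions of this example.

```shell
#!/bin/sh
# Added example: lint a Postfix SNI table before running `postmap -F` on it.
# Entry format: <server name> <PEM file> [<PEM file> ...]; the private key
# must come first, ahead of its certificate chain.
# check_sni_map is a hypothetical helper name, not a Postfix command.
check_sni_map() {
    map=$1
    bad=0
    [ -r "$map" ] || { echo "cannot read $map" >&2; return 2; }
    while read -r name files || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac   # blank line or comment
        if [ -z "$files" ]; then
            echo "$name: no key/certificate files listed" >&2
            bad=1
            continue
        fi
        first=1
        has_cert=0
        for f in $files; do
            if [ ! -r "$f" ]; then
                echo "$name: $f is missing or unreadable" >&2
                bad=1
            elif [ "$first" -eq 1 ]; then
                if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
                    echo "$name: first file $f holds no private key" >&2
                    bad=1
                elif [ -n "$(find -L "$f" -perm -004)" ]; then
                    echo "$name: key file $f is world-readable" >&2
                    bad=1
                fi
            fi
            if [ -r "$f" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
                has_cert=1
            fi
            first=0
        done
        if [ "$has_cert" -eq 0 ]; then
            echo "$name: no certificate in the listed files" >&2
            bad=1
        fi
    done < "$map"
    return "$bad"
}

# Usage: check_sni_map /etc/postfix/sni && postmap -F hash:/etc/postfix/sni
```

The same check can run from a renewal script, so a swapped or missing file is caught before Postfix is restarted.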

Re: postfix SNI
« Reply #1 on: August 23, 2021, 08:52:46 PM »
All certs should be set from the CWP SSL manager, as it makes the config (including postfix/dovecot) and does auto-renew.
