On 14/05/2017 at 15:45, Edgar Pettijohn wrote:
> On 05/14/17 07:20, Bruno Pagani wrote:
>>
>> On 14/05/2017 at 09:59, Mik J wrote:
>>
>>> Thank you Edgar,
>>> You wrote multiple IP addresses. Does it mean that 1 IP address = 1
>>> certificate?
>>> Can't we do 1 IP address = x certificates?
>>
>> No, you can do 1 IP = x certs, thanks to SNI. I do that, my conf:
>>
>> pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
>> pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
>> pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
>> pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
>>
>> listen on <IP/dev> hostname <defaulthostname> port 25 tls
>>
>> The hostname part is only necessary if you want to advertise a
>> specific hostname when contacted without SNI. The important thing is
>> to not specify a pki.
>>
>> Regards,
>> Bruno
> I think I used two because the <hostname> table is a mapping from an
> ip to a name. I'll have to give this a try.

It’s a table if you use the hostnameS parameter. But you’re not forced to. It helps if you’re facing servers without SNI. But I don’t expect any such server to be compliant with modern mail rules (SPF, DKIM…) anyway, or even to check the certificate/support non-broken crypto.

Bruno
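
A small lint for the setup discussed in this thread, as an added example that is not part of the original messages or of OpenSMTPD: it checks that every pki name has both a certificate and a key, and flags listeners that pin a pki, which the quoted post says to avoid when relying on SNI. The function name `check_sni_conf`, the addresses and the host names in the sample are constructed.

```python
import re

# Constructed sample in the syntax quoted in the thread (names and paths are placeholders).
SAMPLE_CONF = '''\
pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
listen on 192.0.2.10 hostname mx.example.org port 25 tls
listen on 192.0.2.11 port 587 tls pki domain1.com
'''

PKI_RE = re.compile(r'^pki\s+(\S+)\s+(certificate|key)\s+"?([^"\s]+)"?')
TLS_OPTIONS = {'tls', 'tls-require', 'smtps', 'secure'}

def check_sni_conf(text):
    """Return (pki_map, findings) for an smtpd.conf fragment."""
    pki, listens, findings = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()      # drop trailing comments
        m = PKI_RE.match(line)
        if m:
            pki.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif line.startswith('listen on '):
            listens.append((lineno, line.split()))
    # Every pki name needs both halves, or the TLS setup for that name is incomplete.
    for name, parts in sorted(pki.items()):
        for need in ('certificate', 'key'):
            if need not in parts:
                findings.append(f'pki {name}: missing {need}')
    for lineno, tokens in listens:
        if 'pki' in tokens[:-1]:
            # Per the thread: a listener with an explicit pki is not left to pick by SNI.
            pinned = tokens[tokens.index('pki') + 1]
            findings.append(f'line {lineno}: listener pinned to pki {pinned}')
        elif not TLS_OPTIONS & set(tokens):
            findings.append(f'line {lineno}: listener has no TLS option')
    return pki, findings

if __name__ == '__main__':
    for finding in check_sni_conf(SAMPLE_CONF)[1]:
        print(finding)
```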
