Hello Bruno, Edgar,
Thank you for sharing
You wrote domain1.com and domain2.com but you don't use them thereafter:

pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
listen on <IP/dev> hostname <defaulthostname> port 25 tls
Also, could you repeat what <defaulthostname> is, a table of IP addresses?
Could you post your complete configuration, because I don't understand it right
now.
On Sunday, 14 May 2017 at 16:16, Bruno Pagani <[email protected]> wrote:

> On 14/05/2017 at 15:45, Edgar Pettijohn wrote:
>> On 05/14/17 07:20, Bruno Pagani wrote:
>>> On 14/05/2017 at 09:59, Mik J wrote:
>>>> Thank you Edgar, You wrote multiple IP addresses. Does it mean that 1 IP
>>>> address = 1 certificate? Can't it be 1 IP address = x certificates?
>>> No, you can do 1 IP = x certs, thanks to SNI. I do that, my conf:
>>>
>>> pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
>>> pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
>>> pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
>>> pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
>>> listen on <IP/dev> hostname <defaulthostname> port 25 tls
>>>
>>> The hostname part is only necessary if you want to advertise a specific
>>> hostname when contacted without SNI. The important thing is to not specify a
>>> pki.
>>>
>>> Regards,
>>> Bruno
>> I think I used two because the <hostname> table is a mapping from an IP to a
>> name. I'll have to give this a try.
> It’s a table if you use the hostnameS parameter. But you’re not forced to. It
> helps if you’re facing servers without SNI. But I don’t expect any such server
> to be compliant with modern mail rules (SPF, DKIM…) anyway, or even to check the
> certificate/support non-broken crypto.
>
> Bruno
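The thread boils down to two rules for one-IP-many-certificates on OpenSMTPD: declare one `pki <name>` certificate/key pair per name you want selectable by SNI, and leave the `pki` keyword off the `listen ... tls` line so the listener does not pin a single certificate. The following checker is an added example, not code from the thread or from the OpenSMTPD project. It parses only the `pki` and `listen` lines of an smtpd.conf-style text and reports what a reviewer would look for: incomplete pki entries, a `listen` line that pins a pki, and a `hostname` on a TLS listener that has no pki entry of the same name (the assumption, from Bruno's remark, being that the listener's hostname is what non-SNI clients are served). The function name `check_smtpd_conf` and the sample configurations are constructed for this example.

```python
"""Static check of an smtpd.conf-style text for the SNI setup described in the thread.

Added example, not the project's own tool. Assumptions (from the thread, not verified
against every OpenSMTPD release): each `pki <name>` block is selectable by SNI, a
`listen` line without `pki` lets SNI pick the certificate, and the listener's
`hostname` is the name shown to clients that send no SNI.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PkiEntry:
    name: str
    certificate: Optional[str] = None
    key: Optional[str] = None


@dataclass
class Report:
    pki: Dict[str, PkiEntry] = field(default_factory=dict)
    sni_names: List[str] = field(default_factory=list)   # complete cert+key pairs
    warnings: List[str] = field(default_factory=list)


TLS_KEYWORDS = ("tls", "tls-require", "smtps")   # listen options that enable TLS


def _value_after(toks: List[str], keyword: str) -> Optional[str]:
    """Return the token following `keyword`, or None if absent/missing."""
    if keyword not in toks:
        return None
    idx = toks.index(keyword)
    return toks[idx + 1] if idx + 1 < len(toks) else None


def check_smtpd_conf(text: str) -> Report:
    rep = Report()
    listens: List[Tuple[int, List[str]]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments (paths with '#' unsupported)
        if not line:
            continue
        toks = shlex.split(line)              # honours the quoted paths in pki lines
        if toks[0] == "pki" and len(toks) >= 4:
            name, attr, path = toks[1], toks[2], toks[3]
            entry = rep.pki.setdefault(name, PkiEntry(name))
            if attr == "certificate":
                entry.certificate = path
            elif attr == "key":
                entry.key = path
            else:
                rep.warnings.append(f"line {lineno}: unknown pki attribute {attr!r}")
        elif toks[0] == "listen":
            listens.append((lineno, toks))

    # A pki entry only serves SNI if both halves are present.
    for name, entry in rep.pki.items():
        if entry.certificate is None:
            rep.warnings.append(f"pki {name}: missing certificate")
        elif entry.key is None:
            rep.warnings.append(f"pki {name}: missing key")
        else:
            rep.sni_names.append(name)

    for lineno, toks in listens:
        if not any(k in toks for k in TLS_KEYWORDS):
            continue                          # plaintext listener, nothing to check
        pinned = _value_after(toks, "pki")
        if "pki" in toks:
            rep.warnings.append(
                f"line {lineno}: listen pins pki {pinned!r}; drop it so SNI can choose "
                f"among {sorted(rep.sni_names)}")
        host = _value_after(toks, "hostname")
        if host is not None and host not in rep.pki:
            rep.warnings.append(
                f"line {lineno}: hostname {host!r} has no pki entry of that name; "
                f"check which certificate clients without SNI will be shown")
    return rep


if __name__ == "__main__":
    # Constructed sample in the shape of Bruno's configuration.
    good = """
pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
listen on eth0 hostname domain1.com port 25 tls
"""
    for w in check_smtpd_conf(good).warnings or ["no findings"]:
        print(w)
```

Run it against the real file with `check_smtpd_conf(open("/etc/smtpd.conf").read())`; an empty `warnings` list together with both domains in `sni_names` is the configuration state the thread recommends.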