Hello, I'm having issues getting SNI to work, or maybe I'm misunderstanding its purpose. I have three domains, all pointing to the same server, and would like opensmtpd to serve the right certificate depending on which one was used for the connection. The manpage mentions using "*" as a pki name for SNI, so my first attempt was something like:

    pki "*" cert "/etc/certs/domain1/fullchain.pem"
    pki "*" key "/etc/certs/domain1/privkey.pem"
    pki "*" cert "/etc/certs/domain2/fullchain.pem"
    pki "*" key "/etc/certs/domain2/privkey.pem"
    ...
    listen on 0.0.0.0 tls pki "*"

However, that led to the last pki cert/key defined always being used. Looking at the archive of this mailing list, it seems what I should be doing is:

    pki domain1 cert "/etc/certs/domain1/fullchain.pem"
    pki domain1 key "/etc/certs/domain1/privkey.pem"
    pki domain2 cert "/etc/certs/domain2/fullchain.pem"
    pki domain2 key "/etc/certs/domain2/privkey.pem"
    ...
    listen on 0.0.0.0 tls

leaving out the pki option of the listen directive, but that didn't work: the debug output of smtpd says that it is 'looking up pki "okanieba"' (my hostname), followed by a disconnection "reason=ca-failure".

Wanting my server to get back to a "working" state where it simply serves the wrong certificate but proceeds happily if the client doesn't mind, I changed the listen directive to 'listen on 0.0.0.0 tls pki domain1', and to my surprise that also made SNI work? The debug output always says it looks up domain1's pki, but when supplying domain2 as server name on connection it serves domain2's certificate.

Is this expected behavior? Also, what is the purpose of "*" then?

Regards,
papush
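A way to check from the outside which certificate each SNI name actually gets, as an added example that is not part of the original post or of OpenSMTPD itself: it uses openssl s_client with -servername and -starttls smtp (the port-25 STARTTLS listener that "listen on 0.0.0.0 tls" configures) and reports whether the served certificate covers the requested name. The hostnames and port are placeholders; the openssl text-dump format is assumed to be the usual one with "Subject:" and "DNS:" lines.

```shell
#!/bin/sh
# Verify OpenSMTPD SNI: which certificate does the listener present for a name?
# Placeholder usage: sni_matches mail.example.test 25 domain2 && echo "domain2 ok"

# Extract the DNS names a certificate covers from an `openssl x509 -text` dump
# ($1 is a file path, or "-" for stdin): the subject CN plus every
# subjectAltName DNS entry, one per line, deduplicated.
cert_dns_names() {
    sed -n \
        -e 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' \
        -e 's/^ *DNS:/DNS:/p' "$1" \
    | tr ',' '\n' \
    | sed -e 's/^ *DNS://' -e 's/^ *//' -e 's/ *$//' -e '/^$/d' \
    | sort -u
}

# Fetch the certificate the listener presents when the client sends SNI=$3.
# Assumes a STARTTLS listener (OpenSMTPD "listen ... tls"), not implicit TLS.
sni_served_names() {
    host=$1 port=$2 name=$3
    openssl s_client -connect "$host:$port" -starttls smtp -servername "$name" \
        </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | cert_dns_names -
}

# Exit 0 if the served certificate literally lists the requested name
# (a wildcard entry such as *.domain1 would need a separate match rule).
sni_matches() {
    sni_served_names "$1" "$2" "$3" | grep -qxF "$3"
}
```

Run it once per configured domain; a name whose check fails is one for which the listener fell back to a different pki entry.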