> > I have two IP addresses on my server and would like to serve a different
> > SSL (TLS) certificate for each one. I think all the other configuration
> > will not need to differ between the two, so I think running multiple
> > instances of postfix would be overkill (?).
> >
> > I want to confirm that it would be possible/viable/advisable to simply
> > create two smtpd processes in master.cf:
> >
> >
> > 1.2.3.4:smtp inet n - n - - smtpd
> >   -o myhostname=mail.domainA.com
> >   -o mydomain=domainA.com
> >   -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
> >   -o smtpd_tls_key_file=/etc/postfix/domainA.key
> >
> > 4.3.2.1:smtp inet n - n - - smtpd
> >   -o myhostname=mail.domainB.com
> >   -o mydomain=domainB.com
> >   -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
> >   -o smtpd_tls_key_file=/etc/postfix/domainB.key
>
> The rest of Postfix needs to know where it should deliver mail for
> mail.domainB.com, domainB.com, mail.domainA.com, and domainA.com.
Oh, perhaps I didn't make it clear that I have a whole bunch of other
configuration in main.cf, which includes MySQL lookups for transport_maps and
virtual_mailbox_maps. On a single IP address with one TLS certificate, it
routes/accepts mail for domainA and domainB as needed. My assumption above is
that as long as I don't override all the settings that make my mail delivery
work with one IP/TLS certificate, I can just change what TLS certificate is
offered up for each of my IP addresses.
> Otherwise, the Postfix SMTP server will reject mail with "relay
> access denied", and the Postfix SMTP client will reject mail with
> "mail loops back to myself".
Does my clarification above change your opinion about this? Why wouldn't mail
for domainA and domainB be treated the same as before (when using just one
IP/TLS cert) if I don't override any other settings?
> Note that the Postfix SMTP server does not make all decisions by
> itself. It relies on the trivial-rewrite service to decide how
> a domain should be handled.
>
> There is no official support for multiple domain personalities.
Right, I understand this is not as much a "domain personality" as it is a
per-IP change.
Thanks so very, very much.
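
An added example, not part of the original message: a small Python audit of the two master.cf entries quoted above, listing which parameters each listener overrides beyond its TLS certificate and key. A `-o` override applies only to the smtpd process on that listener, while other daemons such as trivial-rewrite keep reading main.cf. The function names are hypothetical, the sample is constructed from the message, and the parser assumes the plain `-o name=value` form.

```python
import shlex

# Constructed sample: the master.cf entries from the message, with the
# leading whitespace that master.cf requires on continuation lines.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
1.2.3.4:smtp inet n - n - - smtpd
  -o myhostname=mail.domainA.com
  -o mydomain=domainA.com
  -o smtpd_tls_cert_file=/etc/postfix/domainA.crt
  -o smtpd_tls_key_file=/etc/postfix/domainA.key
4.3.2.1:smtp inet n - n - - smtpd
  -o myhostname=mail.domainB.com
  -o mydomain=domainB.com
  -o smtpd_tls_cert_file=/etc/postfix/domainB.crt
  -o smtpd_tls_key_file=/etc/postfix/domainB.key
"""

def parse_master_cf(text):
    """Return {service: {"command": str, "overrides": {param: value}}}."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                           # blank and comment lines
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()   # continuation of previous entry
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = shlex.split(line)
        if len(fields) < 8:                    # 7 fixed columns + command
            raise ValueError(f"malformed master.cf entry: {line!r}")
        args, overrides, i = fields[8:], {}, 0
        while i < len(args):
            if args[i] == "-o" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                overrides[name.strip()] = value.strip()
                i += 2
            else:
                i += 1
        services[fields[0]] = {"command": fields[7], "overrides": overrides}
    return services

def non_tls_overrides(services):
    """Per listener, the overridden parameters that are not smtpd_tls_*."""
    return {svc: sorted(p for p in info["overrides"]
                        if not p.startswith("smtpd_tls_"))
            for svc, info in services.items()}
```

For the entries in the message this reports `mydomain` and `myhostname` on both listeners, which are the per-listener overrides that the rest of main.cf does not share.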