On 23/03/17 23:06, Viktor Dukhovni wrote:
>> Is it possible to set up separate SSL certificates for each virtual
>> domain?

> The Postfix smtpd(8) service does not support SNI-based certificate
> selection. And this is not needed. Just point all the virtual domains
> at a common MX host with a single certificate.

That is not an appropriate answer for my clients who are paying me to
provide them with their own domain identity at a time when it's almost
impossible to get reasonably sized blocks of IPv4 networks. SNI is a real
thing. Dovecot does it, Courier-MTA fully supports SNI on all protocols
and MUAs will work with SNI.

It absolutely insulates hosting clients from having to change their SMTP
server settings when the hosting provider can make the necessary network
adjustments. If that single MX host has to change (ISP buyout or whatever),
then all clients have to make a mail server setting change. If the provider
had the option of using SNI, then the clients' "vanity" mail server domain
settings can remain unchanged. That's a big deal when there are more than
a few thousand clients involved over periods of decades.

The only valid reason for not using SNI is when a virtual domain must have
a PTR record, but a PTR is not always required, e.g. for a WordPress site
sending out notifications. Even so, the provider can switch a virtual domain
between SNI and a dedicated IP without the client having to make any changes.
