On Mon, Jul 20, 2020 at 02:36:08PM -0700, PGNet Dev wrote:

> i'm modifying a relay config. atm, i've
>
> master.cf
> ...
> [127.0.0.1]:10001 inet n - n - - smtpd
> ...
>   -o content_filter=lmdb:/etc/postfix/relay_transports
>
> relay-out unix - - n - - smtp
>   -o smtp_tls_policy_maps=lmdb:/etc/postfix/relay_tls_policy
>   -o smtp_tls_cert_file=/ssl/client.RSA.crt
>   -o smtp_tls_key_file=/ssl/client.RSA.key
>
> cat /etc/postfix/relay_transports
>
> example1.com relay-out:[mx.example1.com]:25
> example2.com relay-out:[mx.example2.com]:10025
> ...
>
> cat /etc/postfix/relay_tls_policy
> [mx.example1.com]:25 secure match=mx.example1.com
> [mx.example2.com]:10025 secure match=mx.example2.com
> ...
>
>
> this^ has worked just fine.
>
> my config, atm, uses the single RSA crt/key for all transports.
>
>
> example2.com has just changed its requirements, and uses/accepts only EC
> certs.
>
> where/how would I specify a per-transport cert/key pair?
You're already doing it per-transport:

> relay-out unix - - n - - smtp
>   -o smtp_tls_policy_maps=lmdb:/etc/postfix/relay_tls_policy
>   -o smtp_tls_cert_file=/ssl/client.RSA.crt
>   -o smtp_tls_key_file=/ssl/client.RSA.key

Perhaps you meant per-nexthop? That's not presently supported; instead, you can configure a second transport, with a different set of keys, and use that transport for the destinations in question.

> I considered
>
> http://www.postfix.org/postconf.5.html#tls_server_sni_maps
>
> but that seems server-side only (?),

Correct, as described.

> i also took a look at
>
> http://www.postfix.org/postconf.5.html#smtp_tls_per_site

That interface is deprecated, the preferred one is:

> http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

Which you're already using.

> but, again, haven't figured out where/how to provide the per-transport
> cert/key mappings.

You keep saying "per-transport", but you clearly mean per-destination. But in fact, per-transport is what's possible, and you can choose an appropriate transport for each destination, via the transport(5) table.

-- 
Viktor.
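The two-transport arrangement described in the reply, spelled out as an added example that is not part of the thread. It assumes a second service named `relay-out-ec`, an EC pair at `/ssl/client.EC.crt` and `/ssl/client.EC.key` (both names are invented here), that the relay_transports map is consulted as a transport(5) table, and a Postfix release that has the `smtp_tls_eccert_file`/`smtp_tls_eckey_file` client parameters.

```conf
# master.cf: one smtp client service per key pair. Everything else about the
# relay stays as it was; only example2.com is steered to the new service.
relay-out    unix  -  -  n  -  -  smtp
  -o smtp_tls_policy_maps=lmdb:/etc/postfix/relay_tls_policy
  -o smtp_tls_cert_file=/ssl/client.RSA.crt
  -o smtp_tls_key_file=/ssl/client.RSA.key

# EC-only client. The empty cert/key overrides clear any RSA pair that would
# otherwise be inherited from main.cf, so this service offers only the EC cert.
# (assumed service and file names: relay-out-ec, /ssl/client.EC.crt, /ssl/client.EC.key)
relay-out-ec unix  -  -  n  -  -  smtp
  -o smtp_tls_policy_maps=lmdb:/etc/postfix/relay_tls_policy
  -o smtp_tls_cert_file=
  -o smtp_tls_key_file=
  -o smtp_tls_eccert_file=/ssl/client.EC.crt
  -o smtp_tls_eckey_file=/ssl/client.EC.key

# /etc/postfix/relay_transports (transport(5) format): the transport is chosen
# per destination domain, which is where the per-destination key choice happens.
example1.com  relay-out:[mx.example1.com]:25
example2.com  relay-out-ec:[mx.example2.com]:10025

# /etc/postfix/relay_tls_policy: keyed by nexthop, not by transport, so the
# same map serves both services and the "secure" level still applies to each.
[mx.example1.com]:25     secure match=mx.example1.com
[mx.example2.com]:10025  secure match=mx.example2.com
```

After `postmap lmdb:/etc/postfix/relay_transports` and `postmap lmdb:/etc/postfix/relay_tls_policy`, `postconf -M relay-out-ec/unix` should list the new service with its `-o` overrides before you reload.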
