diff -Nur -p 01_sni-1/imap/tls.c 01_sni-2/imap/tls.c
--- 01_sni-1/imap/tls.c	2015-05-13 17:31:55.000000000 +0200
+++ 01_sni-2/imap/tls.c	2015-05-15 09:12:37.000000000 +0200
@@ -315,11 +315,48 @@ static int verify_callback(int ok, X509_
 static int servername_callback(SSL *ssl, int *ad __attribute__((unused)),
 			       void *arg __attribute__((unused)))
 {
-    const char *servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+    char       cert_file[256], key_file[256];
+    const char *cert_dir, *key_dir;
+    const char *servername;
 
-    if (servername) {
-	syslog(LOG_DEBUG, "TLS Server Name Indication (SNI) Extension: \"%s\"",
-	       servername);
+    servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
+
+    if (servername == NULL) {
+	return SSL_TLSEXT_ERR_OK;
+    }
+
+    syslog(LOG_DEBUG, "TLS Server Name Indication (SNI) Extension: \"%s\"",
+           servername);
+
+    if (strchr(servername, '/') != NULL) {
+	return SSL_TLSEXT_ERR_OK;
+    }
+
+    cert_dir = config_getstring(IMAPOPT_TLS_SERVER_CERT_DIR);
+
+    if (cert_dir == NULL) {
+	return SSL_TLSEXT_ERR_OK;
+    }
+
+    key_dir = config_getstring(IMAPOPT_TLS_SERVER_KEY_DIR);
+
+    if (key_dir == NULL) {
+	key_dir = cert_dir;
+    }
+
+    snprintf(cert_file, sizeof(cert_file), "%s/%s.pem", cert_dir, servername);
+    snprintf(key_file, sizeof(key_file), "%s/%s.pem", key_dir, servername);
+
+    syslog(LOG_INFO, "TLS/SNI: cert=%s, key=%s", cert_file, key_file);
+
+    if (SSL_use_certificate_file(ssl, cert_file, SSL_FILETYPE_PEM) <= 0) {
+	syslog(LOG_ERR, "unable to get certificate from '%s'", cert_file);
+	return SSL_TLSEXT_ERR_OK;
+    }
+
+    if (SSL_use_PrivateKey_file(ssl, key_file, SSL_FILETYPE_PEM) <= 0) {
+	syslog(LOG_ERR, "unable to get private key from '%s'", key_file);
+	return SSL_TLSEXT_ERR_OK;
     }
 
     return SSL_TLSEXT_ERR_OK;
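Review bot: The SNI name comes from an unauthenticated client, yet the only filtering before it is formatted into `cert_file` and `key_file` is the `strchr(servername, '/')` test, and neither `snprintf` result is checked. A long name can truncate the path so that the `.pem` suffix is lost and a different file name is attempted. An allow-list of hostname characters plus a truncation check, as sketched below, closes both gaps. Separately, when `SSL_use_certificate_file` succeeds but `SSL_use_PrivateKey_file` fails, the callback still returns `SSL_TLSEXT_ERR_OK` with the connection holding the per-host certificate but not its key; returning `SSL_TLSEXT_ERR_ALERT_FATAL` there, or confirming the pair with `SSL_check_private_key(ssl)`, would make that failure explicit. The function body continues past the end of the hunk.

```c
    const char *servername;
    int n;

    /* … unchanged: SSL_get_servername(), NULL check, debug syslog … */

    /* The name is client-supplied: accept only hostname characters and
       no leading dot before using it as a file name. */
    if (servername[0] == '\0' || servername[0] == '.' ||
	servername[strspn(servername, "abcdefghijklmnopqrstuvwxyz"
				      "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
				      "0123456789-.")] != '\0') {
	return SSL_TLSEXT_ERR_OK;
    }

    /* … unchanged: cert_dir / key_dir lookup … */

    n = snprintf(cert_file, sizeof(cert_file), "%s/%s.pem", cert_dir, servername);
    if (n < 0 || (size_t)n >= sizeof(cert_file)) {
	syslog(LOG_ERR, "TLS/SNI: certificate path too long");
	return SSL_TLSEXT_ERR_OK;
    }

    n = snprintf(key_file, sizeof(key_file), "%s/%s.pem", key_dir, servername);
    if (n < 0 || (size_t)n >= sizeof(key_file)) {
	syslog(LOG_ERR, "TLS/SNI: private key path too long");
	return SSL_TLSEXT_ERR_OK;
    }

    /* … unchanged: SSL_use_certificate_file / SSL_use_PrivateKey_file … */
```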
diff -Nur -p 01_sni-1/lib/imapoptions 01_sni-2/lib/imapoptions
--- 01_sni-1/lib/imapoptions	2015-05-13 17:31:55.000000000 +0200
+++ 01_sni-2/lib/imapoptions	2015-05-15 09:12:37.000000000 +0200
@@ -1910,10 +1910,19 @@ product version in the capabilities */
 { "tls_server_cert", NULL, STRING }
 /* File containing the certificate presented to clients. */
 
+{ "tls_server_cert_dir", NULL, STRING }
+/* Path to a directory containing certificates for virtual domains. This
+   directory must have filenames of the form \fIservername\fR.pem. */
+
 { "tls_server_key", NULL, STRING }
 /* File containing the private key belonging to the certificate in
    tls_server_cert. */
 
+{ "tls_server_key_dir", NULL, STRING }
+/* Path to a directory containing private keys belonging to certificates
+   in \fItls_server_cert_dir\fR. This directory must have filenames of
+   the form \fIservername\fR.pem. */
+
 { "tls_sessions_db", "twoskip", STRINGLIST("berkeley", "berkeley-nosync", "berkeley-hash", "berkeley-hash-nosync", "skiplist", "sql", "twoskip")}
 /* The cyrusdb backend to use for the TLS cache. */
 
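Review bot: The `tls_server_key_dir` description omits the fallback implemented in imap/tls.c, where an unset `tls_server_key_dir` makes the callback read the private key from `tls_server_cert_dir` under the same \fIservername\fR.pem name. I would add one sentence to that comment: `If unset, the key is read from \fIservername\fR.pem in tls_server_cert_dir.` Both descriptions could also state that \fIservername\fR is the name the client sends in the TLS SNI extension, used exactly as received. A short remark that the key files should be readable only by the account the server runs as would help administrators who place them next to the certificates.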
