On Sun, Jul 13, 2025 at 07:32:46AM -0600, James Lay via Postfix-users wrote:
> My other question: I run split dns here, so what I would LOVE to do is
> have an in house certificate used for smtps and submission which are
> used internally only on the inside interface, and a world valid ( if
> that's the right way to say it ) certificate listening just on smtp on
> the outside interface. Even better would be to have smtp listening on
> the outside interface with one certificate, and smtp listening to the
> inside interface using a different cert, but I don't think that's
> possible.
>
> Thank you for any insights you might have!
You can have as many certificate chains as you want associated with
various listening IP addresses, or also on a single IP address
distinguished by SNI (assuming TLS clients that send SNI; not all do,
they are required to use SNI with DANE, but not necessarily with
opportunistic TLS):
master.cf:

    127.0.0.1 inet ... smtpd
        -o smtpd_tls_chain_files=$cert_chain0
    192.0.2.1 inet ... smtpd
        -o smtpd_tls_chain_files=$cert_chain1
    192.0.2.2 inet ... smtpd
        -o smtpd_tls_chain_files=$cert_chain2
    ...

main.cf:

    cert_chain0 = ${config_directory}/chain0.pem
    cert_chain1 = ${config_directory}/chain1.pem
    cert_chain2 = ${config_directory}/chain2.pem
    ...
--
Viktor. 🇺🇦 Слава Україні!
Postfix-users mailing list -- [email protected]
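An added Python example, not from the thread, that audits a master.cf/main.cf pair of the shape described above and reports which chain file each inet smtpd listener will actually present (the per-service `-o smtpd_tls_chain_files` override, or the main.cf default when a listener has none). The sample configuration, addresses and chain-file names are constructed, not taken from any real host.

```python
import re
_VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")  # matches ${name} or $name
# Constructed sample config in the shape of the post's master.cf/main.cf (not from a real host)
MAIN_CF = """\
config_directory = /etc/postfix
cert_chain0 = ${config_directory}/chain0.pem
cert_chain1 = ${config_directory}/chain1.pem
cert_chain2 = ${config_directory}/chain2.pem
smtpd_tls_chain_files = ${config_directory}/default.pem
"""
MASTER_CF = """\
# service        type  private unpriv chroot wakeup maxproc command
127.0.0.1:smtp   inet  n       -       n      -      -       smtpd
  -o smtpd_tls_chain_files=$cert_chain0
192.0.2.1:smtp   inet  n       -       n      -      -       smtpd
  -o smtpd_tls_chain_files=$cert_chain1
192.0.2.2:smtp   inet  n       -       n      -      -       smtpd
  -o smtpd_tls_chain_files=$cert_chain2
  -o smtpd_tls_security_level=encrypt
smtp             unix  -       -       n      -      -       smtp
"""

def parse_main_cf(text):
    # main.cf lines are 'name = value'; comments and blank lines are skipped
    pairs = (l.split("=", 1) for l in text.splitlines()
             if l.strip() and not l.startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def expand(value, params, depth=0):
    # Expand $name / ${name} recursively like Postfix; the depth cap guards against cycles
    if depth > 10: raise ValueError("parameter expansion nested too deep")
    return _VAR.sub(lambda m: expand(params.get(m.group(1) or m.group(2), ""),
                                     params, depth + 1), value)

def listener_chains(master_text, params):
    # Map each inet smtpd listener to its chain file: '-o' override if present, else main.cf default
    chains, current = {}, None
    for raw in master_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"): continue
        if raw[0] in " \t":  # continuation line carrying a '-o name=value' override
            m = re.match(r"\s*-o\s+(\w+)=(\S+)", raw)
            if current and m and m.group(1) == "smtpd_tls_chain_files":
                chains[current] = expand(m.group(2), params)
            continue
        fields = raw.split()
        is_smtpd = len(fields) >= 8 and fields[1] == "inet" and fields[7] == "smtpd"
        current = fields[0] if is_smtpd else None  # "host:port" listener, or not TLS-serving
        if current:
            chains[current] = expand(params.get("smtpd_tls_chain_files", ""), params)
    return chains
```

Running `listener_chains(MASTER_CF, parse_main_cf(MAIN_CF))` lists one entry per inet smtpd service, so a listener that silently fell back to the default chain shows up immediately.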