On Thu, Aug 14, 2025 at 10:59:05PM +0000, King o Hill via Postfix-users wrote:

> SNI is failing and falling back to the $myhostname certificate despite
> a correct configuration.
> 
> alias_database = hash:/etc/aliases
> ...
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_milters = inet:localhost:8891
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
> smtpd_tls_chain_files = regexp:/etc/postfix/sni_map_regex

I'm surprised you have any certificate at all.  That's not a supported
syntax for "smtpd_tls_chain_files".  Nor are regexp tables generally
a good idea for the "tls_server_sni_maps" parameter that does employ a
lookup table.  The table results are:

    a. Contain sensitive key material, and should be readable by the root user only.
    b. Are often large and base64 encoded, so not well suited as regexp or PCRE table values.

See:

    http://www.postfix.org/postconf.5.html#tls_server_sni_maps

Why do you believe you need to use regular expressions to choose the
appropriate server key and certificate chain???

-- 
    Viktor.
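
A lint check for the two problems named in the reply above, as an added example that is not part of the original thread or of Postfix itself: it flags lookup-table syntax in smtpd_tls_chain_files and regexp/pcre tables in tls_server_sni_maps. The function names, the REVISED paths and the choice of a hash: table are assumptions made for illustration.

```python
import re

# "type:name" lookup-table reference, e.g. regexp:/etc/postfix/sni_map_regex
TABLE_REF = re.compile(r"^([a-z][a-z0-9_]*):\S+$")
PATTERN_TABLES = {"regexp", "pcre"}  # results are typed inline in a text file

def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous one, last assignment wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a logical line
        if raw[0].isspace():
            if name:
                params[name] = (params[name] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, value = raw.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params

def table_types(value):
    """Table types named in a comma- or space-separated parameter value."""
    refs = (TABLE_REF.match(item) for item in re.split(r"[,\s]+", value))
    return [m.group(1) for m in refs if m]

def audit_tls_tables(params):
    """Return (parameter, problem) pairs for the two mistakes described in the reply."""
    findings = []
    for kind in table_types(params.get("smtpd_tls_chain_files", "")):
        findings.append(("smtpd_tls_chain_files", f"{kind}: table given, but PEM file names are expected"))
    for kind in table_types(params.get("tls_server_sni_maps", "")):
        if kind in PATTERN_TABLES:
            findings.append(("tls_server_sni_maps", f"{kind}: table is a poor fit for base64 key and chain values"))
    return findings

# Constructed main.cf text: AS_POSTED reuses parameter lines from the post,
# REVISED uses hypothetical file names.
AS_POSTED = """\
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
smtpd_tls_chain_files = regexp:/etc/postfix/sni_map_regex
"""
REVISED = """\
smtpd_tls_chain_files = /etc/postfix/default-chain.pem
tls_server_sni_maps = hash:/etc/postfix/sni_maps
"""

if __name__ == "__main__":
    print(audit_tls_tables(parse_main_cf(AS_POSTED)), audit_tls_tables(parse_main_cf(REVISED)))
```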