domain name to cert/key file mapping
is there any way to set certificate / key file name depending on domain
name? I mean something similar to this Exim feature:
...or this Dovecot feature:
I guess in Postfix it would be something like smtpd_tls_cert_map /
...key_map, but I haven't found any such option. If such feature is not
supported yet, is it planned?
- Piotr Pawłow:
> is there any way to set certificate / key file name depending on domain

Postfix does not yet implement SNI (RFC 3546). All implemented RFCs

> I guess in Postfix it would be something like smtpd_tls_cert_map
> / ...key_map, but I haven't found any such option. If such feature
> is not supported yet, is it planned?

The developer cycles are limited.
- On Tue, Jan 08, 2013 at 07:58:38PM -0500, Wietse Venema wrote:
> > is there any way to set certificate / key file name depending on domain
> > name?

This problem is much harder for SMTP than HTTP, since the MTA does
not know with certainty which acceptable certificate a receiving
site is likely to have. It might have a certificate for the recipient
domain, or for the gateway name. SNI only works well when the protocol
clearly specifies the expected SSL peer. This is not the case with
SMTP, given MX record indirection and the logical separation of
the transport and application end-points (gateway vs. domain).
Thus and for other reasons it is very unlikely that Postfix
will support SNI with SMTP any time soon.
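
The ambiguity the last reply describes, as an added example that is not part of the thread: a sending MTA can expect the server certificate to name either the recipient domain or the MX gateway, and different sites satisfy different expectations. All domains, MX data and certificate names below are constructed, and the function names are hypothetical.

```python
# Added illustration, not Postfix code. All data below is constructed.

def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate DNS name against a host name, allowing a
    single wildcard in the leftmost label (e.g. *.provider.example)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def candidate_peer_names(recipient: str, mx_records: dict) -> dict:
    """Names a sender could expect in the certificate (and so could
    send as SNI) when delivering to one recipient."""
    domain = recipient.rsplit("@", 1)[1].lower()
    # Lowest preference value first; with no MX the domain itself is used.
    mx_hosts = [h for _, h in sorted(mx_records.get(domain, []))] or [domain]
    return {"recipient_domain": [domain], "mx_hostname": mx_hosts}


def evaluate(recipient: str, mx_records: dict, certs: dict) -> dict:
    """For each expectation, does the certificate presented by the
    most preferred gateway satisfy it?"""
    cands = candidate_peer_names(recipient, mx_records)
    gateway = cands["mx_hostname"][0]
    expected = {"recipient_domain": cands["recipient_domain"][0],
                "mx_hostname": gateway}
    return {policy: any(name_matches(c, name) for c in certs[gateway])
            for policy, name in expected.items()}


# Constructed sample data: one hosted domain, one self-hosted domain.
MX = {
    "customer.example": [(20, "mx2.provider.example"), (10, "mx1.provider.example")],
    "selfhosted.example": [(10, "mail.selfhosted.example")],
}
CERTS = {  # DNS names in the certificate each gateway presents
    "mx1.provider.example": ["*.provider.example"],
    "mail.selfhosted.example": ["selfhosted.example"],
}

if __name__ == "__main__":
    for rcpt in ("alice@customer.example", "bob@selfhosted.example"):
        print(rcpt, evaluate(rcpt, MX, CERTS))
```

Neither expectation validates both sites: the hosted domain's gateway only proves the provider's name, while the self-hosted gateway only proves the recipient domain.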