Postfix with multiple SSL certificates

For a very long time I have been a big fan of hosting my mail on one of my virtual machines in the cloud instead of using a public provider. I also use some hosted providers, but the majority of my mailboxes are hosted in my own environment.

There is an incredibly good description of how to set up such a mail server in the ISPmail guide, which I can strongly recommend: you not only learn a lot about Postfix but also about other topics in the areas of security and databases that come in handy a lot. It is one of the best manuals I have ever found, and my setup mainly follows Christoph's excellent guide.
But as I am also a total nerd there are always adjustments – what a surprise 🙂

So basically what I want to accomplish is

  1. getting several LetsEncrypt certificates as they are for free
  2. automatic renewal of those certificates as they expire after three months
  3. after each renewal several services depending on those certificates have to be restarted in order for the certificates to kick in
  4. Postfix should be able to use the right certificates for the right domain

For numbers 1 and 2 there is plenty of good documentation on how to do this. Coming back to the ISPmail guide mentioned above, you will find good documentation there too.

To restart the services that depend on the certificates whenever they get renewed, edit the file /etc/letsencrypt/cli.ini and add the line

post-hook = systemctl restart postfix dovecot apache2

Now all that's left is to tell Postfix which certificate to use when. Usually there is a default entry in Postfix's main.cf configuration file that tells it which certificate to use:

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example1.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example1.org/privkey.pem

We add a new line below these two that tells Postfix where to look up the per-domain certificates, so the block becomes

smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example1.org/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.example1.org/privkey.pem
tls_server_sni_maps=hash:/etc/postfix/vdomainssl.map

Let’s create this file /etc/postfix/vdomainssl.map:

mail.example1.org /etc/letsencrypt/live/mail.example1.org/privkey.pem /etc/letsencrypt/live/mail.example1.org/fullchain.pem
mail.example2.org /etc/letsencrypt/live/mail.example2.org/privkey.pem /etc/letsencrypt/live/mail.example2.org/fullchain.pem
mail.example3.org /etc/letsencrypt/live/mail.example3.org/privkey.pem /etc/letsencrypt/live/mail.example3.org/fullchain.pem

This allows you to host different domains on just one IP address using the so-called SNI (Server Name Indication) functionality (requires Postfix >= 3.4). Each line lists the SNI name first, then the private key, then the full certificate chain. Once the file is created we have to build the lookup table from it:

postmap -F hash:/etc/postfix/vdomainssl.map

which creates the corresponding /etc/postfix/vdomainssl.map.db file used by Postfix. After this you should restart Postfix.
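One detail worth automating: postmap -F copies the key and certificate file contents into the .db, so after a renewal the .db still holds the old certificate until postmap -F is run again; the restart in the post-hook alone does not pick up the new files for SNI names. The script below is an added example, not from the original post, that rebuilds the map and reloads Postfix. It assumes the hostnames and the /etc/letsencrypt/live layout from the post, and that it is wired up as a certbot deploy hook (certbot sets RENEWED_LINEAGE when a deploy hook runs); the map path and the list of hostnames are assumptions you would adjust.

```shell
#!/bin/sh
# Added example (not part of the original post): rebuild the Postfix SNI map
# after Let's Encrypt renews a certificate, then reload Postfix.
set -eu

# certbot's live directory; overridable for testing (assumed default).
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
# Map file path from the post; the hostnames are the post's example names.
SNI_MAP="${SNI_MAP:-/etc/postfix/vdomainssl.map}"
SNI_HOSTS="mail.example1.org mail.example2.org mail.example3.org"

# Emit one map line per hostname: "<sni name> <private key> <full chain>".
# Postfix expects the private key first and the certificate chain second.
build_sni_map() {
    for host in "$@"; do
        printf '%s %s/%s/privkey.pem %s/%s/fullchain.pem\n' \
            "$host" "$LE_LIVE" "$host" "$LE_LIVE" "$host"
    done
}

# Write the text map to $1 for the hostnames given as the remaining arguments.
write_sni_map() {
    map_file="$1"; shift
    build_sni_map "$@" > "$map_file"
}

# Count the non-empty entries in a generated map (used by the self-check).
count_map_entries() {
    grep -c . "$1"
}

# Compile the map with -F (embeds the key/cert *contents* into the .db) and
# reload Postfix so the new certificates are served. Needs root and Postfix.
compile_and_reload() {
    postmap -F "hash:$1"
    postfix reload
}

# Verification helper: show the certificate Postfix serves for a given SNI
# name over STARTTLS. Compare the subject against the name you asked for.
show_served_cert() {
    # $1 = host to connect to, $2 = SNI name to request
    openssl s_client -connect "$1:25" -starttls smtp -servername "$2" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -enddate
}

# When run by certbot as a deploy hook, RENEWED_LINEAGE is set; rebuild the
# whole map (cheap, and keeps all entries consistent) and reload.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    write_sni_map "$SNI_MAP" $SNI_HOSTS
    compile_and_reload "$SNI_MAP"
fi
```

To use it, save the script as an executable file and point certbot at it with `deploy-hook = /path/to/script` in /etc/letsencrypt/cli.ini (deploy-hook runs only when a certificate was actually renewed, while post-hook runs after every renewal attempt). After a renewal, `show_served_cert mail.example1.org mail.example2.org` should print the subject and expiry of the example2 certificate, confirming that SNI selection and the rebuilt map are in effect.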

And that was that – host multiple domains with just one IP address.