Wait, what did that command do exactly? I ran it, reloaded Postfix, and the problem seems to be gone!
From the man page I've just read again (for the third time...):
When the -F option is given, the value must specify one or more filenames separated by comma and/or whitespace; postmap(1) will concatenate the file content (with a newline character inserted between files) and will store the base64-encoded result instead of the value.
So it actually reads the contents of the files. So it really is a cache of some sorts.
Seems to me you'll need to put postmap -F hash:/etc/postfix/sni in a deploy hook in certbot.
But good news, it worked! Because I can't even get tls_server_sni_maps working at all.
Jul 9 18:09:53 server postfix/smtpd[23582]: warning: key at index 1 in SNI data for example.com does not match next certificate
Luckily I can go back to legacy TLS now that you've got things working.
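One way to wire the postmap -F step into certbot, as an added example that is not from this thread: a deploy hook that rebuilds the SNI map from the renewed lineages and reloads Postfix. The map path /etc/postfix/sni comes from the thread; the certbot live-directory layout and the RENEWED_DOMAINS variable are assumptions about a standard certbot install.

```shell
#!/bin/sh
# Added example: certbot deploy hook that refreshes the Postfix SNI map
# after a renewal. Assumed paths: /etc/postfix/sni (map source, as in the
# thread) and the standard certbot live directory layout.
set -eu

SNI_MAP="${SNI_MAP:-/etc/postfix/sni}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"

# Write one map line per hostname: "<host> <privkey>,<fullchain>".
# postmap -F reads these files and stores their base64-encoded content in
# the .db, which is why the map must be rebuilt after every renewal.
build_sni_map() {
    map="$1"; live="$2"; shift 2
    : > "$map"
    for host in "$@"; do
        printf '%s %s/%s/privkey.pem,%s/%s/fullchain.pem\n' \
            "$host" "$live" "$host" "$live" "$host" >> "$map"
    done
}

# True (exit 0) when at least one renewed domain is a key in the map,
# so unrelated renewals do not trigger a Postfix reload.
needs_refresh() {
    map="$1"; renewed="$2"
    for d in $renewed; do
        awk -v h="$d" '$1 == h { f = 1 } END { exit !f }' "$map" && return 0
    done
    return 1
}

# Re-read the key/cert files into the hash map, then reload Postfix.
refresh_postfix() {
    postmap -F "hash:$1"
    postfix reload
}

# certbot exports RENEWED_DOMAINS (space-separated) to deploy hooks;
# when run outside certbot the variable is unset and nothing happens.
if [ -n "${RENEWED_DOMAINS:-}" ]; then
    if needs_refresh "$SNI_MAP" "$RENEWED_DOMAINS"; then
        refresh_postfix "$SNI_MAP"
    fi
fi
```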
Just tested the solution on my second server, where the same problem showed up. It works! Many, many thanks for your patience and your time! That was a big burden for me; you helped me a lot.
Let me know when I can give you more info about my tls_server_sni_maps config. It worked out of the box, following the above guide.
Thanks. Might take you up on that one day, but not now. I hate it when software acts strangely, and if Postfix were a physical object, it would probably be flying out the window about now. Besides, it works nicely now. At the moment I have one A/AAAA hostname for my Postfix, and changing everything into different SNIs would be a DNS hassle too. Also, how many SMTP clients are actually using SNI? Could you perhaps see that in your logs? If a lot of SMTP clients don't even get the correct certificate, it's no use.
But what would be the alternative when you host several domains on one server?
I just specify the same hostname for all the different MX records in the DNS for all the domains.