Nginx as mail proxy: different domains with different certs
Maxim Dounin
mdounin at mdounin.ru
Sat Oct 1 12:49:15 UTC 2022
Hello!
On Fri, Sep 30, 2022 at 03:29:16PM -0400, achekalin wrote:
> I set up nginx as mail proxy, and it works for one domain, but won't work
> when I try to serve more than one domain each with different SSL
> certificate. Is there any way I can achieve that, since nginx as mail proxy
> is quite good and seems to be a good solution.
>
> My fail is that I expected from mail servers the same I used to see in http
> server. Say, I tried to write this:
>
> mail {
>     ...
>     server {
>         listen 25;
>         protocol smtp;
>         server_name mail.domain1.com;
>         ssl_certificate mail.domain1.com.fullchain.pem;
>         ssl_certificate_key mail.domain1.com.key.pem;
>         starttls on;
>         proxy on;
>         xclient off;
>     }
>
>     server {
>         listen 25;
>         protocol smtp;
>         server_name mail.domain2.com;
>         ssl_certificate mail.domain2.com.fullchain.pem;
>         ssl_certificate_key mail.domain2.com.key.pem;
>         starttls on;
>         proxy on;
>         xclient off;
>     }
>     ...
> }
>
> I expected nginx would choose the right 'server' block based on server_name
> (which was a wrong assumption) and then would use the ssl certificate set in
> that server block.
>
> I do understand I can set up LE certs with many hostnames included but say
> the story is that the domain list is too big to be included in a single cert
> so I have to use more than one server block anyway.
Name-based (including SNI-based) virtual servers are not supported
in the mail proxy module. As such, the remaining options are:
- Use multiple names in a certificate
- Use IP-based (or port-based) virtual servers
You can combine both options as appropriate.
--
Maxim Dounin
http://mdounin.ru/
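
The IP-based option from the reply above, as an added configuration example (not part of the original thread). The addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders, and it assumes each domain's mail hostname resolves to its own address so that clients reach the server block holding the matching certificate.

```nginx
mail {
    # auth_http and the other mail-level settings elided ("...") in the
    # original post go here unchanged.

    # The mail proxy does not select a server block by server_name or
    # TLS SNI, so each certificate is bound to its own listen address.
    server {
        listen              192.0.2.10:25;   # placeholder address for mail.domain1.com
        protocol            smtp;
        server_name         mail.domain1.com;
        ssl_certificate     mail.domain1.com.fullchain.pem;
        ssl_certificate_key mail.domain1.com.key.pem;
        starttls            on;
        proxy               on;
        xclient             off;
    }

    server {
        listen              192.0.2.11:25;   # placeholder address for mail.domain2.com
        protocol            smtp;
        server_name         mail.domain2.com;
        ssl_certificate     mail.domain2.com.fullchain.pem;
        ssl_certificate_key mail.domain2.com.key.pem;
        starttls            on;
        proxy               on;
        xclient             off;
    }

    # Either certificate may also carry several names (subjectAltName),
    # which combines both options from the reply: group domains per
    # certificate, and give each group its own address.
}
```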