Set up certs for multiple domains in Postfix and Dovecot

This is done by looking at the unencrypted domain name in the Server Name Indication (SNI) header in the TLS handshake to select the right certificate before any encrypted data is exchanged. At the moment (I'll edit this answer if this changes), Postfix does not support SNI.

Update: SNI support was introduced in Postfix 3.4.0 - http://www.postfix.org/announcements/postfix-3.4.0.html

Dovecot, on the other hand, does. See this example configuration:

# Default certificate, used when the client sends no SNI name
# or a name that matches none of the local_name blocks below.
# The leading "<" tells Dovecot to read the file contents.
ssl_cert = </path/to/default/cert
ssl_key = </path/to/default/private/key

# mail.example.it: selected when the client's SNI name is mail.example.it.
# ssl_cert must point at a PEM file, not at the Let's Encrypt directory;
# fullchain.pem there contains the leaf certificate plus intermediates.
local_name mail.example.it {
    ssl_cert = </etc/letsencrypt/live/mail.example.it/fullchain.pem
    ssl_key = </path/to/mail.example.it/private/key
}

# mail.example.com: same pattern for the second hostname.
local_name mail.example.com {
    ssl_cert = </etc/letsencrypt/live/mail.example.com/fullchain.pem
    ssl_key = </path/to/mail.example.com/private/key
}

You can leave out each domain's ssl_key if it's the same as the default.
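
After wiring up per-name certificates (Dovecot's local_name blocks above, or the tls_server_sni_maps lookup table that Postfix 3.4 introduced), the thing to verify is that each SNI name really gets a certificate carrying that name. The script below is an added example for this thread, not code from the answers: it opens a connection with a chosen SNI name (doing the SMTP STARTTLS dance itself on 25/587, implicit TLS on 465/993), verifies the chain against the system CA store but deliberately leaves hostname checking off so a mismatched certificate is reported rather than refused, and then compares the presented subjectAltName entries against the requested name. HOST, NAMES and the port list are placeholders to replace with your own.

```python
#!/usr/bin/env python3
"""Report which certificate a mail server presents for each SNI name.

Added example, not from the original answers.  HOST (a TEST-NET-3
placeholder address) and NAMES are assumptions; change them to match
your server and the hostnames you configured certificates for.
"""
import socket
import ssl

HOST = "203.0.113.10"                           # placeholder: your mail server
NAMES = ["mail.example.it", "mail.example.com"]  # placeholder: SNI names to test
PORTS = ((25, True), (587, True), (465, False), (993, False))  # (port, needs STARTTLS)


def san_dns_names(peercert):
    """Return the DNS entries of subjectAltName from an SSLSocket.getpeercert() dict."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(hostname, pattern):
    """RFC 6125 style comparison: exact match, or a wildcard in the leftmost label only.

    '*.example.com' covers 'mail.example.com' but neither 'a.b.example.com'
    nor the bare 'example.com'.  Comparison is case-insensitive and ignores a
    trailing dot.
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return hostname == pattern
    h, p = hostname.split("."), pattern.split(".")
    return len(h) == len(p) and h[1:] == p[1:]


def cert_covers(hostname, peercert):
    """True when at least one SAN DNS entry of the presented certificate covers hostname."""
    return any(name_matches(hostname, san) for san in san_dns_names(peercert))


def _smtp_expect(sock, code):
    """Consume SMTP reply lines until the final '<code> ...' line; raise on any other code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("SMTP connection closed")
        buf += chunk
        if buf.endswith(b"\r\n"):
            last = buf.rstrip(b"\r\n").split(b"\r\n")[-1]
            if len(last) >= 4 and last[3:4] == b" ":  # "250 " is final, "250-" continues
                if last[:3] != code.encode():
                    raise RuntimeError(f"expected {code}, got {last!r}")
                return


def probe(host, port, sni_name, starttls):
    """Handshake with SNI=sni_name and return the peer certificate as a dict.

    The chain is verified (CERT_REQUIRED) so getpeercert() is populated, but
    check_hostname is off on purpose: a wrong certificate should be *seen*
    and reported by cert_covers(), not turned into a handshake failure.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    raw = socket.create_connection((host, port), timeout=10)
    if starttls:
        _smtp_expect(raw, "220")
        raw.sendall(b"EHLO sni-check.invalid\r\n")
        _smtp_expect(raw, "250")
        raw.sendall(b"STARTTLS\r\n")
        _smtp_expect(raw, "220")
    with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
        return tls.getpeercert()


def main():
    for name in NAMES:
        for port, starttls in PORTS:
            try:
                cert = probe(HOST, port, name, starttls)
            except (OSError, RuntimeError) as exc:  # ssl.SSLError is an OSError
                print(f"{name}:{port}  ERROR     {exc}")
                continue
            verdict = "OK      " if cert_covers(name, cert) else "MISMATCH"
            print(f"{name}:{port}  {verdict}  SAN={san_dns_names(cert)}")


if __name__ == "__main__":
    main()
```

A MISMATCH line for mail.example.it on 993 with SAN=['mail.example.com'] means Dovecot fell through to the default certificate for that name (typo in the local_name block, or the file it points at holds the wrong cert); the same line on 25 or 587 points at the Postfix side. Because the check runs per port, it also catches the common case where Dovecot is configured per name but Postfix still serves its single default certificate.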


To my knowledge, this is not possible. You have two options:

  • Use one domain as the MX for all the other domains the server should handle. So, if you have a cert configured for example.com and you also want to handle mail for example.org, add an MX record in the example.org zone pointing to your example.com server.
  • Use a cert with multiple SANs, one for every domain you need. This means you have only one cert file that covers all your domains.