SNI for a SMTP server

Let's say I have a dedicated server with some IP (IP1). I'm redirecting multiple domains (say example.com, example.net) to that IP via DNS. I've a single nginx server running here, and I've set up SNI correctly here and it works for HTTPS.

I've also set up MX for both domain to point to server. I've set up a SMTP server listening and it's responding correctly on port 25 by deducing the allowed host from the email address and rejecting any other host's emails.

I've set up TLS for this server but it only allows a single SSL certificate (either for example.com or for example.net). Is there a way, with SMTP, to use SNI (or an equivalent ?) so that, depending on which destination it present the right TLS certificate ?

So far, I haven't found anything for this. My current strategy is to either use a different IP for the different domain (might be possible with IPv6, but not for IPv4 in my case) and run two SMTP servers (one for each host) and a firewall rule to redirect to the different port based on destination IP. This is cumbersome for 2 domains, but if you have more domains, let's say 10 domains, it's not viable at all.

Is there a better strategy ? How do large service providers deals with SMTP for numerous hosts ?


Solution 1:

SNI is not needed here. The verification of the certificate host name is performed against the hostname returned by the MX record, not the domain name in the target email address. So as long as you have made sure that all the MX records for all your domains point to the same hostname, you only need a certificate for that hostname.

In other words, if you have an MX record stating that all emails to the domain example.com should be handled by the mailserver mail.example.net, then the mailserver needs to have a certificate for the hostname mail.example.net only.