Multiple domains and email certificate issues


Dear All,

On the topic of email certificate issues I’ve just noticed that the following guides have been added to the Bytemark documentation library:

The guides seem to suggest that the one-time changes will overcome the issue of having to use the FQDN or a generic domain to collect mail without ssl certificate mismatch issues.

Am I correct in assuming that the guide at the link below is now superseded by the above:

Are my assumptions correct?

Regards Pete

Update from Bytemark:

Hi Pete,

Yes, for email certificates the older guide would be superseded, since you’d be
removing the reliance on /etc/ssl to find certificates (which could only be for one
domain), in favour of dynamically searching /srv/*/config/ssl/current/ (which can be
any domain you have setup in the /srv directory).

Just to bear in mind, if you add a new domain to your server in the future you’ll
need to run through the Dovecot guide again as it’s unfortunately not as intelligent
as Exim.

A tad unrelated, but the older guide may still prove useful if you were wanting to
change the certificate used by FTP TLS, as that’ll still rely on the /etc/ssl
directory to find a certificate.
Kind regards,


Has anyone out there tried the new SNI guides? Are there any drawbacks?


I’ve not tried the guides but just a quick comment…

Less inquisitive, I’d say. :wink:

This sounds ripe for symbiosis automagic. /etc/symbiosis/ssl-hooks.d/dovecot-sni-config rebuilds dovecot config file(s) after every ssl-update & restarts the service. The main dovecot config file includes a default cert and says something like:

!include_try /etc/dovecot/symbiosis-sites/*.conf

(I’d love to know where/why the “!” syntax arrived)

What could go wrong? :wink:
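As an added example (not the Symbiosis project's own ssl-hooks.d script), here is a POSIX shell generator of the kind the post above sketches: it walks a Symbiosis-style /srv tree, writes one Dovecot `local_name` snippet per domain that has a complete certificate pair, and skips any domain that would otherwise point Dovecot at a missing file. The file names ssl.combined and ssl.key under /srv/<domain>/config/ssl/current/, the mail.<domain> alias, and the output directory are assumptions; the demo at the bottom builds a constructed sample tree in a temporary directory so it runs offline.

```shell
# Added example, not Symbiosis's own /etc/symbiosis/ssl-hooks.d/dovecot-sni-config:
# rebuild per-domain Dovecot SNI snippets from a Symbiosis-style /srv tree.
#
# Assumed layout (assumption, adjust to your hosts): SRV_ROOT/<domain>/config/ssl/current/
# holds ssl.combined (leaf + chain) and ssl.key. Each domain gets OUT_DIR/<domain>.conf,
# which dovecot.conf pulls in with
#   !include_try /etc/dovecot/symbiosis-sites/*.conf
# The mail.<domain> alias is an assumption too; add whatever names your DNS publishes.

# gen_dovecot_sni SRV_ROOT OUT_DIR
# Prints the number of domains written and returns 1 if that number is zero.
gen_dovecot_sni() {
    srv="$1"
    out="$2"
    mkdir -p "$out"
    # Start from a clean directory so a removed domain does not leave an
    # orphaned local_name block pointing at files that no longer exist.
    rm -f "$out"/*.conf
    count=0
    for dir in "$srv"/*/; do
        dir="${dir%/}"
        [ -d "$dir" ] || continue
        domain=$(basename "$dir")
        cert="$dir/config/ssl/current/ssl.combined"
        key="$dir/config/ssl/current/ssl.key"
        # An incomplete pair is skipped: a local_name block that references a
        # missing file stops Dovecot from starting for every domain, not just this one.
        if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
            echo "gen_dovecot_sni: skipping $domain (no ssl.combined/ssl.key)" >&2
            continue
        fi
        conf="$out/$domain.conf"
        echo "# generated for $domain; rebuilt on every ssl-update, do not edit by hand" > "$conf"
        for name in "$domain" "mail.$domain"; do
            cat >> "$conf" <<EOF
local_name $name {
  ssl_cert = <$cert
  ssl_key = <$key
}
EOF
        done
        count=$((count + 1))
    done
    echo "$count"
    [ "$count" -gt 0 ]
}

# Stand-alone demo on a constructed tree (sample data, not a real server):
# one complete domain and one that has a certificate but no key.
demo_dovecot_sni() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/srv/example.com/config/ssl/current" \
             "$tmp/srv/nokey.example/config/ssl/current"
    echo "-----BEGIN CERTIFICATE----- (constructed placeholder)" \
        > "$tmp/srv/example.com/config/ssl/current/ssl.combined"
    echo "-----BEGIN PRIVATE KEY----- (constructed placeholder)" \
        > "$tmp/srv/example.com/config/ssl/current/ssl.key"
    echo "-----BEGIN CERTIFICATE----- (constructed placeholder)" \
        > "$tmp/srv/nokey.example/config/ssl/current/ssl.combined"
    gen_dovecot_sni "$tmp/srv" "$tmp/dovecot-sites" >/dev/null
    cat "$tmp/dovecot-sites"/*.conf
    rm -rf "$tmp"
}
demo_dovecot_sni
```

In a real hook you would follow the generator with `doveconf -n` to catch a syntax error before restarting Dovecot, and then confirm from outside that the right certificate is actually presented per name with `openssl s_client -connect mail.example.com:993 -servername example.com`, checking the subject and SAN of the returned certificate rather than just that the handshake succeeds.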


I’ve just created a new SymStretch vm with the intention of implementing SNI for Exim and Dovecot using the following guides:

From the outside world I find the SNI for Exim guide a little vague because I’m unsure whether I’m meant to replace the file /etc/exim4/symbiosis.d/00-main/50-tls-options with the extract from the guide or just edit portions of the file?

Please add some clarity Bytemark.


It looks clear and well commented from here but maybe my exim bubble is stronger than I thought. It’s an ‘Edit’ – you’re adding a line for logging, changing the tls_certificate value and commenting out tls_privatekey. The rest is as-is.


The SNI docs do indeed provide sufficient clarity. I now have 2 test domains sending and receiving mail without certificate issues. This is significant for me because I have needed to migrate a long standing domain and 300 email accounts from a machine running Wheezy. Having 300 email users change their in/out mail settings to reflect the FQDN or an alternative domain would have been emotional.


Sounds good! Thanks for posting and path-finding.


Reference to the SNI guides really needs including within the Symbiosis tech docs.


Update: ignore this now, I’ve sorted it.

I’ve just raised a new thread as I couldn’t find this, or similar, threads before.

Are you saying you can use the domain name itself as the incoming/outgoing mail server, rather than the machine name?

I’ve gone through the guide for exim and it appears to have installed correctly, however if I use a domain name instead of the machine name, I get an invalid server message.

Am I expecting the wrong thing?