[SSL] create individual domain certificates, add SNI configs for Postfix/Dovecot/Nginx

data/conf/dovecot/dovecot.conf

@@ -272,6 +272,7 @@ service lmtp {
 listen = *,[::]
 ssl_cert = </etc/ssl/mail/cert.pem
 ssl_key = </etc/ssl/mail/key.pem
+!include_try /etc/dovecot/sni.conf
 userdb {
   driver = passwd-file
   args = /etc/dovecot/dovecot-master.userdb

data/conf/nginx/includes/site-defaults.conf

@@ -1,19 +1,8 @@
-server_tokens off;
-proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h  max_size=1g;
-server_names_hash_bucket_size 64;
 
-map $http_x_forwarded_proto $client_req_scheme {
-     default $scheme;
-     https https;
-}
-
-server {
   include /etc/nginx/mime.types;
   charset utf-8;
   override_charset on;
 
-  ssl_certificate /etc/ssl/mail/cert.pem;
-  ssl_certificate_key /etc/ssl/mail/key.pem;
   ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
   ssl_prefer_server_ciphers on;
@@ -34,11 +23,6 @@ server {
 
   client_max_body_size 0;
 
-  listen 127.0.0.1:65510;
-  include /etc/nginx/conf.d/listen_plain.active;
-  include /etc/nginx/conf.d/listen_ssl.active;
-  include /etc/nginx/conf.d/server_name.active;
-
   gzip on;
   gzip_disable "msie6";
 
@@ -221,4 +205,3 @@ server {
   location @awaitingupstream {
     rewrite ^(.*)$ /_status.502.html break;
   }
-}

data/conf/nginx/templates/listen_plain.template

@@ -1,2 +0,0 @@
-listen ${HTTP_PORT};
-listen [::]:${HTTP_PORT};

data/conf/nginx/templates/listen_ssl.template

@@ -1,2 +0,0 @@
-listen ${HTTPS_PORT} ssl http2;
-listen [::]:${HTTPS_PORT} ssl http2;

data/conf/nginx/templates/server_name.template

@@ -1 +0,0 @@
-server_name ${MAILCOW_HOSTNAME} autodiscover.* autoconfig.*;

data/conf/nginx/templates/sites.template.sh

@@ -0,0 +1,40 @@
+echo '
+server {
+  listen 127.0.0.1:65510;
+  listen '${HTTP_PORT}' default_server;
+  listen [::]:'${HTTP_PORT}' default_server;
+  listen '${HTTPS_PORT}' ssl http2 default_server;
+  listen [::]:'${HTTPS_PORT}' ssl http2 default_server;
+
+  ssl_certificate /etc/ssl/mail/cert.pem;
+  ssl_certificate_key /etc/ssl/mail/key.pem;
+
+  server_name '${MAILCOW_HOSTNAME}' autodiscover.* autoconfig.*;
+
+  include /etc/nginx/conf.d/includes/site-defaults.conf;
+}
+';
+for cert_dir in /etc/ssl/mail/*/ ; do
+  if [[ ! -f ${cert_dir}domains ]] || [[ ! -f ${cert_dir}cert.pem ]] || [[ ! -f ${cert_dir}key.pem ]]; then
+    continue
+  fi
+  # remove hostname to not cause nginx warnings (hostname is covered in default server listen)
+  domains="$(cat ${cert_dir}domains | sed -e "s/\(^\| \)\($(echo ${MAILCOW_HOSTNAME} | sed 's/\./\\./g')\)\( \|$\)/ /g" | sed -e 's/^[[:space:]]*//')"
+  if [[ "${domains}" == "" ]]; then
+    continue
+  fi
+  echo -n '
+server {
+  listen '${HTTPS_PORT}' ssl http2;
+  listen [::]:'${HTTPS_PORT}' ssl http2;
+
+  ssl_certificate '${cert_dir}'cert.pem;
+  ssl_certificate_key '${cert_dir}'key.pem;
+';
+  echo -n '
+  server_name '${domains}';
+
+  include /etc/nginx/conf.d/includes/site-defaults.conf;
+}
+';
+done

data/conf/postfix/main.cf

@@ -5,6 +5,7 @@ biff = no
 append_dot_mydomain = no
 smtpd_tls_cert_file = /etc/ssl/mail/cert.pem
 smtpd_tls_key_file = /etc/ssl/mail/key.pem
+tls_server_sni_maps = hash:/opt/postfix/conf/sni.map
 smtpd_use_tls=yes
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
@@ -174,7 +175,7 @@ smtp_address_preference = ipv4
 smtp_sender_dependent_authentication = yes
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_sasl_passwd_maps_sender_dependent.cf
-smtp_sasl_security_options = 
+smtp_sasl_security_options =
 smtp_sasl_mechanism_filter = plain, login
 smtp_tls_policy_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
 smtp_header_checks = pcre:/opt/postfix/conf/anonymize_headers.pcre