Hi there,
I'm writing regarding a critical issue with the configuration of multiple SSL certificates on the mail server.
Initial Problem:
One of our mail domains (mail.dominio1.com) was presenting an expired SSL certificate even though the certificate had been properly renewed in AApanel. This caused specific applications to fail when sending emails.
Diagnosis Performed:
We investigated the issue and found that:
We have 3 mail domains configured:
mail.domain1.com (certificate valid until 2025-12-01)
mail.domain2.com (certificate valid until 2025-11-11)
mail.domain3.com (certificate valid until 2025-10-28)
Each domain has its SSL certificate correctly assigned in AApanel and working for HTTP/HTTPS.
The problem is specific to Postfix - when connecting via SMTP/STARTTLS, certificates are not presented correctly.
Troubleshooting Performed:
We attempted to configure SNI (Server Name Indication) in Postfix using:
Multiple formats of tls_server_sni_maps
Separate maps for certificates and keys
Different syntaxes (with |, with spaces, etc.)
Result: Postfix 3.4.7 (current version in AApanel) does not properly support SNI with file paths. It always interprets paths as BASE64 data instead of file paths, generating errors:
"warning: table hash:/etc/postfix/vmail_ssl.map.db: key mail.dominio1.com: malformed BASE64 value
warning: tls_server_sni_maps: mail.dominio1.com map lookup problem..."
Questions/Requests:
Why did this problem suddenly start? Was there any change in AApanel that affected Postfix configuration?
Is there a specific AApanel configuration for handling multiple certificates in Postfix that we're not using?
Can you update Postfix to a more recent version (3.5+) that properly supports SNI?
Is there an alternative solution within AApanel for this problem?
Current Impact:
As a temporary solution we're using a single certificate for all domains, but this:
Is not technically correct
May cause issues with applications that strictly validate certificates
Doesn't utilize the individual certificates we already have configured
Relevant Versions:
Postfix: 3.4.7
AApanel: 7.0.22
OS: CentOS 7
We would appreciate your prompt attention to this matter as it affects mail functionality for multiple domains.
We look forward to your response.
P.S.: We have confirmed that the same issue is occurring in Postfix 3.6.4 on another server running AApanel 7.0.26, indicating that this may be an AApanel-specific limitation/configuration and not a Postfix version issue.
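
Added example, not part of the original post: the "malformed BASE64 value" warning is what Postfix logs when a tls_server_sni_maps table stores file paths instead of base64-encoded PEM content, which is what building the table without `postmap -F` (available since Postfix 3.4) produces. The script lints the source map, builds it with `-F` and checks the certificate served for each SNI name; the map path is assumed from the quoted warning and the PEM paths are placeholders.

```shell
#!/bin/sh
# Added example. The map path is assumed from the warning quoted in the post;
# the PEM paths are placeholders. Source map format, one line per SNI name:
#   mail.domain1.com /path/to/domain1/privkey.pem /path/to/domain1/fullchain.pem
# and in main.cf:  tls_server_sni_maps = hash:/etc/postfix/vmail_ssl.map

# lint_sni_map SRC: check every "name file..." line before building the table.
# Prints one problem per line and returns non-zero if any were found.
lint_sni_map() {
    src=$1 bad=0
    while read -r name files; do
        case $name in ''|'#'*) continue ;; esac
        [ -n "$files" ] || { echo "$name: no PEM files listed"; bad=1; continue; }
        first=1
        for f in $files; do
            if [ ! -r "$f" ]; then
                echo "$name: cannot read $f"; bad=1
            elif [ "$first" = 1 ]; then
                # Postfix wants each private key ahead of its certificate chain.
                grep -e '^-----BEGIN ' "$f" | head -n 1 | grep -q 'PRIVATE KEY' ||
                    { echo "$name: $f does not start with a private key"; bad=1; }
            fi
            first=0
        done
    done < "$src"
    return "$bad"
}

# build_sni_map SRC: with -F, postmap reads each listed file and stores its
# base64-encoded content; without -F the table stores the path strings.
build_sni_map() {
    lint_sni_map "$1" && postmap -F "hash:$1" && postfix reload
}

# presented_cert HOST NAME: subject and expiry of the certificate the server
# returns on port 25 after STARTTLS when the client sends NAME as SNI.
presented_cert() {
    openssl s_client -connect "$1:25" -starttls smtp -servername "$2" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject -enddate
}

# Typical run, as root on the mail host:
#   build_sni_map /etc/postfix/vmail_ssl.map
#   for n in mail.domain1.com mail.domain2.com mail.domain3.com; do
#       presented_cert localhost "$n"
#   done
```

The table has to be rebuilt with `postmap -F` after every certificate renewal, because it holds a copy of the PEM content rather than a reference to the files.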