support multi-domain certificates

README.md

@@ -53,8 +53,8 @@ env vars
 
 * **POSTMOOGLE_PORT** - SMTP port to listen for new emails
 * **POSTMOOGLE_TLS_PORT** - secure SMTP port to listen for new emails. Requires valid cert and key as well
-* **POSTMOOGLE_TLS_CERT** - path to the SSL certificate (chain) of your main domain
+* **POSTMOOGLE_TLS_CERT** - space separated list of paths to the SSL certificates (chain) of your domains, note that position in the cert list must match the position of the cert's key in the key list
-* **POSTMOOGLE_TLS_KEY** - path to the SSL certificate's private key of your main domain
+* **POSTMOOGLE_TLS_KEY** - space separated list of paths to the SSL certificates' private keys of your domains, note that position on the key list must match the position of cert in the cert list
 * **POSTMOOGLE_TLS_REQUIRED** - require TLS connection, **even** on the non-TLS port (`POSTMOOGLE_PORT`). TLS connections are always required on the TLS port (`POSTMOOGLE_TLS_PORT`) regardless of this setting.
 * **POSTMOOGLE_DATA_SECRET** - secure key (password) to encrypt account data, must be 16, 24, or 32 bytes long
 * **POSTMOOGLE_NOENCRYPTION** - disable matrix encryption (libolm) support

cmd/cmd.go

@@ -99,8 +99,8 @@ func initSMTP(cfg *config.Config) {
 	smtpm = smtp.NewManager(&smtp.Config{
 		Domains:     cfg.Domains,
 		Port:        cfg.Port,
-		TLSCert:     cfg.TLS.Cert,
+		TLSCerts:    cfg.TLS.Certs,
-		TLSKey:      cfg.TLS.Key,
+		TLSKeys:     cfg.TLS.Keys,
 		TLSPort:     cfg.TLS.Port,
 		TLSRequired: cfg.TLS.Required,
 		LogLevel:    cfg.LogLevel,

config/config.go

@@ -23,8 +23,8 @@ func New() *Config {
 		StatusMsg:    env.String("statusmsg", defaultConfig.StatusMsg),
 		Admins:       env.Slice("admins"),
 		TLS: TLS{
-			Cert:     env.String("tls.cert", defaultConfig.TLS.Cert),
+			Certs:    env.Slice("tls.cert"),
-			Key:      env.String("tls.key", defaultConfig.TLS.Key),
+			Keys:     env.Slice("tls.key"),
 			Required: env.Bool("tls.required"),
 			Port:     env.String("tls.port", defaultConfig.TLS.Port),
 		},

config/types.go

@@ -47,8 +47,8 @@ type DB struct {
 
 // TLS config
 type TLS struct {
-	Cert     string
+	Certs    []string
-	Key      string
+	Keys     []string
 	Port     string
 	Required bool
 }

smtp/manager.go

@@ -18,8 +18,8 @@ type Config struct {
 	Domains []string
 	Port    string
 
-	TLSCert     string
+	TLSCerts    []string
-	TLSKey      string
+	TLSKeys     []string
 	TLSPort     string
 	TLSRequired bool
 
@@ -75,7 +75,7 @@ func NewManager(cfg *Config) *Manager {
 		port:    cfg.Port,
 		tlsPort: cfg.TLSPort,
 	}
-	m.loadTLSConfig(cfg.TLSCert, cfg.TLSKey)
+	m.loadTLSConfig(cfg.TLSCerts, cfg.TLSKeys)
 	return m
 }
 
@@ -123,17 +123,24 @@ func (m *Manager) listen(port string, tlsCfg *tls.Config) {
 	}
 }
 
-func (m *Manager) loadTLSConfig(cert, key string) {
+func (m *Manager) loadTLSConfig(certs, keys []string) {
-	if cert == "" || key == "" {
+	if len(certs) == 0 || len(keys) == 0 {
-		m.log.Warn("SSL certificate is not provided")
+		m.log.Warn("SSL certificates are not provided")
 		return
 	}
 
-	tlsCert, err := tls.LoadX509KeyPair(cert, key)
+	certificates := make([]tls.Certificate, 0, len(certs))
+	for i, path := range certs {
+		tlsCert, err := tls.LoadX509KeyPair(path, keys[i])
 		if err != nil {
 			m.log.Error("cannot load SSL certificate: %v", err)
+		}
+		certificates = append(certificates, tlsCert)
+	}
+	if len(certificates) == 0 {
 		return
 	}
-	m.tlsCfg = &tls.Config{Certificates: []tls.Certificate{tlsCert}}
+
+	m.tlsCfg = &tls.Config{Certificates: certificates}
 	m.smtp.TLSConfig = m.tlsCfg
 }