As of last month Postfix added SNI support in version 3.4.0 (it would appear nearly 8 years after it was required by rfc6186 5.b), so it is probably time to start thinking about the implementation soon. Dovecot of course has had SNI support for a while.

A few related RFCs that are good to reference:

- RFC 8314: Use of TLS for Email Submission/Access
- RFC 7817: TLS Server Identity Check for Email
- RFC 6186: SRV for Email

It seems each domain should have a separate certificate, with one CN name (there are options, but probably mail.domain.tld or the mail server's hostname) and various SAN names added:

- the domain itself
- mail.domain.tld (or whatever name clients should use according to the service provider's instructions/policy)
- the mail server's hostname
- all names used in SRV records (_imap, _imaps, _pop3, _pop3s, _submission, _submissions, _sieve)

It could also include a wildcard *.domain as a SAN, or even as the CN.

It would be nice to integrate the SRV records with the certificate generation for a standard hosted mail domain, similar to how DKIM is done. This will need to be implemented after support for ISPConfig managing server certificates is added (which I believe will be via acme.sh?), but should definitely be kept in mind during that implementation as well.

As a side note (not part of implementing SNI for mail): having full (multi-server) DNSSEC support would additionally help clients see fewer pop-up messages regarding mail certificates in some configurations.
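To show what "integrating the SRV records with the certificate generation" could look like in practice, here is an added example (not ISPConfig's code, and not from the post above). It derives the SRV record set for a hosted mail domain from the service labels named above, collects every hostname a client could end up connecting to, and checks that a proposed SAN list (exact names or a leftmost-label wildcard) covers all of them. The domain names, the single-file PEM path and the `targets` override are constructed assumptions; the ports are the standard ones for each service. It also emits the `-addext subjectAltName=` argument for `openssl req` and the per-name `tls_server_sni_maps` lines Postfix 3.4 uses to pick a certificate by SNI name.

```python
"""SRV records, certificate SAN list and a coverage check for one hosted
mail domain. Standard library only.

Service labels: RFC 6186 (_imap, _imaps, _pop3, _pop3s, _submission),
RFC 8314 (_submissions) and RFC 5804 (_sieve), with their usual ports.
"""

MAIL_SERVICES = {
    "_imap": 143,
    "_imaps": 993,
    "_pop3": 110,
    "_pop3s": 995,
    "_submission": 587,
    "_submissions": 465,
    "_sieve": 4190,
}


def srv_records(domain, target, priority=0, weight=1, targets=None):
    """Zone-file lines for the domain's SRV records. All point at `target`
    (the mail server's hostname) unless `targets` overrides a label."""
    targets = targets or {}
    lines = []
    for label, port in MAIL_SERVICES.items():
        host = targets.get(label, target)
        lines.append(f"{label}._tcp.{domain}. IN SRV {priority} {weight} {port} {host}.")
    return lines


def srv_targets(records):
    """Distinct target hostnames named by a list of SRV zone lines."""
    return sorted({line.split()[-1].rstrip(".") for line in records})


def san_names(domain, client_name, hostname, records):
    """Every name a client may present in SNI / verify in the certificate:
    the domain, the advertised client name, the server hostname and all
    SRV targets (the list given in the post)."""
    return sorted({domain, client_name, hostname, *srv_targets(records)})


def _matches(name, pattern):
    """RFC 6125 style comparison: exact match, or a wildcard that replaces
    exactly one leftmost label ('*.example.org' matches 'mail.example.org'
    but not 'example.org' or 'a.b.example.org')."""
    if pattern == name:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.org"
        if not name.endswith(suffix):
            return False
        left = name[: -len(suffix)]
        return left != "" and "." not in left
    return False


def uncovered_names(required, san):
    """Names in `required` that no SAN entry covers. Non-empty means the
    certificate would trigger identity warnings for some SRV-using clients."""
    return [n for n in required if not any(_matches(n, p) for p in san)]


def openssl_san_ext(san):
    """Argument for `openssl req -addext ...` carrying these SAN entries."""
    return "subjectAltName=" + ",".join(f"DNS:{n}" for n in san)


def postfix_sni_map_lines(san, pem_path):
    """tls_server_sni_maps entries (Postfix >= 3.4): key is the SNI name,
    value is the PEM file holding the private key followed by the chain.
    One exact entry per name; `pem_path` is a placeholder path."""
    return [f"{name} {pem_path}" for name in san]


if __name__ == "__main__":
    # Constructed example: one domain, sieve served from a separate host.
    records = srv_records("example.org", "mx1.example.org",
                          targets={"_sieve": "sieve.example.org"})
    required = san_names("example.org", "mail.example.org", "mx1.example.org", records)
    print("\n".join(records))
    print(openssl_san_ext(required))
    print("\n".join(postfix_sni_map_lines(required, "/etc/ssl/private/example.org.pem")))
    # A wildcard alone leaves the bare domain uncovered.
    print("uncovered:", uncovered_names(required, ["*.example.org"]))
```

The coverage check is the piece worth wiring into a certificate-issuing workflow: run it against the SAN list that will be requested from the CA, and refuse to issue if it returns anything, so that changing an SRV target later (say, moving Sieve to another host) cannot silently leave the certificate short of a name.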