Loading ...
Sorry, an error occurred while loading the content.

Re: SSL Certificates per domain

Expand Messages
  • /dev/rob0
    ... They don t need to be separate instances, possibly just separate smtpd(8) listeners bound per IP address. If you want each smtpd s input to be a separate
    Message 1 of 8 , Jun 1, 2010
    • 0 Attachment
      On Tue, Jun 01, 2010 at 12:23:38PM -0500, Terry Inzauro wrote:
      > Could this be a case where it makes sense to run multiple
      > instances of postfix which bind to different IP's and are each
      > configured with unique certs?

      They don't need to be separate instances, possibly just separate
      smtpd(8) listeners bound per IP address. If you want each smtpd's
      input to be a separate output stream, that would either require
      separate Postfix instances, or the new features in Postfix 2.7
      (release notes and the list archives have more information.)

      Is SNI defined for SMTP yet? A quick Google search didn't find it.
      How would that work? The client would have to tell the hostname or
      domain name wanted before the STARTTLS?
      --
      Offlist mail to this address is discarded unless
      "/dev/rob0" or "not-spam" is in Subject: header
    • Victor Duchovni
      ... SNI works entirely within SSL, the desired hostname is sent in the client SSL HELLO. There is no need to define SNI for SMTP. An MUA that implements SNI
      Message 2 of 8 , Jun 1, 2010
      • 0 Attachment
        On Tue, Jun 01, 2010 at 12:42:06PM -0500, /dev/rob0 wrote:

        > Is SNI defined for SMTP yet? A quick Google search didn't find it.
        > How would that work? The client would have to tell the hostname or
        > domain name wanted before the STARTTLS?

        SNI works entirely within SSL, the desired hostname is sent in the
        client SSL HELLO. There is no need to define SNI for SMTP.

        An MUA that implements SNI for submission, would send the SMTP server
        name it expects to match. This case is easy.

        An MTA delivering mail to an MX host faces a more complex choice,
        because it may be willing to accept a variety of names. The best
        choice would be to send the "nexthop" domain (typically the same
        as the domain of the recipients), and the server will choose a
        cert with that name if it has one, a cert for a sub-domain
        otherwise, and the default cert if neither an exact match, nor
        a sub-domain are available.

        On the client side, we may need to a new policy table attribute to
        allow the client administrator to specify an SNI name other than the
        nexthop.

        Anyway, this is not currently a high priority, if implemented, it would
        largely be just Postfix talking to Postfix. I am not aware of any other
        SMTP+STARTTLS implementations that support SNI.

        --
        Viktor.
      Your message has been successfully submitted and would be delivered to recipients shortly.