domain name to cert/key file mapping

  • Piotr Pawłow
    Message 1 of 3 , Jan 8, 2013
      Hello,

      is there any way to set certificate / key file name depending on domain
      name? I mean something similar to this Exim feature:

      http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTtlssni

      ...or this Dovecot feature:

      http://wiki2.dovecot.org/SSL/DovecotConfiguration#Multiple_SSL_certificates

      I guess in Postfix it would be something like smtpd_tls_cert_map /
      ...key_map, but I haven't found any such option. If such feature is not
      supported yet, is it planned?

      Regards
    • Wietse Venema
      Message 2 of 3 , Jan 8, 2013
        Piotr Pawłow:
        > is there any way to set certificate / key file name depending on domain
        > name?

        Postfix does not yet implement SNI (RFC 3546). All implemented RFCs
        are documented.

        > I guess in Postfix it would be something like smtpd_tls_cert_map
        > / ...key_map, but I haven't found any such option. If such feature
        > is not supported yet, is it planned?

        The developer cycles are limited.

        Wietse
      • Viktor Dukhovni
        Message 3 of 3 , Jan 8, 2013
          On Tue, Jan 08, 2013 at 07:58:38PM -0500, Wietse Venema wrote:

          > > is there any way to set certificate / key file name depending on domain
          > > name?

          This problem is much harder for SMTP than HTTP, since the MTA does
          not know with certainty which acceptable certificate a receiving
          site is likely to have. It might have a certificate for the recipient
          domain, or for the gateway name. SNI only works well when the protocol
          clearly specifies the expected SSL peer. This is not the case with
          SMTP, given MX record indirection and the logical separation of
          the transport and application end-points (gateway vs. domain).

          Thus and for other reasons it is very unlikely that Postfix
          will support SNI with SMTP any time soon.

          --
          Viktor.
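          An added illustration of the MX-indirection point above (not code from the thread or from Postfix), using constructed MX data: for HTTP the URL host names the TLS peer unambiguously, while for SMTP the sending MTA has several plausible names and an inbound gateway serves many recipient domains.

```python
# Added example, not part of the original thread. All DNS data below is
# constructed; the function names are this example's own, not Postfix APIs.
from typing import Dict, List, Tuple

# Constructed MX data: recipient domain -> [(preference, gateway host), ...]
CONSTRUCTED_MX: Dict[str, List[Tuple[int, str]]] = {
    "example.com": [(10, "mx1.mailhost.example"), (20, "mx2.mailhost.example")],
    "example.org": [(10, "mx1.mailhost.example")],
    "selfhosted.example": [(10, "mail.selfhosted.example")],
}


def http_expected_peer(url_host: str) -> str:
    """HTTP: the host in the URL is the TLS peer, so SNI has exactly one answer."""
    return url_host


def smtp_candidate_peers(recipient_domain: str,
                         mx: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """SMTP: the receiving site might hold a certificate for the recipient
    domain (application end-point) or for any of its MX gateways (transport
    end-point). The client cannot know which, so several names are candidates.
    A domain with no MX record falls back to its own name."""
    gateways = [host for _, host in sorted(mx.get(recipient_domain, []))]
    return [recipient_domain] + gateways


def domains_behind_gateway(gateway: str,
                           mx: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """Inbound view: every recipient domain whose MX points at this gateway."""
    return sorted(d for d, recs in mx.items() if any(h == gateway for _, h in recs))


def names_gateway_would_need(gateway: str,
                             mx: Dict[str, List[Tuple[int, str]]]) -> List[str]:
    """If a server did pick cert/key by SNI, it would need a certificate for its
    own gateway name plus one per recipient domain it accepts mail for, since
    different senders may send different names for the same connection target."""
    return [gateway] + domains_behind_gateway(gateway, mx)
```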