is possible to use different SSL certificates for different domains?

  • marcos gonzalez
    Message 1 of 16, Feb 25, 2013
      Hi

      I'm preparing a server with Postfix 2.7.1 and now I'm in the process
      of certifying the connection. I have two domains, and normally using a
      multi-domain certificate you can join them, but the ownership of the
      domains is different and you can't do that. How do companies with N
      associated domains solve this problem?

      Best Regards
    • Marko Weber | ZBF
      Message 2 of 16, Feb 25, 2013
        The "one" mail server that is doing mailing for N domains
        only needs "one" certificate.

        It's a different thing with "websites"; they each need one.
        Connect multiple IPs to the server for multiple websites' SSL certs.

        But the mail server needs only one for itself.

        The other mail servers don't look at "what domain" sends the mail; they look
        at where the mail is coming from. It's coming from your one mail server.
        So the mail server only needs one certificate, but can be responsible
        for multiple domains.

        Got it?

        (Hope it's easily explained.)

        marko



        On 2013-02-25 10:33, marcos gonzalez wrote:
        > Hi
        >
        > I'm preparing a server with Postfix 2.7.1 and now I'm in the process
        > of certifying the connection. I have two domains, and normally using
        > a multi-domain certificate you can join them, but the ownership of the
        > domains is different and you can't do that. How do companies with N
        > associated domains solve this problem?
        >
        > Best Regards
      • Reindl Harald
        Message 3 of 16, Feb 25, 2013
          On 25.02.2013 10:33, marcos gonzalez wrote:
          > I'm preparing a server with Postfix 2.7.1 and now I'm in the process of certifying the connection. I have two
          > domains, and normally using a multi-domain certificate you can join them, but the ownership of the domains is
          > different and you can't do that. How do companies with N associated domains solve this problem?

          we communicate "mail.thelounge.net" as the server which has a cert
          and we are done; this works reliably and is enough

          email != http
        • DTNX Postmaster
          Message 4 of 16, Feb 25, 2013
            On Feb 25, 2013, at 10:33, marcos gonzalez <deconya@...> wrote:

            > I'm preparing a server with Postfix 2.7.1 and now I'm in the process of certifying the connection. I have two domains, and normally using a multi-domain certificate you can join them, but the ownership of the domains is different and you can't do that. How do companies with N associated domains solve this problem?

            Have you looked at the mailing list archives? This question has been
            asked before, several times, and the answer is always the same :-)

            If you have, and your question has not been answered, please provide
            the list with a few more specifics about what you are trying to do.

            Cya,
            Jona
          • marcos gonzalez
            Message 5 of 16, Feb 25, 2013
              Hi

              Thanks for the answer.

              I'm reading how most of you separate HTTP from mail; that's correct, but
              if you need the same SSL certificate for more than one domain, and for
              legal reasons you can't include all domains in one certificate, I
              don't know if Postfix has the possibility to create a domain table
              where you can say "for this domain, this certificate". I know it is a
              very special case and not typical to do, and for this reason I prefer to
              ask on this list.

              If anyone knows how to create this rule, I'd be grateful.

              Thanks

              On 25/02/2013 10:46, Marko Weber | ZBF wrote:
              >
              > The "one" mail server that is doing mailing for N domains
              > only needs "one" certificate.
              >
              > It's a different thing with "websites"; they each need one.
              > Connect multiple IPs to the server for multiple websites' SSL certs.
              >
              > But the mail server needs only one for itself.
              >
              > The other mail servers don't look at "what domain" sends the mail; they look
              > at where the mail is coming from. It's coming from your one mail server.
              > So the mail server only needs one certificate, but can be responsible
              > for multiple domains.
              >
              > Got it?
              >
              > (Hope it's easily explained.)
              >
              > marko
              >
            • Reindl Harald
              Message 6 of 16, Feb 25, 2013
                On 25.02.2013 11:38, marcos gonzalez wrote:
                > I'm reading how most of you separate HTTP from mail; that's correct, but if you need the same SSL certificate for
                > more than one domain, and for legal reasons you can't include all domains in one certificate, I don't know if
                > Postfix has the possibility to create a domain table where you can say "for this domain, this certificate". I
                > know it is a very special case and not typical to do, and for this reason I prefer to ask on this list.

                you need to understand how SSL works at all, and
                you would realize that this is not possible

                the SSL handshake happens at connection time;
                you CAN NOT switch to a different certificate in an EXISTING connection

                forget it, it is not possible and it will never be possible
                you can set up a dedicated IP address and multiple interfaces
                with their own configuration, but this is completely useless
                work - you do not need different domain names at SMTP/POP3/IMAP
                for secure encryption, and anybody who tells you it is required
                is a fool without technical knowledge
              • Wietse Venema
                Message 7 of 16, Feb 25, 2013
                  Reindl Harald:
                  > you need to understand how SSL works at all and
                  > you would realize that this is not possible

                  Postfix does not yet implement "SNI" which allows a client to
                  specify what server name it wants to connect to.

                  What SMTP clients require this?

                  Wietse
                • Reindl Harald
                  Message 8 of 16, Feb 25, 2013
                    On 25.02.2013 12:59, Wietse Venema wrote:
                    > Reindl Harald:
                    >> you need to understand how SSL works at all and
                    >> you would realize that this is not possible
                    >
                    > Postfix does not yet implement "SNI" which allows a client to
                    > specify what server name it wants to connect to.
                    >
                    > What SMTP clients require this?

                    no client requires this

                    as so often, we have here another user who thinks he needs
                    "mail.domain1.tld", "mail.domain2.tld".... for whatever
                    reasons, instead of simply using "mail.hiscompany.tld", buying
                    a certificate for this domain, giving all users this hostname,
                    and all is ready and done
                  • Viktor Dukhovni
                    Message 9 of 16, Feb 25, 2013
                      On Mon, Feb 25, 2013 at 10:33:09AM +0100, marcos gonzalez wrote:

                      > I'm preparing a server with Postfix 2.7.1 and now I'm in the process
                      > of certifying the connection. I have two domains, and normally using
                      > a multi-domain certificate you can join them, but the ownership of the
                      > domains is different and you can't do that. How do companies with N
                      > associated domains solve this problem?

                      For the most recent variant of the usual answers, see:

                      http://archives.neohapsis.com/archives/postfix/2013-01/0174.html
                      http://archives.neohapsis.com/archives/postfix/2013-01/0657.html

                      and similar older answers. Admittedly, these answers are all
                      predicated on the idea that the client is an MTA, sending messages
                      to a destination domain via MX records, ...

                      If the client is an MUA (say Thunderbird), and Postfix is the MSA,
                      then indeed the client possesses an unambiguous TLS destination
                      host, and may well be SNI capable. One could perhaps attempt to
                      make the case that Postfix should support the server side of SNI
                      on the submission port.

                      However, to date all the OPs who've asked for SNI have motivated
                      it by saying they're receiving email for multiple domains. This is
                      not the MUA->MSA use-case above and is subject to my standard objection.

                      If someone is instead hosting many independent MSA services on a
                      single machine (or cluster of machines):


                      smtp.example.net:587
                      smtp.example.com:587
                      smtp.example.org:587
                      ...

                      rather than just:

                      smtp.example.net:587

                      and has a compelling reason for doing this, we'd at least have a
                      rational basis for discussing the merits of SNI in Postfix. Mind
                      you, at this point my efforts are going to be focused on DANE (RFC
                      6698), which makes the whole issue go away, since each domain can
                      securely bind to the same trusted public key via DNSSEC (via a
                      CNAME!) and there's no longer any need for multiple certs.

                      _587._tcp.smtp.example.net. IN TLSA 3 1 1 0123456789abcdef...
                      ; + RRSIG

                      _587._tcp.smtp.example.com. IN CNAME _587._tcp.smtp.example.net.
                      ; + RRSIG

                      _587._tcp.smtp.example.org. IN CNAME _587._tcp.smtp.example.net.
                      ; + RRSIG

                      I see negligible benefit from an SNI implementation for Postfix.

                      Is it time to add an anti-SNI rationale section to TLS_README? This
                      would set a bad precedent, there is no limit to the number of
                      non-features we could document.

                      --
                      Viktor.
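A worked illustration of the DANE layout Viktor sketches, added here as an example and not part of his post or of Postfix: a DANE-aware client builds the TLSA owner name, follows the CNAME to the shared signed RRset, and matches a "3 1 1" record against the SHA-256 of the SubjectPublicKeyInfo the server presented, treating any unsigned hop in the chain as "no DANE" rather than trusting it. The zone contents, the Ed25519 SPKI bytes and the `secure` flag that stands in for RRSIG validation are all constructed for this example.

```python
import hashlib
import hmac

# TLSA field values (RFC 6698) used in the "3 1 1" record above
DANE_EE = 3        # certificate usage 3: match the end-entity certificate itself
SEL_SPKI = 1       # selector 1: match the SubjectPublicKeyInfo, not the whole cert
MATCH_SHA256 = 1   # matching type 1: compare SHA-256 digests

# Constructed server key (not a real key): the DER SubjectPublicKeyInfo of an
# Ed25519 public key is a fixed 12-byte prefix followed by the 32 raw key bytes.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
SERVER_SPKI = ED25519_SPKI_PREFIX + bytes(range(32))


def tlsa_3_1_1(spki_der):
    """Build the (usage, selector, mtype, digest) tuple a TLSA RR would carry."""
    return (DANE_EE, SEL_SPKI, MATCH_SHA256, hashlib.sha256(spki_der).hexdigest())


# Constructed zone data mirroring the post: one signed TLSA RRset on the shared
# name; the other submission hosts CNAME to it. "secure" stands in for a
# validated RRSIG chain, which a real resolver checks and this toy does not.
ZONE = {
    "_587._tcp.smtp.example.net.": {"type": "TLSA", "secure": True,
                                    "data": [tlsa_3_1_1(SERVER_SPKI)]},
    "_587._tcp.smtp.example.com.": {"type": "CNAME", "secure": True,
                                    "data": "_587._tcp.smtp.example.net."},
    "_587._tcp.smtp.example.org.": {"type": "CNAME", "secure": True,
                                    "data": "_587._tcp.smtp.example.net."},
    # Unsigned delegation: DANE must be ignored here, never trusted.
    "_587._tcp.smtp.example.test.": {"type": "CNAME", "secure": False,
                                     "data": "_587._tcp.smtp.example.net."},
}


def tlsa_name(host, port=587, proto="tcp"):
    """The owner name a client queries: _port._proto.host."""
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))


def lookup_tlsa(name, max_hops=8):
    """Follow CNAMEs to the TLSA RRset.

    Returns (records, secure); secure is True only when every hop, CNAMEs
    included, was DNSSEC-validated. An unsigned hop anywhere in the chain
    could be spoofed, so it downgrades the whole answer to insecure.
    """
    secure = True
    for _ in range(max_hops):
        rr = ZONE.get(name)
        if rr is None:
            return [], False
        secure = secure and rr["secure"]
        if rr["type"] == "CNAME":
            name = rr["data"]
            continue
        return list(rr["data"]), secure
    return [], False  # CNAME loop or chain too long


def dane_verify(host, presented_spki):
    """Return 'verified', 'mismatch' or 'no-dane' for the key the server presented."""
    records, secure = lookup_tlsa(tlsa_name(host))
    if not records or not secure:
        return "no-dane"          # fall back to whatever non-DANE policy applies
    digest = hashlib.sha256(presented_spki).hexdigest()
    for usage, selector, mtype, data in records:
        if (usage, selector, mtype) != (DANE_EE, SEL_SPKI, MATCH_SHA256):
            continue              # other combinations need PKIX checks; out of scope
        if hmac.compare_digest(data, digest):
            return "verified"     # the key is bound to the name via DNSSEC
    return "mismatch"             # signed records exist but none match: refuse


if __name__ == "__main__":
    for h in ("smtp.example.net", "smtp.example.com",
              "smtp.example.org", "smtp.example.test"):
        print(h, dane_verify(h, SERVER_SPKI))
```

All three hosts verify against the one key because the CNAMEs resolve to the same signed TLSA RRset, which is the point of the post: one public key, no per-domain certificates.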
                    • Marko Weber | ZBF
                      Message 10 of 16, Feb 25, 2013
                        in other words NO.
                        in reality, out there, you don't do this.

                        the MAILSERVER authenticates itself with its Cert/key/CA,
                        NOT the domains it is responsible for.

                        So it doesn't matter how many domains the mail server is responsible
                        for.
                        You need only one Cert/Key for the mail server.

                        On HTTPS it's another thingie; there the clients are anonymous.

                        The mail server doesn't connect to another server and want to upload
                        a mail there and say "hello, for DOMAIN tricky.com I will upload a mail, and
                        this is the cert/key/CA for tricky.com".

                        The mail server connects to the other mail server and says, hello, I AM
                        MAILSERVER SUPERMOFO.net, and I will upload you a mail from tricky.com.
                        Here's the cert/key/CA for SUPERMOFO.net.

                        do you understand now?

                        you tell via DNS WHAT mail server is responsible for the mail exchange for
                        tricky.com

                        that's it.

                        marko

                        a very great howto/guide that made many things clear for me the last
                        days was: http://www.postfix.org/TLS_README.html

                        please, forget your mumpitz with hundreds of certs for domains on a
                        mail server.
                        You DON'T need it.


                        On 2013-02-25 11:38, marcos gonzalez wrote:
                        > Hi
                        >
                        > Thanks for the answer.
                        >
                        > I'm reading how most of you separate HTTP from mail; that's correct, but
                        > if you need the same SSL certificate for more than one domain, and for
                        > legal reasons you can't include all domains in one certificate, I
                        > don't know if Postfix has the possibility to create a domain table
                        > where you can say "for this domain, this certificate". I know it is a
                        > very special case and not typical to do, and for this reason I prefer to
                        > ask on this list.
                        >
                        > If anyone knows how to create this rule, I'd be grateful.
                        >
                        > Thanks
                        >
                      • Birta Levente
                        Message 11 of 16, Feb 25, 2013
                          On 25/02/2013 12:38, marcos gonzalez wrote:
                          > Hi
                          >
                          > Thanks for the answer.
                          >
                          > I'm reading how most of you separate HTTP from mail; that's correct, but
                          > if you need the same SSL certificate for more than one domain, and for
                          > legal reasons you can't include all domains in one certificate, I
                          > don't know if Postfix has the possibility to create a domain table
                          > where you can say "for this domain, this certificate". I know it is a
                          > very special case and not typical to do, and for this reason I prefer to
                          > ask on this list.
                          >
                          > If anyone knows how to create this rule, I'd be grateful.
                          >

                          I use multiple certificates on multiple domains with multiple Postfix
                          instances :)

                          http://www.postfix.org/MULTI_INSTANCE_README.html
                        • Reindl Harald
                          Message 12 of 16, Feb 25, 2013
                            On 25.02.2013 21:54, Birta Levente wrote:
                            > I use multiple certificates on multiple domains with multiple Postfix instances :)
                            >
                            > http://www.postfix.org/MULTI_INSTANCE_README.html

                            have fun if you grow to 100, 200, 300, 500 domains

                            your administration overhead will grow dramatically for zero
                            benefit, or sooner or later you have to go back to a unified
                            servername

                            the idiot who was admin before me also thought it is cool
                            to have "mail.domain.tld" and communicate it for his 5
                            domains; now that we have some hundred of them i am
                            happy that i made the step to unify it to "mail.thelounge.net"
                            with ONE certificate and ONE ip-address to keep things simple
                          • Birta Levente
                            Message 13 of 16, Feb 25, 2013
                              On 25/02/2013 22:59, Reindl Harald wrote:
                              >
                              > have fun if you grow to 100, 200, 300, 500 domains
                              >
                              > your administration overhead will grow dramatically for zero
                              > benefit, or sooner or later you have to go back to a unified
                              > servername
                              >
                              > the idiot who was admin before me also thought it is cool
                              > to have "mail.domain.tld" and communicate it for his 5
                              > domains; now that we have some hundred of them i am
                              > happy that i made the step to unify it to "mail.thelounge.net"
                              > with ONE certificate and ONE ip-address to keep things simple
                              >

                              Absolutely right. But in my case (and possibly others) it's about 10
                              domains ... and only 2 have a different certificate/IP .... because
                              ...well ... they have ... it's from situation to situation...
                            • Reindl Harald
                              Message 14 of 16, Feb 25, 2013
                                On 25.02.2013 22:39, Birta Levente wrote:
                                >
                                > Absolutely right. But in my case (and possibly others) it's about 10 domains ... and only 2 have a different
                                > certificate/IP .... because ...well ... they have ... it's from situation to situation...

                                so set up a virtual machine for them or explain to them
                                that it is useless - the argument is simple: price

                                let them pay enough to maintain their VMs, and if they
                                do not want to pay, well, give them a setup which works
                                perfectly for 100, 500, 1000, 5000 domains
                              • /dev/rob0
                                Message 15 of 16, Feb 27, 2013
                                  On Mon, Feb 25, 2013 at 04:59:37PM +0000, Viktor Dukhovni wrote:
                                  > I see negligible benefit from an SNI implementation for Postfix.
                                  >
                                  > Is it time to add an anti-SNI rationale section to TLS_README? This
                                  > would set a bad precedent, there is no limit to the number of
                                  > non-features we could document.

                                  Rather than putting it in TLS_README, I think a FAQ would be more
                                  fitting. I know we used to have a FAQ document, but it has long ago
                                  been abandoned. We get a lot of the same questions here, and some
                                  ardent Googlers still stumble upon the old faq.html page.

                                  Perhaps rather than a DNS_README as you suggested in another thread,
                                  that could be worked into a FAQ? I agree, DNS is a vital subject to
                                  most MTA administrators, but here too it's not going to cover actual
                                  Postfix features, for the most part.
                                  --
                                  http://rob0.nodns4.us/ -- system administration and consulting
                                  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
                                • Fernando Maior
                                  Message 16 of 16, Mar 3, 2013
                                    Maybe we can put that into the Postfix documentation page, in the "Specific environments" section. Also, maybe DNS can go there; both are "environments" anyway...

                                    Just 2 cents...

                                    Best regards,
                                    ---
                                    Fernando Maciel Souto Maior

                                    On Wed, Feb 27, 2013 at 6:17 PM, /dev/rob0 <rob0@...> wrote:
