
Re: is it possible to use different SSL certificates for different domains?

  • Wietse Venema
    Message 1 of 16, Feb 25, 2013
      Reindl Harald:
      > > I'm reading how several of you separate HTTP from mail; that is correct, but if you need the same SSL certificate for more
      > > than one domain, and for legal reasons you can't include all domains in one certificate, I don't know if Postfix
      > > has the possibility to create a domain table where you can say "for this domain, this certificate". I know this is a
      > > very special case and not typical to do, and for this reason I prefer to comment on this list.
      >
      > you need to understand how SSL works at all, and then
      > you would realize that this is not possible

      Postfix does not yet implement "SNI", which allows a client to
      specify what server name it wants to connect to.

      What SMTP clients require this?

      Wietse
    • Reindl Harald
      Message 2 of 16, Feb 25, 2013
        On 25.02.2013 12:59, Wietse Venema wrote:
        > Reindl Harald:
        >>> I'm reading how several of you separate HTTP from mail; that is correct, but if you need the same SSL certificate for more
        >>> than one domain, and for legal reasons you can't include all domains in one certificate, I don't know if Postfix
        >>> has the possibility to create a domain table where you can say "for this domain, this certificate". I know this is a
        >>> very special case and not typical to do, and for this reason I prefer to comment on this list.
        >>
        >> you need to understand how SSL works at all, and then
        >> you would realize that this is not possible
        >
        > Postfix does not yet implement "SNI", which allows a client to
        > specify what server name it wants to connect to.
        >
        > What SMTP clients require this?

        no client requires this

        as so often, we have here another user who thinks he needs
        "mail.domain1.tld", "mail.domain2.tld", ... for whatever
        reason; instead, simply use "mail.hiscompany.tld", buy
        a certificate for this domain, give all users this hostname,
        and all is ready and done
      • Viktor Dukhovni
        Message 3 of 16, Feb 25, 2013
          On Mon, Feb 25, 2013 at 10:33:09AM +0100, marcos gonzalez wrote:

          > I'm preparing a server with Postfix 2.7.1 and now I'm in the process
          > of securing the connection with a certificate. I have two domains, and
          > normally using a multi-domain certificate you can join them, but the
          > ownership of the domains is different and you can't do that. How do
          > companies with N associated domains resolve this problem?

          For the most recent variant of the usual answers, see:

          http://archives.neohapsis.com/archives/postfix/2013-01/0174.html
          http://archives.neohapsis.com/archives/postfix/2013-01/0657.html

          and similar older answers. Admittedly, these answers are all
          predicated on the idea that the client is an MTA, sending messages
          to a destination domain via MX records, ...

          If the client is an MUA (say Thunderbird), and Postfix is the MSA,
          then indeed the client possesses an unambiguous TLS destination
          host, and may well be SNI capable. One could perhaps attempt to
          make the case that Postfix should support the server side of SNI
          on the submission port.

          However, to date all the OPs who've asked for SNI have motivated
          it by saying they're receiving email for multiple domains. This is
          not the MUA->MSA use case above and is subject to my standard objection.

          If someone is instead hosting many independent MSA services on a
          single machine (or cluster of machines):


          smtp.example.net:587
          smtp.example.com:587
          smtp.example.org:587
          ...

          rather than just:

          smtp.example.net:587

          and has a compelling reason for doing this, we'd at least have a
          rational basis for discussing the merits of SNI in Postfix. Mind
          you, at this point my efforts are going to be focused on DANE (RFC
          6698), which makes the whole issue go away, since each domain can
          securely bind to the same trusted public key via DNSSEC (via a
          CNAME!) and there's no longer any need for multiple certs.

          _587._tcp.smtp.example.net. IN TLSA 3 1 1 0123456789abcdef...
          ; + RRSIG

          _587._tcp.smtp.example.com. IN CNAME _587._tcp.smtp.example.net.
          ; + RRSIG

          _587._tcp.smtp.example.org. IN CNAME _587._tcp.smtp.example.net.
          ; + RRSIG

          I see negligible benefit from an SNI implementation for Postfix.

          Is it time to add an anti-SNI rationale section to TLS_README? This
          would set a bad precedent, there is no limit to the number of
          non-features we could document.

          --
          Viktor.
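Viktor's DANE sketch above, worked through as an added example in Go (not code from this thread or from Postfix): one "3 1 1" TLSA record for smtp.example.net, the other two owner names CNAMEd to it, and the DANE-EE match a client performs on the certificate the server presents. Everything is constructed inside the program: the zone is a map rather than a DNS lookup, there is no DNSSEC validation, and the certificates are throwaway self-signed ones generated on the fly. Only the usage 3 (DANE-EE) rules of RFC 6698 are implemented, for selector 0 or 1 with SHA-256 matching; the type and function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TLSA is one parsed TLSA RDATA (RFC 6698, section 2.1).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// ParseTLSA parses the presentation form "3 1 1 <hex>"; the caller supplies the text, so no DNS or DNSSEC happens here.
func ParseTLSA(rdata string) (t TLSA, err error) {
	var h string
	if _, err = fmt.Sscanf(rdata, "%d %d %d %s", &t.Usage, &t.Selector, &t.MatchingType, &h); err != nil {
		return TLSA{}, fmt.Errorf("bad TLSA %q: %v", rdata, err)
	}
	t.Data, err = hex.DecodeString(h)
	return t, err
}

// RecordFor returns the "3 1 1" RDATA for cert (DANE-EE, SubjectPublicKeyInfo, SHA-256): only the key is hashed.
func RecordFor(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "3 1 1 " + hex.EncodeToString(sum[:])
}

// Matches checks cert against a DANE-EE record: selector 0 (whole cert) or 1 (SPKI), SHA-256 matching (type 1).
func (t TLSA) Matches(cert *x509.Certificate) bool {
	if t.Usage != 3 || t.Selector > 1 || t.MatchingType != 1 {
		return false // usages 0-2 would also need PKIX chain building, omitted here
	}
	selected := cert.Raw
	if t.Selector == 1 {
		selected = cert.RawSubjectPublicKeyInfo
	}
	sum := sha256.Sum256(selected)
	return subtle.ConstantTimeCompare(sum[:], t.Data) == 1
}

// LookupTLSA resolves name in a constructed zone (owner -> RDATA), following CNAMEs as a resolver would.
func LookupTLSA(zone map[string]string, name string) (TLSA, error) {
	rr := zone[name]
	for hops := 0; strings.HasPrefix(rr, "CNAME ") && hops < 8; hops++ {
		rr = zone[strings.TrimPrefix(rr, "CNAME ")]
	}
	if rr == "" || strings.HasPrefix(rr, "CNAME ") {
		return TLSA{}, fmt.Errorf("no TLSA record reachable from %s", name)
	}
	return ParseTLSA(rr)
}

// selfSigned issues a throwaway certificate on a fresh P-256 key (constructed test material, not a real server cert).
func selfSigned() *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Demo builds the thread's zone: one key behind smtp.example.net, the other two owners CNAMEd to
// its record. It reports whether that key is accepted, and a different key rejected, at every name.
func Demo() (sharedOK, otherKeyRejected bool) {
	cert, rogue := selfSigned(), selfSigned()
	zone := map[string]string{
		"_587._tcp.smtp.example.net.": RecordFor(cert),
		"_587._tcp.smtp.example.com.": "CNAME _587._tcp.smtp.example.net.",
		"_587._tcp.smtp.example.org.": "CNAME _587._tcp.smtp.example.net.",
	}
	sharedOK, otherKeyRejected = true, true
	for name := range zone {
		rec, err := LookupTLSA(zone, name)
		if err != nil {
			panic(err)
		}
		sharedOK = sharedOK && rec.Matches(cert)
		otherKeyRejected = otherKeyRejected && !rec.Matches(rogue)
	}
	return sharedOK, otherKeyRejected
}
```

Demo returns true, true: the record reachable from each of the three owner names is the same SPKI hash, so the one key is accepted everywhere, while a certificate on any other key fails at every name. Note that Matches performs no hostname or validity-period check; for DANE-EE usage RFC 7672 (section 3.1.1) does not require them, the key binding published under the DNSSEC-signed name is the whole check, which is what lets one key serve many domains without a per-domain certificate.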
        • Marko Weber | ZBF
          Message 4 of 16, Feb 25, 2013
            In other words: NO.
            In the real world you don't do this.

            The MAILSERVER authenticates itself with its cert/key/CA,
            NOT the domains it is responsible for.

            So it doesn't matter how many domains the mail server is responsible
            for.
            You need only one cert/key for the mail server.

            With HTTPS it's another thing; there the clients are anonymous.

            The mail server doesn't connect to another server wanting to upload
            a mail there and say "hello, for DOMAIN tricky.com I will upload a mail, and
            this is the cert/key/CA for tricky.com".

            The mail server connects to the other mail server and says: hello, I AM
            MAILSERVER SUPERMOFO.net, and I will upload a mail from tricky.com to you.
            Here's the cert/key/CA for SUPERMOFO.net.

            Do you understand now?

            You tell via DNS WHAT mail server is responsible for the mail exchange for
            tricky.com.

            That's it.

            marko

            A very good howto/guide that made many things clear for me over the last
            few days was: http://www.postfix.org/TLS_README.html

            Please forget your nonsense with hundreds of certs for domains on a
            mail server.
            You DON'T need it.


            On 2013-02-25 11:38, marcos gonzalez wrote:
            > Hi
            >
            > Thanks for the answer.
            >
            > I'm reading how several of you separate HTTP from mail; that is correct, but if
            > you need the same SSL certificate for more than one domain, and for
            > legal reasons you can't include all domains in one certificate, I
            > don't know if Postfix has the possibility to create a domain table
            > where you can say "for this domain, this certificate". I know this is a
            > very special case and not typical to do, and for this reason I prefer to
            > comment on this list.
            >
            > If anyone knows how to create this rule, I'd be grateful
            >
            > Thanks
            >
            > On 25/02/2013 10:46, Marko Weber | ZBF wrote:
            >>
            >> The "one" mail server that is doing mailing for N domains
            >> only needs "one" certificate.
            >>
            >> It's another thing with "websites"; they each need one.
            >> Connect multiple IPs to the server for multiple websites' SSL certs.
            >>
            >> But the mail server needs only one for itself.
            >>
            >> The other mail servers don't look at "what domain" sends the mail; they
            >> look
            >> at where the mail is coming from. It's coming from your one mail server.
            >> So the mail server only needs one certificate, but can be responsible
            >> for multiple domains.
            >>
            >> Got it?
            >>
            >> (Hope it's easily explained)
            >>
            >> marko
            >>
            >>
            >>
            >> On 2013-02-25 10:33, marcos gonzalez wrote:
            >>> HI
            >>>
            >>> I'm preparing a server with Postfix 2.7.1 and now I'm in the
            >>> process of securing the connection with a certificate. I have
            >>> two domains, and normally using a multi-domain certificate you
            >>> can join them, but the ownership of the domains is different
            >>> and you can't do that. How do companies with N associated
            >>> domains resolve this
            >>> problem?
            >>>
            >>> Best Regards
            >>
          • Birta Levente
            Message 5 of 16, Feb 25, 2013
              On 25/02/2013 12:38, marcos gonzalez wrote:
              > Hi
              >
              > Thanks for the answer.
              >
              > I'm reading how several of you separate HTTP from mail; that is correct, but if
              > you need the same SSL certificate for more than one domain, and for
              > legal reasons you can't include all domains in one certificate, I
              > don't know if Postfix has the possibility to create a domain table
              > where you can say "for this domain, this certificate". I know this is a
              > very special case and not typical to do, and for this reason I prefer to
              > comment on this list.
              >
              > If anyone knows how to create this rule, I'd be grateful
              >

              I use multiple certificates on multiple domains with multiple Postfix
              instances :)

              http://www.postfix.org/MULTI_INSTANCE_README.html
            • Reindl Harald
              Message 6 of 16, Feb 25, 2013
                On 25.02.2013 21:54, Birta Levente wrote:
                > On 25/02/2013 12:38, marcos gonzalez wrote:
                >> Hi
                >>
                >> Thanks for the answer.
                >>
                >> I'm reading how several of you separate HTTP from mail; that is correct, but if you need the same SSL certificate for more
                >> than one domain, and for legal reasons you can't include all domains in one certificate, I don't know if
                >> Postfix has the possibility to create a domain table where you can say "for this domain, this certificate". I
                >> know this is a very special case and not typical to do, and for this reason I prefer to comment on this list.
                >>
                >> If anyone knows how to create this rule, I'd be grateful
                >>
                >
                > I use multiple certificates on multiple domains with multiple Postfix instances :)
                >
                > http://www.postfix.org/MULTI_INSTANCE_README.html

                have fun if you grow to 100, 200, 300, 500 domains

                your administration overhead will grow dramatically for zero
                benefit, or sooner or later you have to go back to a unified
                server name

                the idiot who was admin before me also thought it was cool
                to have "mail.domain.tld" and communicate it for his 5
                domains; now that we have some hundred of them I am
                happy that I made the step to unify it to "mail.thelounge.net"
                with ONE certificate and ONE IP address to keep things simple
              • Birta Levente
                Message 7 of 16, Feb 25, 2013
                  On 25/02/2013 22:59, Reindl Harald wrote:
                  >
                  > On 25.02.2013 21:54, Birta Levente wrote:
                  >> On 25/02/2013 12:38, marcos gonzalez wrote:
                  >>> Hi
                  >>>
                  >>> Thanks for the answer.
                  >>>
                  >>> I'm reading how several of you separate HTTP from mail; that is correct, but if you need the same SSL certificate for more
                  >>> than one domain, and for legal reasons you can't include all domains in one certificate, I don't know if
                  >>> Postfix has the possibility to create a domain table where you can say "for this domain, this certificate". I
                  >>> know this is a very special case and not typical to do, and for this reason I prefer to comment on this list.
                  >>>
                  >>> If anyone knows how to create this rule, I'd be grateful
                  >>>
                  >> I use multiple certificates on multiple domains with multiple Postfix instances :)
                  >>
                  >> http://www.postfix.org/MULTI_INSTANCE_README.html
                  > have fun if you grow to 100, 200, 300, 500 domains
                  >
                  > your administration overhead will grow dramatically for zero
                  > benefit, or sooner or later you have to go back to a unified
                  > server name
                  >
                  > the idiot who was admin before me also thought it was cool
                  > to have "mail.domain.tld" and communicate it for his 5
                  > domains; now that we have some hundred of them I am
                  > happy that I made the step to unify it to "mail.thelounge.net"
                  > with ONE certificate and ONE IP address to keep things simple
                  >

                  Absolutely right. But in my case (and possibly others') it's about 10
                  domains ... and only 2 have a different certificate/IP .... because
                  ... well ... they have ... it depends on the situation...
                • Reindl Harald
                  Message 8 of 16, Feb 25, 2013
                    On 25.02.2013 22:39, Birta Levente wrote:
                    >
                    > On 25/02/2013 22:59, Reindl Harald wrote:
                    >>
                    >> On 25.02.2013 21:54, Birta Levente wrote:
                    >>> On 25/02/2013 12:38, marcos gonzalez wrote:
                    >>>> Hi
                    >>>>
                    >>>> Thanks for the answer.
                    >>>>
                    >>>> I'm reading how several of you separate HTTP from mail; that is correct, but if you need the same SSL certificate for more
                    >>>> than one domain, and for legal reasons you can't include all domains in one certificate, I don't know if
                    >>>> Postfix has the possibility to create a domain table where you can say "for this domain, this certificate". I
                    >>>> know this is a very special case and not typical to do, and for this reason I prefer to comment on this list.
                    >>>>
                    >>>> If anyone knows how to create this rule, I'd be grateful
                    >>>>
                    >>> I use multiple certificates on multiple domains with multiple Postfix instances :)
                    >>>
                    >>> http://www.postfix.org/MULTI_INSTANCE_README.html
                    >> have fun if you grow to 100, 200, 300, 500 domains
                    >>
                    >> your administration overhead will grow dramatically for zero
                    >> benefit, or sooner or later you have to go back to a unified
                    >> server name
                    >>
                    >> the idiot who was admin before me also thought it was cool
                    >> to have "mail.domain.tld" and communicate it for his 5
                    >> domains; now that we have some hundred of them I am
                    >> happy that I made the step to unify it to "mail.thelounge.net"
                    >> with ONE certificate and ONE IP address to keep things simple
                    >>
                    >
                    > Absolutely right. But in my case (and possibly others') it's about 10 domains ... and only 2 have a different
                    > certificate/IP .... because ... well ... they have ... it depends on the situation...

                    so set up a virtual machine for them or explain to them
                    that it is useless - the argument is simple: price

                    let them pay enough to maintain their VMs, and if they
                    do not want to pay, well, give them a setup which works
                    perfectly for 100, 500, 1000, 5000 domains
                  • /dev/rob0
                    Message 9 of 16, Feb 27, 2013
                      On Mon, Feb 25, 2013 at 04:59:37PM +0000, Viktor Dukhovni wrote:
                      > I see negligible benefit from an SNI implementation for Postfix.
                      >
                      > Is it time to add an anti-SNI rationale section to TLS_README? This
                      > would set a bad precedent, there is no limit to the number of
                      > non-features we could document.

                      Rather than putting it in TLS_README, I think a FAQ would be more
                      fitting. I know we used to have a FAQ document, but it has long ago
                      been abandoned. We get a lot of the same questions here, and some
                      ardent Googlers still stumble upon the old faq.html page.

                      Perhaps rather than a DNS_README as you suggested in another thread,
                      that could be worked into a FAQ? I agree, DNS is a vital subject to
                      most MTA administrators, but here too it's not going to cover actual
                      Postfix features, for the most part.
                      --
                      http://rob0.nodns4.us/ -- system administration and consulting
                      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
                    • Fernando Maior
                      Message 10 of 16, Mar 3, 2013
                        Maybe we can put that into the Postfix documentation page, in the "Specific environments" section. Also, maybe DNS can be there; both are "environments" anyway...

                        Just 2 cents...

                        Best regards,
                        ---
                        Fernando Maciel Souto Maior

                        On Wed, Feb 27, 2013 at 6:17 PM, /dev/rob0 <rob0@...> wrote:
                        On Mon, Feb 25, 2013 at 04:59:37PM +0000, Viktor Dukhovni wrote:
                        > I see negligible benefit from an SNI implementation for Postfix.
                        >
                        > Is it time to add an anti-SNI rationale section to TLS_README? This
                        > would set a bad precedent, there is no limit to the number of
                        > non-features we could document.

                        Rather than putting it in TLS_README, I think a FAQ would be more
                        fitting. I know we used to have a FAQ document, but it has long ago
                        been abandoned. We get a lot of the same questions here, and some
                        ardent Googlers still stumble upon the old faq.html page.

                        Perhaps rather than a DNS_README as you suggested in another thread,
                        that could be worked into a FAQ? I agree, DNS is a vital subject to
                        most MTA administrators, but here too it's not going to cover actual
                        Postfix features, for the most part.
                        --
                          http://rob0.nodns4.us/ -- system administration and consulting
                          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
