
Re: is possible to use different SSL certificates for different domains?

  • Marko Weber | ZBF
    Message 1 of 16 , Feb 25 9:54 AM
      in other words NO.
      in reality outside you don't do this.

      the MAILSERVER authenticates himself with his Cert/key/CA.
      NOT the Domains themselves he is responsible for.

      So it doesn't matter how many domains the mailserver is responsible
      for.
      You need only one Cert/Key for the Mailserver.

      On HTTPS it's another thingie, there the clients are anonymous.

      The Mailserver doesn't connect to another server and want to upload there
      a mail and say "hello, for DOMAIN tricky.com I will upload a mail, and
      this is the cert/key/ca for tricky.com"

      The Mailserver connects to the other Mailserver and says, hello I AM
      MAILSERVER SUPERMOFO.net, and I will upload you a mail from tricky.com.
      Here's the cert/key/CA for SUPERMOFO.net.

      do you understand now?

      you tell via DNS WHAT mailserver is responsible for the mail exchange for
      tricky.com

      that's it.

      marko

      a very great howto/guide that made many things clear for me the last
      days was: http://www.postfix.org/TLS_README.html

      please, forget your mumpitz with hundreds of certs for domains on a
      mailserver.
      You DON'T need it.


      On 2013-02-25 11:38, marcos gonzalez wrote:
      > Hi
      >
      > Thanks for the answer.
      >
      > I'm reading how more of you separates http of mail, is correct but If
      > you needs the same SSL certificate for more than one domain, and for
      > legal questions you can't include all domains in one certificate, I
      > don't know If postfix has the possibility to create a table domains
      > where you can say " for this domain this certificate". I know is a
      > very special case and not's typical to do, and for this I prefer to
      > comment to this list.
      >
      > If anyone knows how to create this rule, be grateful
      >
      > Thanks
      >
      > On 25/02/2013 10:46, Marko Weber | ZBF wrote:
      >>
      >> The "one" Mailserver, that is doing mailing for N Domains,
      >> only need "one" Certificate.
      >>
      >> Other thing is with "websites", they need each one.
      >> connect multiple IPs to the server for multiple websites ssl certs.
      >>
      >> but the mailserver only one for himself.
      >>
      >> the other mailservers don't look "what domain" sends the mail, they
      >> look
      >> from where the mail is coming. it's coming from your one mailserver.
      >> so the mailserver only needs one certificate, but can be responsible
      >> for multiple domains.
      >>
      >> got it?
      >>
      >> (hope it's easily explained)
      >>
      >> marko
      >>
      >>
      >>
      >> On 2013-02-25 10:33, marcos gonzalez wrote:
      >>> Hi
      >>>
      >>> I'm preparing a server with postfix 2.7.1 and now I'm with the
      >>> process
      >>> to certificate the connection. I have two domains and normally using
      >>> multiple domains certificate you can join this, but the property of
      >>> domains is different and you can't do that. How resolves this
      >>> problem
      >>> the companies with N domains associated?
      >>>
      >>> Best Regards
      >>
    • Birta Levente
      Message 2 of 16 , Feb 25 12:54 PM
        On 25/02/2013 12:38, marcos gonzalez wrote:
        > Hi
        >
        > Thanks for the answer.
        >
        > I'm reading how more of you separates http of mail, is correct but If
        > you needs the same SSL certificate for more than one domain, and for
        > legal questions you can't include all domains in one certificate, I
        > don't know If postfix has the possibility to create a table domains
        > where you can say " for this domain this certificate". I know is a
        > very special case and not's typical to do, and for this I prefer to
        > comment to this list.
        >
        > If anyone knows how to create this rule, be grateful
        >

        I use multiple certificates on multiple domains with multiple postfix
        instances :)

        http://www.postfix.org/MULTI_INSTANCE_README.html
      • Reindl Harald
        Message 3 of 16 , Feb 25 12:59 PM
          On 25.02.2013 21:54, Birta Levente wrote:
          > On 25/02/2013 12:38, marcos gonzalez wrote:
          >> Hi
          >>
          >> Thanks for the answer.
          >>
          >> I'm reading how more of you separates http of mail, is correct but If you needs the same SSL certificate for more
          >> than one domain, and for legal questions you can't include all domains in one certificate, I don't know If
          >> postfix has the possibility to create a table domains where you can say " for this domain this certificate". I
          >> know is a very special case and not's typical to do, and for this I prefer to comment to this list.
          >>
          >> If anyone knows how to create this rule, be grateful
          >>
          >
          > I use multiple certificates on multiple domains with multiple postfix instances :)
          >
          > http://www.postfix.org/MULTI_INSTANCE_README.html

          have fun if you are growing up to 100, 200, 300, 500 domains

          your administration overhead will grow dramatically for zero
          benefit or you have sooner or later to go back to a unified
          servername

          the idiot who was admin before me also thought it is cool
          to have "mail.domain.tld" and communicate it for his 5
          domains, now as we have some hundred of them i am
          happy that i have made the step to unify it to "mail.thelounge.net"
          with ONE certificate and ONE ip-address to keep things simple
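
The point made in the posts above (the certificate names the mail server that the MX records point to, not each hosted mail domain, and per-domain "mail.domain.tld" names multiply the names a certificate has to cover), as an added example that is not part of any post in this thread. It assumes the sending server compares the certificate's DNS names with the MX host name; all domains, MX data and certificate names are constructed.

```python
# Added illustration: constructed data, no network access.

# Constructed MX data: mail domain -> list of (preference, MX host).
MX = {
    "tricky.example": [(10, "mail.hoster.example")],
    "shop.example": [(10, "mail.hoster.example")],
    "legacy.example": [(10, "mail.legacy.example")],  # per-domain MX name
}

# Constructed subjectAltName DNS entries of the server's single certificate.
CERT_DNS_NAMES = ["mail.hoster.example"]


def name_matches(pattern, host):
    """Compare one certificate DNS name with a host name.

    A wildcard is honoured only as the complete leftmost label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def best_mx(domain, mx=MX):
    """Return the MX host with the lowest preference value (tried first)."""
    return min(mx[domain])[1]


def audit(cert_names=CERT_DNS_NAMES, mx=MX):
    """Map each hosted domain to (MX host, certificate covers that host?)."""
    report = {}
    for domain in sorted(mx):
        host = best_mx(domain, mx)
        ok = any(name_matches(n, host) for n in cert_names)
        report[domain] = (host, ok)
    return report


if __name__ == "__main__":
    for domain, (host, ok) in audit().items():
        print(f"{domain:16} MX {host:22} {'match' if ok else 'NAME MISMATCH'}")
```

The two domains whose MX is the shared host pass with one certificate even though neither domain appears in it; the domain with its own MX name is the only one that needs another name on the certificate.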
        • Birta Levente
          Message 4 of 16 , Feb 25 1:39 PM
            On 25/02/2013 22:59, Reindl Harald wrote:
            >
            > On 25.02.2013 21:54, Birta Levente wrote:
            >> On 25/02/2013 12:38, marcos gonzalez wrote:
            >>> Hi
            >>>
            >>> Thanks for the answer.
            >>>
            >>> I'm reading how more of you separates http of mail, is correct but If you needs the same SSL certificate for more
            >>> than one domain, and for legal questions you can't include all domains in one certificate, I don't know If
            >>> postfix has the possibility to create a table domains where you can say " for this domain this certificate". I
            >>> know is a very special case and not's typical to do, and for this I prefer to comment to this list.
            >>>
            >>> If anyone knows how to create this rule, be grateful
            >>>
            >> I use multiple certificates on multiple domains with multiple postfix instances :)
            >>
            >> http://www.postfix.org/MULTI_INSTANCE_README.html
            > have fun if you are growing up to 100, 200, 300, 500 domains
            >
            > your administration overhead will grow dramatically for zero
            > benefit or you have sooner or later to go back to a unified
            > servername
            >
            > the idiot who was admin before me also thought it is cool
            > to have "mail.domain.tld" and communicate it for his 5
            > domains, now as we have some hundred of them i am
            > happy that i have made the step to unify it to "mail.thelounge.net"
            > with ONE certificate and ONE ip-address to keep things simple
            >

            Absolutely right. But in my case (and possibly others) it's about 10
            domains ... and only 2 have different certificate/IP .... because
            ...well ... they have ... it's from situation to situation...
          • Reindl Harald
            Message 5 of 16 , Feb 25 1:47 PM
              On 25.02.2013 22:39, Birta Levente wrote:
              >
              > On 25/02/2013 22:59, Reindl Harald wrote:
              >>
              >> On 25.02.2013 21:54, Birta Levente wrote:
              >>> On 25/02/2013 12:38, marcos gonzalez wrote:
              >>>> Hi
              >>>>
              >>>> Thanks for the answer.
              >>>>
              >>>> I'm reading how more of you separates http of mail, is correct but If you needs the same SSL certificate for more
              >>>> than one domain, and for legal questions you can't include all domains in one certificate, I don't know If
              >>>> postfix has the possibility to create a table domains where you can say " for this domain this certificate". I
              >>>> know is a very special case and not's typical to do, and for this I prefer to comment to this list.
              >>>>
              >>>> If anyone knows how to create this rule, be grateful
              >>>>
              >>> I use multiple certificates on multiple domains with multiple postfix instances :)
              >>>
              >>> http://www.postfix.org/MULTI_INSTANCE_README.html
              >> have fun if you are growing up to 100, 200, 300, 500 domains
              >>
              >> your administration overhead will grow dramatically for zero
              >> benefit or you have sooner or later to go back to a unified
              >> servername
              >>
              >> the idiot who was admin before me also thought it is cool
              >> to have "mail.domain.tld" and communicate it for his 5
              >> domains, now as we have some hundred of them i am
              >> happy that i have made the step to unify it to "mail.thelounge.net"
              >> with ONE certificate and ONE ip-address to keep things simple
              >>
              >
              > Absolutely right. But in my case (and possibly others) it's about 10 domains ... and only 2 have different
              > certificate/IP .... because ...well ... they have ... it's from situation to situation...

              so set up a virtual machine for them or explain to them
              that it is useless - the argumentation is simple: price

              let them pay enough to maintain their VM's and if they
              do not want to pay, well, give them a setup which works
              for 100, 500, 1000, 5000 domains perfectly
            • /dev/rob0
              Message 6 of 16 , Feb 27 1:17 PM
                On Mon, Feb 25, 2013 at 04:59:37PM +0000, Viktor Dukhovni wrote:
                > I see negligible benefit from an SNI implementation for Postfix.
                >
                > Is it time to add an anti-SNI rationale section to TLS_README? This
                > would set a bad precedent, there is no limit to the number of
                > non-features we could document.

                Rather than putting it in TLS_README, I think a FAQ would be more
                fitting. I know we used to have a FAQ document, but it has long ago
                been abandoned. We get a lot of the same questions here, and some
                ardent Googlers still stumble upon the old faq.html page.

                Perhaps rather than a DNS_README as you suggested in another thread,
                that could be worked into a FAQ? I agree, DNS is a vital subject to
                most MTA administrators, but here too it's not going to cover actual
                Postfix features, for the most part.
                --
                http://rob0.nodns4.us/ -- system administration and consulting
                Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
              • Fernando Maior
                Message 7 of 16 , Mar 3, 2013
                  Maybe we can put that into the Postfix documentation page, in the "Specific environments" section. Also, maybe DNS can be there, both are "environments" anyway...

                  Just 2 cents...

                  Best regards,
                  ---
                  Fernando Maciel Souto Maior

                  On Wed, Feb 27, 2013 at 6:17 PM, /dev/rob0 <rob0@...> wrote:
                  On Mon, Feb 25, 2013 at 04:59:37PM +0000, Viktor Dukhovni wrote:
                  > I see negligible benefit from an SNI implementation for Postfix.
                  >
                  > Is it time to add an anti-SNI rationale section to TLS_README? This
                  > would set a bad precedent, there is no limit to the number of
                  > non-features we could document.

                  Rather than putting it in TLS_README, I think a FAQ would be more
                  fitting. I know we used to have a FAQ document, but it has long ago
                  been abandoned. We get a lot of the same questions here, and some
                  ardent Googlers still stumble upon the old faq.html page.

                  Perhaps rather than a DNS_README as you suggested in another thread,
                  that could be worked into a FAQ? I agree, DNS is a vital subject to
                  most MTA administrators, but here too it's not going to cover actual
                  Postfix features, for the most part.
                  --
                    http://rob0.nodns4.us/ -- system administration and consulting
                    Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
