From: Eduardo Júnior on 1 Jun 2010 10:11

Hi, all

I'm blocking the communication from MUA to MTA on port 25/tcp,
doing that only through ports 587/tcp and 465/tcp.

But my Postfix box provides mail services to many domains and I created
only one SSL certificate with the server name as Common Name.

And I get many warnings because the Common Name in the certificate doesn't match
the FQDN of the SMTP server configured on mail clients (Outlook,
Thunderbird, etc.)

For example:

Common Name: myserver.domain.com
MX for domain1: smtp.domain1.com
MX for domain2: smtp.domain2.com

Then, how do I configure SSL certificates per domain on Postfix?
References?

Thanks,

[]'s

--
Eduardo Júnior
GNU/Linux user #423272

:wq

From: Wietse Venema on 1 Jun 2010 10:20

Eduardo Júnior:
> Hi, all
>
> I'm blocking the communication from MUA to MTA from port 25/tcp,
> doing that only through from ports 587/tcp and 465/tcp
>
> But my box Postfix provides mail services to many domains and I created
> a only SSL certificate with the name server as Common Name.
>
> And I get many warnings because the Common Name in the certificate doesn't match
> the FQDN of the SMTP server configured on mail clients (outlook,
> thunderbird, etc)
>
> For example:
>
> Common Name: myserver.domain.com
> MX for domain1: smtp.domain1.com
> MX for domain2: smtp.domain2.com
>
> Then, how i configure SSL Certificates per domain on Postfix?
> References?

How would Postfix know what certificate to use?
Hint: SMTP is not HTTP.

Wietse

From: Victor Duchovni on 1 Jun 2010 11:00

On Tue, Jun 01, 2010 at 10:20:56AM -0400, Wietse Venema wrote:

> > Common Name: myserver.domain.com
> > MX for domain1: smtp.domain1.com
> > MX for domain2: smtp.domain2.com
> >
> > Then, how i configure SSL Certificates per domain on Postfix?
> > References?
>
> How would Postfix know what certificate to use?
> Hint: SMTP is not HTTP.

Now that OpenSSL 1.0 is out, and has "always on" support for TLSv1
extensions, I may find some time to add SNI support to Postfix. This
creates significant additional complexity in the SMTP server SSL
state management, and with most users on 0.9.8 or even 0.9.7, it
has not yet been a priority.

Even with SNI support, most SMTP clients will not make use of SNI, so
it will take a long time before SMTP STARTTLS servers can expect to
support multiple certificates for most clients.

--
Viktor.

From: "Martin Strand" on 1 Jun 2010 10:32

On Tue, 01 Jun 2010 16:20:56 +0200, Wietse Venema <wietse(a)porcupine.org> wrote:

> Eduardo Júnior:
>>
>> But my box Postfix provides mail services to many domains and I created
>> a only SSL certificate with the name server as Common Name.
>>
>> And I get many warnings because the Common Name in the certificate
>> doesn't match
>> the FQDN of the SMTP server configured on mail clients (outlook,
>> thunderbird, etc)
>>
>> For example:
>>
>> Common Name: myserver.domain.com
>> MX for domain1: smtp.domain1.com
>> MX for domain2: smtp.domain2.com
>>
>> Then, how i configure SSL Certificates per domain on Postfix?
>> References?
>
> How would Postfix know what certificate to use?
> Hint: SMTP is not HTTP.
>
> Wietse

Even HTTP wouldn't be able to handle this since it doesn't know the hostname until after the SSL handshake when the request has been sent.

If clients support it, I suppose you could add SANs (subject alternative names) to the certificate. It's a list of "alternative" hostnames covered by the same certificate:
http://en.wikipedia.org/wiki/Subject_Alternative_Name

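An added example, not part of the original thread: the hostname check a mail client applies to the server certificate, run against the thread's sample names with and without SAN entries. It assumes RFC 6125-style matching (SAN dNSName entries take precedence over the Common Name); the function names and certificate dicts are constructed for illustration.

```python
# Added example: certificate contents are constructed from the thread's sample hostnames.

def _label_match(pattern, host):
    """Match one dNSName against a host; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse over-broad names such as "*.com"
    return p == h


def names_in_cert(cert):
    """Return the names a client compares against: SAN dNSNames, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:                      # RFC 6125: the CN is ignored once a dNSName SAN exists
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def mismatches(cert, client_hosts):
    """Hostnames configured in mail clients that would trigger a name-mismatch warning."""
    names = names_in_cert(cert)
    return [h for h in client_hosts if not any(_label_match(n, h) for n in names)]


# Constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert().
CN_ONLY = {"subject": ((("commonName", "myserver.domain.com"),),)}
WITH_SANS = {
    "subject": ((("commonName", "myserver.domain.com"),),),
    "subjectAltName": (("DNS", "myserver.domain.com"),
                       ("DNS", "smtp.domain1.com"),
                       ("DNS", "smtp.domain2.com")),
}
# Pitfall: once any SAN is present, the CN name must be repeated as a SAN too.
SANS_WITHOUT_CN_NAME = {
    "subject": ((("commonName", "myserver.domain.com"),),),
    "subjectAltName": (("DNS", "smtp.domain1.com"),),
}
CLIENT_HOSTS = ["myserver.domain.com", "smtp.domain1.com", "smtp.domain2.com"]

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("with SANs", WITH_SANS),
                        ("SANs omit server name", SANS_WITHOUT_CN_NAME)):
        print(label, "->", mismatches(cert, CLIENT_HOSTS) or "no warnings")
```
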
From: Terry Inzauro on 1 Jun 2010 13:23

On 06/01/2010 10:00 AM, Victor Duchovni wrote:
> On Tue, Jun 01, 2010 at 10:20:56AM -0400, Wietse Venema wrote:
>
>>> Common Name: myserver.domain.com
>>> MX for domain1: smtp.domain1.com
>>> MX for domain2: smtp.domain2.com
>>>
>>> Then, how i configure SSL Certificates per domain on Postfix?
>>> References?
>>
>> How would Postfix know what certificate to use?
>> Hint: SMTP is not HTTP.
>
> Now that OpenSSL 1.0 is out, and has "always on" support for TLSv1
> extensions, I may find some time to add SNI support to Postfix. This
> creates significant additional complexity in the SMTP server SSL
> state management, and with most users on 0.9.8 or even 0.9.7, it
> has not yet been a priority.
>
> Even with SNI support, most SMTP clients will not make use of SNI, so
> it will take a long time before SMTP STARTTLS servers can expect to
> support multiple certificates for most clients.
>

Could this be a case where it makes sense to run multiple instances of Postfix which bind to different IPs and are each configured with unique certs?

kind regards,

_Terry