From: Eduardo Júnior on
Hi, all


I'm blocking communication from MUA to MTA on port 25/tcp,
allowing it only through ports 587/tcp and 465/tcp.


But my Postfix box provides mail services to many domains and I created
only one SSL certificate, with the server name as Common Name.


And I get many warnings because the Common Name in the certificate doesn't match
the FQDN of the SMTP server configured in mail clients (Outlook,
Thunderbird, etc.)

For example:

Common Name: myserver.domain.com
MX for domain1: smtp.domain1.com
MX for domain2: smtp.domain2.com


Then, how do I configure SSL certificates per domain on Postfix?
References?

Thanks,

[]'s

--
Eduardo Júnior
GNU/Linux user #423272

:wq

From: Wietse Venema on
Eduardo Júnior:
> Hi, all
>
>
> I'm blocking the communication from MUA to MTA from port 25/tcp,
> doing that only through from ports 587/tcp and 465/tcp
>
>
> But my box Postfix provides mail services to many domains and I created
> a only SSL certificate with the name server as Common Name.
>
>
> And I get many warnings because the Common Name in the certificate doesn't match
> the FQDN of the SMTP server configured on mail clients (outlook,
> thunderbird, etc)
>
> For example:
>
> Common Name: myserver.domain.com
> MX for domain1: smtp.domain1.com
> MX for domain2: smtp.domain2.com
>
> Then, how i configure SSL Certificates per domain on Postfix?
> References?

How would Postfix know what certificate to use?
Hint: SMTP is not HTTP.

Wietse

From: Victor Duchovni on
On Tue, Jun 01, 2010 at 10:20:56AM -0400, Wietse Venema wrote:

> > Common Name: myserver.domain.com
> > MX for domain1: smtp.domain1.com
> > MX for domain2: smtp.domain2.com
> >
> > Then, how i configure SSL Certificates per domain on Postfix?
> > References?
>
> How would Postfix know what certificate to use?
> Hint: SMTP is not HTTP.

Now that OpenSSL 1.0 is out, and has "always on" support for TLSv1
extensions, I may find some time to add SNI support to Postfix. This
creates significant additional complexity in the SMTP server SSL
state management, and with most users on 0.9.8 or even 0.9.7, it
has not yet been a priority.

Even with SNI support, most SMTP clients will not make use of SNI, so
it will take a long time before SMTP STARTTLS servers can expect to
support multiple certificates for most clients.

--
Viktor.

From: "Martin Strand" on
On Tue, 01 Jun 2010 16:20:56 +0200, Wietse Venema <wietse(a)porcupine.org>
wrote:

> Eduardo Júnior:
>>
>> But my box Postfix provides mail services to many domains and I created
>> a only SSL certificate with the name server as Common Name.
>>
>>
>> And I get many warnings because the Common Name in the certificate
>> doesn't match
>> the FQDN of the SMTP server configured on mail clients (outlook,
>> thunderbird, etc)
>>
>> For example:
>>
>> Common Name: myserver.domain.com
>> MX for domain1: smtp.domain1.com
>> MX for domain2: smtp.domain2.com
>>
>> Then, how i configure SSL Certificates per domain on Postfix?
>> References?
>
> How would Postfix know what certificate to use?
> Hint: SMTP is not HTTP.
>
> Wietse


Even HTTP wouldn't be able to handle this since it doesn't know the
hostname until after the SSL handshake when the request has been sent.

If clients support it, I suppose you could add SANs (subject alternative
names) to the certificate. It's a list of "alternative" hostnames covered
by the same certificate:
http://en.wikipedia.org/wiki/Subject_Alternative_Name
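
Added example, not code from the thread: the hostname check a mail client performs against the server certificate (the RFC 6125 rules, reimplemented here), run against the two certificate shapes discussed above, a CN-only certificate like the original poster's and one carrying SANs for the MX names. The certificate dicts are constructed samples in the layout of Python's ssl.getpeercert(); the helper names are mine.

```python
# Constructed sample certificates in ssl.SSLSocket.getpeercert() layout.
CN_ONLY_CERT = {
    "subject": ((("commonName", "myserver.domain.com"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "myserver.domain.com"),),),
    "subjectAltName": (
        ("DNS", "myserver.domain.com"),
        ("DNS", "smtp.domain1.com"),
        ("DNS", "smtp.domain2.com"),
    ),
}


def _label_matches(pattern, hostname):
    """Match one DNS name pattern; '*' is only honoured as the whole
    leftmost label (RFC 6125 section 6.4.3) and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep:
        return False  # reject partial wildcards such as "sm*.domain1.com"
    hhead, hsep, htail = hostname.partition(".")
    return bool(hsep) and hhead != "" and htail == tail


def cert_names(cert):
    """Names the certificate is valid for. When a subjectAltName is
    present, clients ignore the Common Name (RFC 6125 section 6.4.4)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def server_name_matches(cert, configured_name):
    """True if an MUA configured with configured_name accepts cert."""
    return any(_label_matches(p, configured_name) for p in cert_names(cert))


def check_domains(cert, mua_server_names):
    """Per configured server name: True = accepted, False = CN/SAN warning."""
    return {n: server_name_matches(cert, n) for n in mua_server_names}


if __name__ == "__main__":
    names = ["myserver.domain.com", "smtp.domain1.com", "smtp.domain2.com"]
    print("CN-only cert:", check_domains(CN_ONLY_CERT, names))
    print("SAN cert:    ", check_domains(SAN_CERT, names))
```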

From: Terry Inzauro on
On 06/01/2010 10:00 AM, Victor Duchovni wrote:
> On Tue, Jun 01, 2010 at 10:20:56AM -0400, Wietse Venema wrote:
>
>>> Common Name: myserver.domain.com
>>> MX for domain1: smtp.domain1.com
>>> MX for domain2: smtp.domain2.com
>>>
>>> Then, how i configure SSL Certificates per domain on Postfix?
>>> References?
>>
>> How would Postfix know what certificate to use?
>> Hint: SMTP is not HTTP.
>
> Now that OpenSSL 1.0 is out, and has "always on" support for TLSv1
> extensions, I may find some time to add SNI support to Postfix. This
> creates significant additional complexity in the SMTP server SSL
> state management, and with most users on 0.9.8 or even 0.9.7, it
> has not yet been a priority.
>
> Even with SNI support, most SMTP clients will not make use of SNI, so
> it will take a long time before SMTP STARTTLS servers can expect to
> support multiple certificates for most clients.
>

Could this be a case where it makes sense to run multiple instances of Postfix which bind to different IPs and are each
configured with unique certs?


kind regards,

_Terry