On Tue, Jan 29, 2013 at 08:43:31AM +0100, Markus Grunwald wrote:

> is it possible to use multiple certificates for my virtual mail domains?

http://archives.neohapsis.com/archives/postfix/2013-01/0174.html

For Postfix 2.11 (2.10 is almost out the door, so it is too late for this
year) I've laid the groundwork for an RFC 6698 (DANE TLSA) implementation,
and expect that the RFC will be fully supported by the time 2.11 is
released early in 2014.

https://tools.ietf.org/html/rfc6698

Assuming DNSSEC is adopted widely (and perhaps DANE is a real incentive)
this will make key management for SMTP substantially more scalable, and
perhaps some day the majority of SMTP servers will have verifiable TLS
certs verified by a public key fingerprint in DNS. As easy as:

    $ openssl x509 -in /usr/pkg/etc/mail-cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256
    (stdin)= 89ef5b500559318251538fb1da0bd309d38bd021eb0311a3227be7b331b05bac

DNS:

    _25._tcp.smtp.example.com. IN TLSA (
        3 1 1 89ef5b500559318251538fb1da0bd309
              d38bd021eb0311a3227be7b331b05bac )

(plus appropriate RRSIG records). And you get CA-free certificates that
(once other MTAs implement DANE) everyone can verify.

-- 
	Viktor.
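The openssl pipeline above is doing three things: pull the SubjectPublicKeyInfo out of the certificate, DER-encode it, and SHA-256 it. The following Python is an added worked example (not Viktor's code and not part of Postfix) that does the same steps with a minimal DER walker, emits the "3 1 1 <hex>" RDATA, and also shows the receiving side: checking a certificate against a TLSA record's association data for any selector (0 = full certificate, 1 = SPKI) and matching type (0 = exact, 1 = SHA2-256, 2 = SHA2-512) as defined in RFC 6698, which goes a little beyond the single 3 1 1 case in the post. The certificate it runs on is a constructed, unsigned mock built inline so the script runs offline; on a real PEM file use der_from_pem() on the file contents. It compares association data only; the chain/PKIX validation that usages 0 through 2 additionally require is out of scope.

```python
import base64
import hashlib

# --- minimal DER helpers (enough for walking an X.509 certificate) ---------

def _tlv_decode(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, body_start, body_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    hdr = 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start = pos + hdr
    return tag, start, start + length


def _tlv_encode(tag, body):
    """Encode one DER TLV (lengths up to 65535 are enough for this demo)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + body


def der_from_pem(pem_text):
    """Strip the -----BEGIN/END----- armour lines and base64-decode the body."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    return base64.b64decode("".join(ln for ln in lines
                                    if ln and not ln.startswith("-----")))


def extract_spki(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo of an X.509 certificate.

    Walks Certificate -> tbsCertificate -> [0] version (optional), serial,
    signature, issuer, validity, subject, subjectPublicKeyInfo (RFC 5280).
    """
    tag, body, _ = _tlv_decode(cert_der, 0)          # Certificate
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv_decode(cert_der, body)        # tbsCertificate
    if tag != 0x30:
        raise ValueError("bad tbsCertificate")
    tag, _, end = _tlv_decode(cert_der, pos)
    if tag == 0xA0:                                  # optional [0] version
        pos = end
    for _ in range(5):                               # serial .. subject
        _, _, pos = _tlv_decode(cert_der, pos)
    tag, _, end = _tlv_decode(cert_der, pos)
    if tag != 0x30:
        raise ValueError("bad subjectPublicKeyInfo")
    return cert_der[pos:end]


# --- RFC 6698 association data ----------------------------------------------

_DIGESTS = {0: lambda b: b,                          # Full: exact bytes
            1: lambda b: hashlib.sha256(b).digest(),  # SHA2-256
            2: lambda b: hashlib.sha512(b).digest()}  # SHA2-512


def tlsa_association_data(cert_der, selector, matching_type):
    """Certificate association data: selector 0 = full cert, 1 = SPKI."""
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        subject = extract_spki(cert_der)
    else:
        raise ValueError("unknown selector")
    if matching_type not in _DIGESTS:
        raise ValueError("unknown matching type")
    return _DIGESTS[matching_type](subject)


def tlsa_rdata(cert_der, usage=3, selector=1, matching_type=1):
    """Presentation-format RDATA, e.g. '3 1 1 <64 hex chars>' as in the post."""
    data = tlsa_association_data(cert_der, selector, matching_type)
    return "%d %d %d %s" % (usage, selector, matching_type, data.hex())


def matches_tlsa(cert_der, usage, selector, matching_type, hex_data):
    """Does the certificate satisfy one TLSA record's association data?

    Data comparison only: for usage 3 (DANE-EE, the post's case) that is the
    whole check on the leaf; usages 0-2 also need chain validation (not done).
    """
    try:
        expected = bytes.fromhex(hex_data.replace(" ", ""))
        got = tlsa_association_data(cert_der, selector, matching_type)
    except ValueError:
        return False
    return got == expected


# --- constructed mock certificate (NOT a real or signed certificate) --------
_OID_RSA = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1
_OID_SHA256RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
_ALG_RSA = _tlv_encode(0x30, _tlv_encode(0x06, _OID_RSA) + _tlv_encode(0x05, b""))
_ALG_SIG = _tlv_encode(0x30, _tlv_encode(0x06, _OID_SHA256RSA) + _tlv_encode(0x05, b""))
_RSA_KEY = _tlv_encode(0x30, _tlv_encode(0x02, b"\x00" + b"\xc3" * 32)   # toy modulus
                       + _tlv_encode(0x02, b"\x01\x00\x01"))             # e = 65537
MOCK_SPKI_DER = _tlv_encode(0x30, _ALG_RSA + _tlv_encode(0x03, b"\x00" + _RSA_KEY))
_TIME = _tlv_encode(0x17, b"130129000000Z")
_TBS = _tlv_encode(0x30,
                   _tlv_encode(0xA0, _tlv_encode(0x02, b"\x02"))   # [0] version v3
                   + _tlv_encode(0x02, b"\x01")                    # serialNumber
                   + _ALG_SIG                                      # signature
                   + _tlv_encode(0x30, b"")                        # issuer (empty)
                   + _tlv_encode(0x30, _TIME + _TIME)              # validity
                   + _tlv_encode(0x30, b"")                        # subject (empty)
                   + MOCK_SPKI_DER)                                # SPKI
MOCK_CERT_DER = _tlv_encode(0x30, _TBS + _ALG_SIG + _tlv_encode(0x03, b"\x00" * 17))
MOCK_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.encodebytes(MOCK_CERT_DER).decode()
                 + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    cert = der_from_pem(MOCK_CERT_PEM)
    rdata = tlsa_rdata(cert)
    print("_25._tcp.smtp.example.com. IN TLSA", rdata)
    print("verify:", matches_tlsa(cert, 3, 1, 1, rdata.split(" ", 3)[3]))
```

Selector 1 is the operationally convenient choice: the record keys on the public key alone, so a renewed certificate for the same key pair needs no DNS change, which is also why the post's pipeline goes through `openssl pkey -pubin -outform DER` rather than hashing the whole certificate.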