On 08/06/13 05:29, Noel Jones wrote:
> On 6/7/2013 1:40 PM, polloxx wrote:
>> Dear list,
>>
>> We need to implement TLS for one of our customers using our Postfix
>> infrastructure (serving multiple domains) for inbound mail. The
>> final delivery for that domain is an Exchange server, but we have an
>> anti-virus server in front of that Exchange:  internet ->
>> postfix-relay -> AV-filter -> Exchange.
>>
>> So we need to enable TLS at our postfix-relay. Let's say our server
>> is called server.ourdomain.tld, and the customer domain is
>> customerdomain.tld.
>> Do we need a cert for server.ourdomain.tld, or for customerdomain.tld?
>
> First read http://www.postfix.org/TLS_README.html
> http://www.postfix.org/TLS_README.html#server_vrfy_client
>
> As a general rule, MTAs do opportunistic anonymous TLS, meaning that
> TLS is automatically used if both sides support it, but the identity
> of neither the sender nor receiver is checked. This is sufficient to
> prevent casual eavesdropping or packet snooping, and works fine with
> a self-signed certificate. A purchased certificate provides no
> additional security in this situation.
>
> If you have end-users connecting directly to your postfix box,
> either to submit mail (postfix as an MSA), or to retrieve mail (via
> IMAP or POP server software on the same box), a purchased
> certificate is helpful so the end-users don't get various "untrusted
> server" errors in their desktop mail software.  For this use, a
> low-cost certificate (godaddy, rapidssl, etc.) provides the same
> level of encryption as a high-dollar certificate (verisign, etc.).
>
> If you need to verify who you're talking to (secure channel), please
> see:
> http://www.postfix.org/TLS_README.html#server_vrfy_client
> http://www.postfix.org/TLS_README.html#client_tls_secure
> This does have some limitations, described in the referenced docs.
>
>> Can we add multiple domains using TLS in the future?
>
> For opportunistic TLS, there is nothing more to do; all servers and
> clients that support TLS will automatically use TLS. For
> secure-channel TLS, there is some manual configuration for each
> domain you wish to support.
>
>> Is this possible?
>> Can you point me to some good how-to?
>
> For the general use case, just enable TLS as described in
> http://www.postfix.org/TLS_README.html#quick-start
> then set both smtp_tls_security_level and smtpd_tls_security_level
> to "may" and TLS will just start working.
>
>
>    -- Noel Jones

It's not true that there is no benefit to using an SSL certificate from a CA. Some MTAs will reject connecting to a remote host if they cannot validate its security credentials from a CA.

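A worked main.cf fragment for the topology the thread describes, added here as an example; it is not code from the thread or from the Postfix documentation. It covers both points Noel makes: the opportunistic "may" setting on the inbound smtpd and the outbound smtp client, and the per-destination policy entry that the secure-channel case needs. The certificate and key paths under /etc/postfix/ssl/, the CA bundle path, the hash-type policy map at /etc/postfix/tls_policy and the AV-filter host name avfilter.ourdomain.tld are assumptions chosen for illustration. The self-signed certificate is issued for the relay's own host name, server.ourdomain.tld, because that is the name remote clients connect to; the customer domain does not appear in the certificate.

```conf
# /etc/postfix/main.cf fragment (added example, not from the thread).
# Assumed paths and host names: /etc/postfix/ssl/*, the CA bundle,
# /etc/postfix/tls_policy and avfilter.ourdomain.tld.

# ---- inbound: internet -> postfix-relay (smtpd side) ----
# Opportunistic TLS: offered to every client, used if the client wants it,
# never required. A self-signed certificate for the relay's own host name
# is enough here because remote MTAs do not verify it. Generated with, e.g.:
#   openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
#     -subj '/CN=server.ourdomain.tld' \
#     -keyout /etc/postfix/ssl/server.ourdomain.tld.key \
#     -out    /etc/postfix/ssl/server.ourdomain.tld.crt
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ssl/server.ourdomain.tld.crt
smtpd_tls_key_file  = /etc/postfix/ssl/server.ourdomain.tld.key
# Log one summary line per TLS handshake and record TLS details in the
# Received: header so you can confirm inbound sessions were encrypted.
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# ---- outbound: postfix-relay -> AV-filter (and any other next hop) (smtp side) ----
# Default for all destinations: opportunistic, unauthenticated TLS.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# CA bundle used only where a policy entry below asks for verification.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Per-destination overrides for the secure-channel case Noel mentions.
# The map is keyed by the next-hop destination (as in transport_maps),
# not by the recipient domain. Assumed contents of /etc/postfix/tls_policy:
#
#   [avfilter.ourdomain.tld]   secure match=avfilter.ourdomain.tld
#
# "secure" means: require TLS, require a certificate that chains to
# smtp_tls_CAfile, and require the name to match; otherwise defer the mail.
# One such line is the "manual configuration per domain" for each
# destination you later want verified; all others keep using "may".
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

After editing, rebuild the map with `postmap /etc/postfix/tls_policy` and run `postfix reload`. Note the failure mode of the `secure` entry: if the AV-filter's certificate does not chain to the configured CA bundle or its name does not match, Postfix defers rather than delivers, so test that hop with `openssl s_client -starttls smtp -connect avfilter.ourdomain.tld:25` before relying on it.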