Re: Opensmtpd with multiple certificates

2017-05-15 Thread Mik J
Hello Bruno, Edgar,
Thank you for sharing
You wrote domain1.com and domain2.com but you don't use them thereafter
pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
listen on  hostname  port 25 tls
Also, could you repeat what is , a table of IP addresses ?
Could you post your complete configuration because I don't understand it right 
now
 

On Sunday, 14 May 2017 at 16:16, Bruno Pagani wrote:
 

  On 14/05/2017 at 15:45, Edgar Pettijohn wrote:
  
 
 On 05/14/17 07:20, Bruno Pagani wrote:
 
 
On 14/05/2017 at 09:59, Mik J wrote:
  
  Thank you Edgar, You wrote multiple IP addresses. Does it mean that 1 IP 
address = 1 certificate? Can't we do 1 IP address = x certificates?
   
 
 No, you can do 1 IP = x certs, thanks to SNI. I do that, my conf:
 
 pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
 pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
 pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
 pki domain2.com key "/etc/smtpd/tls/domain2.com.key"
 
 listen on  hostname  port 25 tls
 
 The hostname part is only necessary if you want to advertise a specific 
hostname when contacted without SNI. The important thing is to not specify a 
pki.
 
 Regards,
 Bruno
 I think I used two because the  table is a mapping from an ip to a 
name.  I'll have to give this a try.  
 
 It’s a table if you use the hostnameS parameter. But you’re not forced to. It 
helps if you’re facing servers without SNI. But I don’t expect any such server 
to be compliant with modern mail rules (SPF, DKIM…) anyway, or even to check the 
certificate/support non-broken crypto.
 
 Bruno 


Re: Opensmtpd with multiple certificates

2017-05-14 Thread Edgar Pettijohn



On 05/14/17 07:20, Bruno Pagani wrote:


On 14/05/2017 at 09:59, Mik J wrote:


Thank you Edgar,
You wrote multiple IP addresses. Does it mean that 1 IP address = 1 
certificate?

Can't we do 1 IP address = x certificates?


No, you can do 1 IP = x certs, thanks to SNI. I do that, my conf:

pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
pki domain2.com key "/etc/smtpd/tls/domain2.com.key"

listen on  hostname  port 25 tls

The hostname part is only necessary if you want to advertise a 
specific hostname when contacted without SNI. The important thing is 
to not specify a pki.


Regards,
Bruno
I think I used two because the  table is a mapping from an ip 
to a name.  I'll have to give this a try.


Re: Opensmtpd with multiple certificates

2017-05-14 Thread Bruno Pagani
On 14/05/2017 at 09:59, Mik J wrote:

> Thank you Edgar,
> You wrote multiple IP addresses. Does it mean that 1 IP address = 1
> certificate?
> Can't we do 1 IP address = x certificates?

No, you can do 1 IP = x certs, thanks to SNI. I do that, my conf:

pki domain1.com certificate "/etc/smtpd/tls/domain1.com.crt"
pki domain1.com key "/etc/smtpd/tls/domain1.com.key"
pki domain2.com certificate "/etc/smtpd/tls/domain2.com.crt"
pki domain2.com key "/etc/smtpd/tls/domain2.com.key"

listen on  hostname  port 25 tls

The hostname part is only necessary if you want to advertise a specific
hostname when contacted without SNI. The important thing is to not
specify a pki.

Regards,
Bruno


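The SNI behaviour Bruno describes (one `listen ... tls` line with no `pki`, the certificate chosen from the name the client sends, and the `hostname` certificate for clients that send none) fails silently when it is wrong, because a sending MTA that does not verify certificates will accept whichever one it is handed. The following probe is an added example for this thread, not code from the thread or from OpenSMTPD: it opens an SMTP session, negotiates STARTTLS with a chosen SNI name (or deliberately none, like a legacy MTA) and reports whether the certificate presented covers the expected MX name. It works the same way for Edgar's one-address-per-certificate layout, since the address and the SNI name are given separately. The listener address, the MX names and the `probe.example` EHLO name are assumptions.

```python
#!/usr/bin/env python3
"""Probe an SMTP listener over STARTTLS and report which certificate it presents
for each SNI name (and for a client that sends no SNI at all).
Added example for this thread; it is not OpenSMTPD code."""
import socket
import ssl
import sys


def reply_complete(data):
    """True once `data` holds a full SMTP reply: the final line has a space as
    its 4th byte, whereas continuation lines of a multi-line reply use '-'."""
    if not data.endswith(b"\r\n"):
        return False
    last = data[:-2].rsplit(b"\r\n", 1)[-1]
    return len(last) >= 4 and last[3:4] == b" "


def expect(sock, code):
    """Read one complete reply and check that it carries the expected code."""
    data = b""
    while not reply_complete(data):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    if data[:3] != code.encode():
        raise RuntimeError("expected %s, got %r" % (code, data))
    return data


def cert_names(cert):
    """DNS names covered by a getpeercert() dict: the SAN entries, or the
    subject CN as a fallback for old certificates without SANs."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that stands for the whole leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.split(".", 1)[1] == pattern[2:])
    return False


def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))


def starttls_peer_cert(address, sni, port=25, cafile=None, timeout=10):
    """Talk SMTP to `address`, upgrade with STARTTLS using `sni` as the SNI name
    (None sends no SNI extension, like a legacy MTA) and return the peer cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False   # names are compared by the caller, per SNI value
    # CERT_REQUIRED stays in force: getpeercert() returns {} for an unverified peer
    with socket.create_connection((address, port), timeout=timeout) as sock:
        expect(sock, "220")
        sock.sendall(b"EHLO probe.example\r\n")   # constructed client name
        expect(sock, "250")
        sock.sendall(b"STARTTLS\r\n")
        expect(sock, "220")
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
            return cert


def probe(address, expectations, port=25, cafile=None):
    """`expectations` maps an SNI name (or None) to the hostname the presented
    certificate must cover; returns {sni: (covered, names_on_cert)}."""
    results = {}
    for sni, wanted in expectations.items():
        cert = starttls_peer_cert(address, sni, port, cafile)
        results[sni] = (cert_covers(cert, wanted), cert_names(cert))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: %s <address> <mx-name> [<mx-name> ...]" % sys.argv[0])
    addr, names = sys.argv[1], sys.argv[2:]
    want = {n: n for n in names}
    want[None] = names[0]   # a no-SNI client should get the advertised hostname's cert
    for sni, (ok, got) in probe(addr, want).items():
        print("SNI=%-28s %s  cert names: %s"
              % (sni or "(none)", "OK " if ok else "BAD", ", ".join(got)))
```

Run it as `python3 probe.py 192.0.2.10 mx.domain1.com mx.domain2.com` (placeholder address) and pass `cafile=` to `probe()` when the listener uses a private CA, since the chain is still verified even though hostname checking is turned off. A BAD on the `(none)` row means clients that send no SNI are handed a certificate for another domain, which is exactly the case the `hostname` and `hostnames` options exist for.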


Re: Opensmtpd with multiple certificates

2017-05-13 Thread Edgar Pettijohn



On 05/13/17 17:55, Mik J wrote:

Hello,

I would like to know if it's possible to use multiple 
certificates/keys with opensmtpd


domain.com has MX mx.domain.com
acme.com has MX mx.acme.com

When a client (remote MTA such as gmail) connects to my server, my 
opensmtpd should send the according certificate.

Something like virtual hosts with httpd

Otherwise, what should I do when my opensmtpd server hosts multiple 
domains with multiple MX records.


Thank you


domain1 = "192.168.1.1"
domain2 = "192.168.1.2"

pki domain1.com certificate "/etc/ssl/domain1.com.crt"
pki domain1.com key "/etc/ssl/private/domain1.com.key"

pki domain2.com certificate "/etc/ssl/domain2.com.crt"
pki domain2.com key "/etc/ssl/private/domain2.com.key"

listen on $domain1 tls pki domain1.com etc, etc...
listen on $domain2 tls pki domain2.com etc, etc...

Hope this helps.


Opensmtpd with multiple certificates

2017-05-13 Thread Mik J
Hello,
I would like to know if it's possible to use multiple certificates/keys with 
opensmtpd
domain.com has MX mx.domain.com
acme.com has MX mx.acme.com
When a client (remote MTA such as gmail) connects to my server, my opensmtpd 
should send the according certificate.
Something like virtual hosts with httpd
Otherwise, what should I do when my opensmtpd server hosts multiple domains 
with multiple MX records.
Thank you