Re: postfix and multiple TLS certificates (SNI support?)

2015-12-16 Thread Michael Storz
On 2015-12-16 16:26, Alice Wonder wrote: But with port 25, certificate authorities do not matter, so an admin running the same smtp server on multiple hostnames can generate a new self-signed cert at no cost every time they add a domain that resolves to that IP address. Thus even with

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-16 Thread Alice Wonder
On 12/16/2015 09:06 AM, Michael Storz wrote: On 2015-12-16 16:26, Alice Wonder wrote: But with port 25, certificate authorities do not matter, so an admin running the same smtp server on multiple hostnames can generate a new self-signed cert at no cost every time they add a domain that

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-16 Thread Alice Wonder
On 12/16/2015 02:03 AM, Michael Storz wrote: On 2015-12-15 20:36, Viktor Dukhovni wrote: On Mon, Dec 14, 2015 at 04:34:58PM +, Viktor Dukhovni wrote: So, we've managed to hold off on offering SNI support for a decade since TLS was integrated into Postfix 2.2. I just wanted to see

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-16 Thread Michael Storz
On 2015-12-15 20:36, Viktor Dukhovni wrote: On Mon, Dec 14, 2015 at 04:34:58PM +, Viktor Dukhovni wrote: So, we've managed to hold off on offering SNI support for a decade since TLS was integrated into Postfix 2.2. I just wanted to see whether anyone still wanted it in Postfix, but

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Michael Ströder
Alice Wonder wrote: > On 12/15/2015 07:40 AM, Michael Storz wrote: >> Sorry for not writing it explicitly. In the case I described, you use >> the domain of the recipient address, because this is the only >> information you can trust (and this domain must be included in the SAN). >> Since you have

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Michael Ströder
Wietse Venema wrote: > Wietse: >> This session has multiple recipients, in different domains that >> have the same MX host. Whose SNI [domain] shall be used? > > Michael Storz: > [Examples that do not use SNI] > > Nice try, but that did not answer the question. > >> On the other side: if you do

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Viktor Dukhovni
On Mon, Dec 14, 2015 at 04:34:58PM +, Viktor Dukhovni wrote: > So, we've managed to hold off on offering SNI support for a decade > since TLS was integrated into Postfix 2.2. I just wanted to see > whether anyone still wanted it in Postfix, but perhaps if they > really did they've moved on

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Alice Wonder
On 12/15/2015 11:34 AM, Michael Ströder wrote: Yes. It's your choice. With DNSSEC I don't have a choice at all. It's a single root key controlled by the entity which was the cause for RFC 7258 (besides the horrible key management practice out in the wild). And frankly I don't trust

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Michael Ströder
Viktor Dukhovni wrote: > So, we've managed to hold off on offering SNI support for a decade > since TLS was integrated into Postfix 2.2. I just wanted to see > whether anyone still wanted it in Postfix, but perhaps if they > really did they've moved on to other solutions. SNI is a prerequisite

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Sebastian Nielsen
The certificate is normally validated against the MX name, not recipient domain. Example: emailservice1.com MX smtp1.example.org emailservice2.com MX smtp1.example.org Certificate is issued to smtp1.example.org Also even if you use SNI, imagine you send a mail to a user at emailservice1 AND

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Michael Ströder
Sebastian Nielsen wrote: > The certificate is normally validated against the MX name, not recipient > domain. Did you read the referenced I-D before replying? https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs-00#section-4.1.4.1 Ciao, Michael. > "Michael Ströder"

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Sebastian Nielsen
en ; postfix-users@postfix.org Subject: Re: postfix and multiple TLS certificates (SNI support?) [Signed] Sebastian Nielsen wrote: The certificate is normally validated against the MX name, not recipient domain. Did you read the referenced I-D before replying? https://tools.ietf.org/html/draft-friedl-

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Michael Ströder
esday, December 15, 2015 10:51 AM > To: Sebastian Nielsen ; postfix-users@postfix.org > Subject: Re: postfix and multiple TLS certificates (SNI support?) [Signed] > > Sebastian Nielsen wrote: >> The certificate is normally validated against the MX name, not recipient >> dom

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Wietse Venema
Michael Ströder: > Sebastian Nielsen wrote: > > Yes. > > It's just a draft. > > Everything starts with a draft. > > > Which certificate should the server use for the encrypted transaction, even > > if > > we use SNI? > > emailservice1.com or emailservice2.com? > > The recipient domain would be

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Wietse Venema
Viktor Dukhovni: > On Mon, Dec 14, 2015 at 04:34:58PM +, Viktor Dukhovni wrote: > > > So, we've managed to hold off on offering SNI support for a decade > > since TLS was integrated into Postfix 2.2. I just wanted to see > > whether anyone still wanted it in Postfix, but perhaps if they > >

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Alice Wonder
On 12/15/2015 07:40 AM, Michael Storz wrote: Sorry for not writing it explicitly. In the case I described, you use the domain of the recipient address, because this is the only information you can trust (and this domain must be included in the SAN). Since you have more than one recipient

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Wietse Venema
Wietse: > This session has multiple recipients, in different domains that > have the same MX host. Whose SNI [domain] shall be used? Michael Storz: [Examples that do not use SNI] Nice try, but that did not answer the question. > On the other side: if you do not want to use SNI I have no

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Michael Storz
On 2015-12-15 12:22, wie...@porcupine.org wrote: Michael Ströder: Sebastian Nielsen wrote: > Yes. > It's just a draft. Everything starts with a draft. > Which certificate should the server use for the encrypted transaction, even if > we use SNI? > emailservice1.com or emailservice2.com? The

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Michael Storz
On 2015-12-11 20:33, Viktor Dukhovni wrote: On Fri, Dec 11, 2015 at 11:50:40AM -0600, Brian Sebby wrote: other.mail.server:smtp inetn - n - 0 smtpd -o myhostname=other.mail.server -o smtp_tls_cert_file=/path/to/certfile.pem -o

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Viktor Dukhovni
On Tue, Dec 15, 2015 at 10:12:56AM +0100, Michael Ströder wrote: > SNI is a prerequisite for implementing something like [1] if a host is MX for > more than one recipient domain. > > [1] https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs I'll likely end up a coauthor on that draft one

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-15 Thread Michael Storz
On 2015-12-15 15:48, wie...@porcupine.org wrote: Wietse: This session has multiple recipients, in different domains that have the same MX host. Whose SNI [domain] shall be used? Michael Storz: [Examples that do not use SNI] Nice try, but that did not answer the question. On the other

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-14 Thread Viktor Dukhovni
On Mon, Dec 14, 2015 at 06:37:59AM -0500, Wietse Venema wrote: > > Thanks for the moral support. I agree that SNI is not particularly > > compelling for port 25. The strongest arguments for SNI that > > I've seen are for port 587 submission, where there's no MX indirection, > > users' MUAs have

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-14 Thread Wietse Venema
Viktor Dukhovni: > So, we've managed to hold off on offering SNI support for a decade > since TLS was integrated into Postfix 2.2. I just wanted to see > whether anyone still wanted it in Postfix, but perhaps if they > really did they've moved on to other solutions. Would haproxy/nginx be an

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-14 Thread Quanah Gibson-Mount
--On Monday, December 14, 2015 12:07 PM -0500 Wietse Venema wrote: Viktor Dukhovni: So, we've managed to hold off on offering SNI support for a decade since TLS was integrated into Postfix 2.2. I just wanted to see whether anyone still wanted it in Postfix, but perhaps

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-14 Thread Viktor Dukhovni
On Mon, Dec 14, 2015 at 09:36:33AM -0800, Quanah Gibson-Mount wrote: > Given nginx's complete disregard for RFCs (*) and unwillingness to examine > or fix issues related to the email proxy portion of their product (IMAP, > POP, SMTP), I'd definitely avoid it. I.e., I would not recommend nginx

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-14 Thread Dirk Stöcker
On Sun, 13 Dec 2015, Alice Wonder wrote: A big negative to Thunderbird autoconfig - it looks for http before https resulting in MITM vulnerability. They say it is because hosting companies like godaddy don't want to have a TLS cert for every e-mail domain. I agree with both :-) They

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-14 Thread Wietse Venema
Wietse Venema: > Quanah Gibson-Mount: > > --On Monday, December 14, 2015 12:07 PM -0500 Wietse Venema > > wrote: > > > > > Viktor Dukhovni: > > >> So, we've managed to hold off on offering SNI support for a decade > > >> since TLS was integrated into Postfix 2.2. I just

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-14 Thread Wietse Venema
Quanah Gibson-Mount: > --On Monday, December 14, 2015 12:07 PM -0500 Wietse Venema > wrote: > > > Viktor Dukhovni: > >> So, we've managed to hold off on offering SNI support for a decade > >> since TLS was integrated into Postfix 2.2. I just wanted to see > >> whether

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-14 Thread Quanah Gibson-Mount
--On Monday, December 14, 2015 6:03 PM + Viktor Dukhovni wrote: On Mon, Dec 14, 2015 at 09:36:33AM -0800, Quanah Gibson-Mount wrote: Given nginx's complete disregard for RFCs (*) and unwillingness to examine or fix issues related to the email proxy portion

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-13 Thread Dirk Stöcker
On Sat, 12 Dec 2015, Viktor Dukhovni wrote: And SMTP has the big advantage, that you can define the name of the host in MX, so the name of the mail server can be independent from the domain of the email address. Simply wait a bit longer and maybe that issue solves itself :-) Thanks for the

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-13 Thread Alice Wonder
On 12/13/2015 11:55 AM, Dirk Stöcker wrote: On Sat, 12 Dec 2015, Viktor Dukhovni wrote: And SMTP has the big advantage, that you can define the name of the host in MX, so the name of the mail server can be independent from the domain of the email address. Simply wait a bit longer and maybe

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-12 Thread Dirk Stöcker
On Fri, 11 Dec 2015, Viktor Dukhovni wrote: Over the years there have from time to time been requests for server-side SNI support in Postfix, but most users have found workable alternatives, such as above. A key reason that SNI support is not there yet, is that we like to do things right(TM)

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-12 Thread Luigi Rosa
Dirk Stöcker wrote on 12/12/2015 13:26: And SMTP has the big advantage, that you can define the name of the host in MX, so the name of the mail server can be independent from the domain of the email address. I use this method. Just one cert to manage/renew and no exotic configuration. KISS

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-12 Thread Viktor Dukhovni
On Sat, Dec 12, 2015 at 06:42:03AM -0800, Alice Wonder wrote: > I do not want SNI to die but IMHO SNI is not for mail servers. On Sat, Dec 12, 2015 at 01:26:06PM +0100, Dirk Stöcker wrote: > And SMTP has the big advantage, that you can define the name of the host in > MX, so the name of the

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-12 Thread Alice Wonder
On 12/12/2015 04:26 AM, Dirk Stöcker wrote: On Fri, 11 Dec 2015, Viktor Dukhovni wrote: Over the years there have from time to time been requests for server-side SNI support in Postfix, but most users have found workable alternatives, such as above. A key reason that SNI support is not

Re: postfix and multiple TLS certificates (SNI support?)

2015-12-11 Thread Viktor Dukhovni
On Fri, Dec 11, 2015 at 11:50:40AM -0600, Brian Sebby wrote: > other.mail.server:smtpinetn - n - 0 > smtpd > -o myhostname=other.mail.server > -o smtp_tls_cert_file=/path/to/certfile.pem > -o smtpd_tls_cert_file=/path/to/certfile.pem >