One certificate per port


One certificate per port

G. Schlisio
Hi all,

I wonder if it is possible to have one cert per port Postfix is serving
on, e.g. one for 25 and one for 587.

Background of this:
for user interaction (mainly on port 587) I would like to use my signed
letsencrypt cert which changes fairly often.
For interaction of servers I would like to use DANE, and so a long-lived
self-signed certificate would be beneficial to not break during
automated renewal and avoid frequent rollovers.

I hope my assumptions are correct.
Feedback much appreciated.

Thank you in advance
Georg

Re: One certificate per port

Viktor Dukhovni

> On Apr 6, 2017, at 5:02 PM, G. Schlisio <[hidden email]> wrote:
>
> I wonder if it is possible to have one cert per port Postfix is serving
> on, e.g. one for 25 and one for 587.

Yes.

   master.cf:
     submission inet ... smtpd
       -o smtpd_tls_cert_file=$mua_tls_cert_file
       -o smtpd_tls_key_file=$mua_tls_key_file

   main.cf:
        # Inbound MX certificate and key in a single file
        smtpd_tls_cert_file = ...

        # Submission certificate and key in a single file
        mua_tls_cert_file = ...
        mua_tls_key_file = $mua_tls_cert_file

>
> Background of this:
> for user interaction (mainly on port 587) I would like to use my signed
> letsencrypt cert which changes fairly often.
> For interaction of servers I would like to use DANE, and so a long-lived
> self-signed certificate would be beneficial to not break during
> automated renewal and avoid frequent rollovers.

It is also possible to avoid DANE TLSA changes while rolling over
Let's Encrypt keys:

   http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
   https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
   https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
   https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

--
        Viktor.


Re: One certificate per port

G. Schlisio
>
>> On Apr 6, 2017, at 5:02 PM, G. Schlisio <[hidden email]> wrote:
>>
>> I wonder if it is possible to have one cert per port Postfix is serving
>> on, e.g. one for 25 and one for 587.
>
> Yes.
>
>    master.cf:
>      submission inet ... smtpd
>        -o smtpd_tls_cert_file=$mua_tls_cert_file
>        -o smtpd_tls_key_file=$mua_tls_key_file
>
>    main.cf:
>         # Inbound MX certificate and key in a single file
>         smtpd_tls_cert_file = ...
>
>         # Submission certificate and key in a single file
>         mua_tls_cert_file = ...
>         mua_tls_key_file = $mua_tls_cert_file
>
>>
>> Background of this:
>> for user interaction (mainly on port 587) I would like to use my signed
>> letsencrypt cert which changes fairly often.
>> For interaction of servers I would like to use DANE, and so a long-lived
>> self-signed certificate would be beneficial to not break during
>> automated renewal and avoid frequent rollovers.
>
> It is also possible to avoid DANE TLSA changes while rolling over
> Let's Encrypt keys:
>
>    http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
>    https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
>    https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
>    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
>

Thank you for your hints and sorry for the late followup. Busy and stuff.
Thank you for your suggestions, I was aware of the csr-option but wanted
to avoid this, since it does not automate well with certbot.

I came up with another idea, which is pinning the intermediate
certificate with a 2 1 1 TLSA entry.
Even though this is not totally correct (2 means private CA, which is
not true in this case) it seemed to work.
Do you see any issues with doing this?
Thanks in advance.
Georg

Re: One certificate per port

Viktor Dukhovni

> On Apr 25, 2017, at 4:59 PM, G. Schlisio <[hidden email]> wrote:
>
>> It is also possible to avoid DANE TLSA changes while rolling over
>> Let's Encrypt keys:
>>
>>   http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
>>   https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
>>   https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
>>   https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
>>
>
> Thank you for your hints and sorry for the late followup. Busy and stuff.
> Thank you for your suggestions, I was aware of the csr-option but wanted
> to avoid this, since it does not automate well with certbot.

Since "--csr" is a certbot option I am surprised to hear you say that
"it does not automate well".  My expectation is that this is fairly
easy to automate.  Just generate the CSR from a fixed private key,
and use it instead of having certbot generate a new key and the
corresponding CSR.  Perhaps you need help running "openssl req"
in non-interactive batch scripts?

> I came up with another idea, which is pinning the intermediate
> certificate with a 2 1 1 TLSA entry.

That's exactly what I recommend to LE users.

> Even though this is not totally correct (2 means private CA, which is
> not true in this case) it seemed to work.

Actually it is completely correct.  Usage DANE-TA(2) just lifts the
requirement of pre-existing client trust of the designated CA.  It
is completely valid for the CA in question to also be a public CA
trusted by some clients.

> Do you see any issues with doing this?

None, provided you trust Let's Encrypt to be your CA and to not
issue certificates for your domain to the wrong party.

--
        Viktor.
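The two pieces of the reply above fit together in a few lines of shell: generate a fixed private key once, build the CSR from it non-interactively with "openssl req" so certbot's "--csr" reuses the key on every renewal, and derive the SHA-256 SubjectPublicKeyInfo digest that a "3 1 1" (own key) or "2 1 1" (Let's Encrypt intermediate, DANE-TA) TLSA record carries. This is an added example, not code from the thread, from Postfix or from certbot; it assumes OpenSSL 1.1.1 or later on PATH, and the hostname mx.example.com and every file path are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): one fixed key across Let's Encrypt
# renewals, plus the TLSA digests Postfix DANE clients will match against.
# Assumed: OpenSSL 1.1.1+ on PATH; mx.example.com and all paths are placeholders.
set -eu

# Generate the long-lived key once; certbot --csr then reuses it on every run.
# P-256 keeps the example fast; RSA 2048 works the same way.
make_fixed_key() {
    # $1 = output path for the private key (PEM)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Non-interactive CSR from the fixed key ("openssl req" in batch mode).
# Let's Encrypt validates the subjectAltName, so it is set alongside the CN.
make_csr() {
    # $1 = key path, $2 = hostname, $3 = CSR output path
    openssl req -new -batch -key "$1" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$3"
}

# SHA-256 over the DER SubjectPublicKeyInfo: selector 1, matching type 1.
# The sed strips the "(stdin)= " / "SHA2-256(stdin)= " prefix openssl dgst prints.
spki_sha256_from_key() {
    # $1 = private key (PEM); the public half is what gets hashed
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

spki_sha256_from_cert() {
    # $1 = certificate (PEM); extracts its public key and hashes the DER SPKI
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# "3 1 1" pins the server's own key. It stays stable across renewals only
# because the key is fixed, which is what make_fixed_key + make_csr provide.
tlsa_3_1_1() {
    # $1 = hostname, $2 = the fixed private key (PEM)
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(spki_sha256_from_key "$2")"
}

# "2 1 1" pins the issuing intermediate's key instead (DANE-TA). It survives
# certbot rolling the end-entity key, as long as the same intermediate signs.
tlsa_2_1_1() {
    # $1 = hostname, $2 = intermediate CA certificate (PEM)
    printf '_25._tcp.%s. IN TLSA 2 1 1 %s\n' "$1" "$(spki_sha256_from_cert "$2")"
}

# Typical use (hypothetical paths, not executed here):
#   make_fixed_key /etc/postfix/mx.key                       # once, never rotated by certbot
#   make_csr /etc/postfix/mx.key mx.example.com /etc/postfix/mx.csr
#   certbot certonly --csr /etc/postfix/mx.csr --fullchain-path /etc/postfix/mx-chain.pem ...
#   tlsa_2_1_1 mx.example.com /etc/postfix/le-intermediate.pem   # publish in DNS
```

With a "2 1 1" record the intermediate certificate must be part of the chain Postfix serves (the Let's Encrypt fullchain file already contains it), because the client only holds a hash of the intermediate's key and has to see the certificate itself to complete the DANE-TA match. Either record form can be verified against the live server with posttls-finger before the old record is retired.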


Re: One certificate per port

G. Schlisio
>> Thank you for your hints and sorry for the late followup. Busy and stuff.
>> Thank you for your suggestions, I was aware of the csr-option but wanted
>> to avoid this, since it does not automate well with certbot.
>
> Since "--csr" is a certbot option I am surprised to hear you say that
> "it does not automate well".  My expectation is that this is fairly
> easy to automate.  Just generate the CSR from a fixed private key,
> and use it instead of having certbot generate a new key and the
> corresponding CSR.  Perhaps you need help running "openssl req"
> in non-interactive batch scripts?

Yes, you are right, it should work. Maybe some tweaks are needed to not use
the same CSR for all domains (just needed for the email handling
domain), but I like the other option better.

>> I came up with another idea, which is pinning the intermediate
>> certificate with a 2 1 1 TLSA entry.
>
> That's exactly what I recommend to LE users.
>
>> Even though this is not totally correct (2 means private CA, which is
>> not true in this case) it seemed to work.
>
> Actually it is completely correct.  Usage DANE-TA(2) just lifts the
> requirement of pre-existing client trust of the designated CA.  It
> is completely valid for the CA in question to also be a public CA
> trusted by some clients.
>
>> Do you see any issues with doing this?
>
> None, provided you trust Let's Encrypt to be your CA and to not
> issue certificates for your domain to the wrong party.
>

Thanks for your fast reply, this list makes Postfix even more valuable
than it already is.

Best,
Georg