Postfix and Multiple IP's and Certificates


Postfix and Multiple IP's and Certificates

KitchM
CONTENTS DELETED
The author has deleted this message.

Re: Postfix and Multiple IP's and Certificates

Viktor Dukhovni
On Mon, Aug 04, 2014 at 11:00:18AM -0400, Tech Support Department wrote:

> Can Postfix handle multiple IP addresses with individual certificates
> without having to start multiple instances of Postfix?

In master(5).cf each smtpd(8) service (bound to a particular IP
address) can be configured with various per-service parameter
overrides.  For example:

master.cf:
    192.0.2.1  inet  n       -       n       -       -       smtpd
      -o smtpd_tls_cert_file=${cert_192_0_2_1}
    192.0.2.2  inet  n       -       n       -       -       smtpd
      -o smtpd_tls_cert_file=${cert_192_0_2_2}

main.cf:
    cert_192_0_2_1 = ${config_directory}/192.0.2.1.pem
    cert_192_0_2_2 = ${config_directory}/192.0.2.2.pem

--
        Viktor.

Re: Postfix and Multiple IP's and Certificates

KitchM
CONTENTS DELETED
The author has deleted this message.

Re: Postfix and Multiple IP's and Certificates

Viktor Dukhovni
On Mon, Aug 04, 2014 at 04:35:48PM -0400, Tech Support Department wrote:

> I was told that "The servers hostname and domain name will appear in all the
> incoming and outgoing email headers." Why wouldn't this separation of IP
> addresses and certificates fix that, and is there any way to solve that part
> of my privacy problem?

If you also override "myhostname" in the per-service master(5).cf
entries, the inbound "220 " banner and EHLO name will also reflect
the server "personality".  However, this is generally a waste of
time, nobody cares what the server's banner or EHLO name says.

And there is still only one queue-manager per Postfix instance and
one pool of delivery agents per transport.  Thus outbound mail will
still leak the system's real identity.


> >master.cf:
> >     192.0.2.1  inet  n       -       n       -       -       smtpd
> >       -o smtpd_tls_cert_file=${cert_192_0_2_1}
> >     192.0.2.2  inet  n       -       n       -       -       smtpd
> >       -o smtpd_tls_cert_file=${cert_192_0_2_2}
> >
> >main.cf:
> >     cert_192_0_2_1 = ${config_directory}/192.0.2.1.pem
> >     cert_192_0_2_2 = ${config_directory}/192.0.2.2.pem

--
        Viktor.
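
An added example, not part of the posts above and not Postfix code: a small Python audit of the per-service overrides discussed in this thread. It reads master.cf and main.cf text and reports, for each IP-bound smtpd listener, the certificate file it resolves to and any myhostname override, so a listener that falls back to the default certificate stands out. The file contents, `default.pem`, `mx1.example.net` and the `:smtp` service suffix are constructed assumptions; only plain `-o name=value` overrides and `${name}` references are handled.

```python
import re

# Constructed sample input mirroring the thread's layout (not a real server's files).
MAIN_CF = """\
config_directory = /etc/postfix
smtpd_tls_cert_file = ${config_directory}/default.pem
cert_192_0_2_1 = ${config_directory}/192.0.2.1.pem
cert_192_0_2_2 = ${config_directory}/192.0.2.2.pem
"""
MASTER_CF = """\
192.0.2.1:smtp  inet  n  -  n  -  -  smtpd
  -o smtpd_tls_cert_file=${cert_192_0_2_1}
  -o myhostname=mx1.example.net
192.0.2.2:smtp  inet  n  -  n  -  -  smtpd
  -o smtpd_tls_cert_file=${cert_192_0_2_2}
192.0.2.3:smtp  inet  n  -  n  -  -  smtpd
"""

def parse_main(text):
    """Return name -> raw value for 'name = value' lines of main.cf."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def expand(value, params, depth=0):
    """Expand ${name} references recursively (simple ${name} form only)."""
    if depth > 10:
        raise ValueError("macro recursion too deep")
    return re.sub(r"\$\{(\w+)\}", lambda m: expand(
        params.get(m.group(1), ""), params, depth + 1), value)

def audit(master_text, main_text):
    """Return (listener, cert, myhostname override, has own cert) per smtpd service."""
    params = parse_main(main_text)
    report = []
    # A master.cf line starting with whitespace continues the previous entry.
    for entry in re.sub(r"\n[ \t]+", " ", master_text).splitlines():
        fields = entry.split()
        if len(fields) < 8 or fields[0].startswith("#") or fields[7] != "smtpd":
            continue
        overrides = dict(o.split("=", 1) for o in re.findall(r"-o\s+(\S+=\S+)", entry))
        scoped = {**params, **overrides}   # -o overrides win over main.cf
        report.append((fields[0], expand(scoped.get("smtpd_tls_cert_file", ""), scoped),
                       overrides.get("myhostname"), "smtpd_tls_cert_file" in overrides))
    return report

if __name__ == "__main__":
    for listener, cert, host, own in audit(MASTER_CF, MAIN_CF):
        print(listener, cert, host or "(main.cf myhostname)", "" if own else "<- default cert")
```

In the constructed input the third listener has no override, so it is reported with the main.cf default certificate.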

Re: Postfix and Multiple IP's and Certificates

Stephen Satchell
On 08/04/2014 01:58 PM, Viktor Dukhovni wrote:
> However, this is generally a waste of
> time, nobody cares what the server's banner or EHLO name says.

I care that EHLO contains something reasonable, or I will reject the
connection.  But that's me.

(signed)
Bastard Mail Admin from Hell

Re: Postfix and Multiple IP's and Certificates

Viktor Dukhovni
On Mon, Aug 04, 2014 at 02:30:50PM -0700, list wrote:
> On 08/04/2014 01:58 PM, Viktor Dukhovni wrote:
> > However, this is generally a waste of
> > time, nobody cares what the server's banner or EHLO name says.
>
> I care that EHLO contains something reasonable, or I will reject the
> connection.  But that's me.

Wrong direction, I'm talking about the SMTP server banner and EHLO
*response*, you're talking about an SMTP client's EHLO command.

--
        Viktor.

Re: Postfix and Multiple IP's and Certificates

lists@rhsoft.net


On 04.08.2014 at 23:44, Viktor Dukhovni wrote:

> On Mon, Aug 04, 2014 at 02:30:50PM -0700, list wrote:
>> On 08/04/2014 01:58 PM, Viktor Dukhovni wrote:
>>> However, this is generally a waste of
>>> time, nobody cares what the server's banner or EHLO name says.
>>
>> I care that EHLO contains something reasonable, or I will reject the
>> connection.  But that's me.
>
> Wrong direction, I'm talking about the SMTP server banner and EHLO
> *response*, you're talking about an SMTP client's EHLO command

yes, but he says "nobody cares what the server's banner or EHLO name says"
is not true until he is not everybody and I agree with that