Question - TLS Implement with many under domains


Question - TLS Implement with many under domains

Maurizio Caloro-2

Hello

Please, I need a little help understanding how to set up TLS certification. I plan to implement
this on my farm, but I'm not 100% sure about the concept. For example, here I run
with a simple DNS entry "[hidden email]" that will be the postmaster for many
companies, but in the background I have many different little domains.

Let me explain briefly.

                ---> mail.server.ch - that's in front with a public IP address
                  └--->> 200 people

And inside the network run many other little domains:

                               ----> Tom @ Domain1.ch
                                 └--->> 20 people
                               ----> Joe @ Domain2.ch
                                 └--->> 40 people
                               ----> Mon @ Domain3.ch
                                 └--->> 60 people

If I now send an email to tom @ Domain1.ch, this will always transfer over "mail.server.ch" to reach
[hidden email]; the same way applies if Tom sends an email to a public Internet email address.

Now to my question: to implement TLS, is it enough if "mail.server.ch" has a valid TLS certificate?
So that all the email from the different domains 1, 2, 3 is signed and trusted!?

Thanks and Regards

Mauri


Re: Question - TLS Implement with many under domains

Bernardo Reino
On Thu, 29 Oct 2020, Maurizio Caloro wrote:

> Please, I need a little help understanding how to set up TLS certification. I
> plan to implement this on my farm, but I'm not 100% sure about the concept.
> For example, here I run with a simple DNS entry "[hidden email]" that will be
> the postmaster for many companies, but in the background I have many
> different little domains.
>
> [...]

If I understand you correctly you have a number of virtual domains being handled
by one single postfix instance, at your mail.server.ch, i.e. mail.server.ch is
the MX for your "little" domains.

In that case, you only need to have an SSL certificate for mail.server.ch, as
this is the server other servers will talk to when sending mail.

Note that this applies to the transport encryption, i.e. MX<->MX.

If that's not what you mean, then you'll have to explain it differently, or
other people will understand it better :)

Cheers.


Re: Question - TLS Implement with many under domains

Viktor Dukhovni
On Thu, Oct 29, 2020 at 05:50:53PM +0100, Bernardo Reino wrote:

> If I understand you correctly you have a number of virtual domains being handled
> by one single postfix instance, at your mail.server.ch, i.e. mail.server.ch is
> the MX for your "little" domains.
>
> In that case, you only need to have an SSL certificate for mail.server.ch, as
> this is the server other servers will talk to when sending mail.

Correct.

- The content of TLS certificates in SMTP is by default simply ignored,
  MX-to-MX STARTTLS is unauthenticated, protecting only against passive
  monitoring, not active MiTM attacks.  Therefore, it mostly makes no
  difference what names you have in your certificate, it is just a key
  container.

- A small number of senders fail to implement unauthenticated opportunistic
  TLS correctly, and do insist on a matching name, falling back to
  cleartext (this is idiotic, cleartext is NOT safer than an unvalidated
  certificate) when the certificate fails to validate.  These tend to
  expect to find the MX hostname in the certificate.

- If you have business partners with which you've made mutual
  arrangements to implement mandatory TLS between their domains and
  yours, the certificate should have in it whatever you've agreed
  with the business partners as what they can expect to find and
  validate.  Here, Postfix, for example, when acting as the sending MTA,
  can support matching either the MX hostname or the nexthop domain
  (domain part of recipient addres) or just some explict
  destination-specific name.

- With DANE TLS, and DANE-TA(2) TLSA records, the certificate must
  match the "TLSA base domain", which is almost always just the MX
  hostname.  The only exception is when that hostname is a CNAME that
  ultimately resolves (DNSSEC-validated at every step) to a non-CNAME
  target name, with TLSA records published at _25._tcp.<target_name>.
  In that case the "TLSA base domain" is the target name of the CNAME
  alias chain.

- With MTA-STS, (if you've provisioned that) the certificate must match
  the MX hostname.

So in most cases the certificate should have the MX hostname as one
of its DNS names, but there are other, less common, possibilities.

--
    Viktor.
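The cases Viktor lists above boil down to "which name, if any, does the sending side look for in the receiving MX's certificate". The following Python is an added example written for this page, not code from the thread, from Postfix or from any RFC: it models those expectations (no check for ordinary opportunistic STARTTLS; the MX hostname for MTA-STS and hostname matching; the nexthop domain or an explicitly agreed name for partner arrangements; and a simplified TLSA base-domain rule for DANE-TA) and tests them against a constructed certificate SAN list. All hostnames, the CNAME table and the set of names with TLSA records are made up stand-ins for real DNS lookups.

```python
from __future__ import annotations

# Added, constructed example: models which certificate name a sending MTA
# expects under the policies discussed in the thread.  Every hostname,
# CNAME entry and TLSA location below is made up.


def _name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive DNS name match allowing one leftmost wildcard label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = name.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == name


def cert_has_name(sans: list[str], name: str) -> bool:
    """True if any subjectAltName dNSName entry covers 'name'."""
    return any(_name_matches(p, name) for p in sans)


def tlsa_base_domain(mx_host: str, cnames: dict, tlsa_at: set) -> str:
    """Simplified TLSA base-domain rule as described in the thread: the MX
    hostname, unless it is a CNAME chain that is DNSSEC-secure at every step
    and ends at a non-CNAME target that publishes _25._tcp TLSA records.
    'cnames' maps name -> (target, dnssec_secure); 'tlsa_at' holds the names
    that have TLSA records (constructed stand-in for DNS)."""
    mx_host = mx_host.lower().rstrip(".")
    name, seen = mx_host, {mx_host}
    while name in cnames:
        target, secure = cnames[name]
        target = target.lower().rstrip(".")
        if not secure or target in seen:   # insecure step or loop: keep MX name
            return mx_host
        seen.add(target)
        name = target
    return name if (name != mx_host and name in tlsa_at) else mx_host


def required_names(policy: str, mx_host: str, nexthop: str = "",
                   explicit: str = "", cnames: dict | None = None,
                   tlsa_at: set = frozenset()) -> set:
    """Names (any one suffices) the sender looks for under 'policy'.
    An empty set means the certificate content is not checked at all."""
    cnames = cnames or {}
    if policy == "opportunistic":        # default MX-to-MX STARTTLS
        return set()
    if policy in ("mx-hostname", "mta-sts"):
        return {mx_host}
    if policy == "nexthop":              # domain part of the recipient address
        return {nexthop}
    if policy == "explicit":             # destination-specific agreed name
        return {explicit}
    if policy == "dane-ta":
        return {tlsa_base_domain(mx_host, cnames, tlsa_at)}
    raise ValueError(f"unknown policy {policy!r}")


def sender_accepts(policy: str, sans: list[str], **kw) -> bool:
    """Would a sender applying 'policy' accept a certificate with these SANs?"""
    names = required_names(policy, **kw)
    return not names or any(cert_has_name(sans, n) for n in names)


# Constructed scenario from the thread: one MX in front of several recipient
# domains, certificate issued for the MX hostname only.
SANS = ["mail.server.ch"]
MX = "mail.server.ch"

if __name__ == "__main__":
    cases = [("opportunistic", {}), ("mx-hostname", {}), ("mta-sts", {}),
             ("nexthop", {"nexthop": "domain1.ch"}),
             ("explicit", {"explicit": "mail.server.ch"})]
    for pol, kw in cases:
        print(f"{pol:13} -> {sender_accepts(pol, SANS, mx_host=MX, **kw)}")
```

Running it shows the practical outcome of the thread: a certificate that carries only the MX hostname satisfies every common case, and fails only a partner that insists on the recipient domain (here domain1.ch) appearing in the certificate, which is exactly the arrangement Viktor says must be agreed explicitly.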