STARTTLS SNI Support?

STARTTLS SNI Support?

Ralf Hildebrandt
(Not my question, but since Victor doesn't do offlist mails...)

I am interested in learning how multiple X.509 certificates/hostnames are
supported by Postfix.

Patrick suggested you can use SubjectAlternativeName to have multiple
hostnames, which is ok if you self-generate certificates.

I wonder if there is a way to integrate SNI with STARTTLS. It might be a
problem because the localpart @domain.tld is only known after the rcpt-to
line is given. SNI should allow multiple certificate files.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de                              I'm looking for a job
You know what to do: Go back to IRC. Do not followup to this post and
do not collect any Usenet credits.
Re: STARTTLS SNI Support?

Wietse Venema
Ralf Hildebrandt:
> (Not my question, but since Victor doesn't do offlist mails...)

Victor is not on the list in August.

> I am interested in learning how multiple X.509 certificates/hostnames are
> supported by Postfix.

The Postfix SMTP client supports one server certificate per
connection:

      Another area where RFCs aren't always explicit is the handling
      of dNSNames in peer certificates. RFC 3207 (SMTP over TLS)
      does not mention dNSNames. Postfix follows the strict rules
      in RFC 2818 (HTTP over TLS), section 3.1: The Subject
      Alternative Name/dNSName has precedence over CommonName.  If
      at least one dNSName is provided, Postfix verifies those
      against the peer hostname and ignores the CommonName, otherwise
      Postfix verifies the CommonName against the peer hostname.

> Patrick suggested you can use SubjectAlternativeName to have multiple
> hostnames, which is ok if you self-generate certificates.
>
> I wonder if there is a way to integrate SNI with STARTTLS. It might be a
> problem because the localpart @domain.tld is only known after the rcpt-to
> line is given. SNI should allow multiple certificate files.

As far as I know, the Postfix SMTP server does not care about names
in client certificates.

        Wietse
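The matching rule Wietse quotes from the Postfix documentation (subjectAltName dNSNames take precedence and, when at least one is present, the CommonName is ignored) written out as a small stand-alone check. This is an added example; it is not Postfix code and does not come from either post. Certificate contents are passed in as already-parsed name lists, and the sample certificates below are constructed for the example. Wildcard handling follows RFC 2818 section 3.1 ("*.a.com" matches "foo.a.com" but not "bar.foo.a.com"); refusing a bare "*.tld" pattern is this example's own tightening, not something the quoted text specifies.

```python
"""Peer hostname verification in the style Postfix describes (RFC 2818,
section 3.1).  Added example, not Postfix source."""

from typing import Iterable, Optional, Tuple


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return name.strip().rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (dNSName or CommonName) against a hostname.

    Wildcards follow RFC 2818 section 3.1: '*' may only be the entire
    leftmost label, so '*.example.com' matches 'mail.example.com' but not
    'a.b.example.com' or 'example.com'.  Refusing '*.tld' (fewer than
    three labels) is this example's own tightening.
    """
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False          # wildcard not alone in the leftmost label
    if len(plabels) < 3:
        return False          # '*.com' style pattern: too broad
    # One host label for the '*' and an identical suffix.
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def verify_peer_name(hostname: str,
                     dns_names: Iterable[str],
                     common_name: Optional[str]) -> Tuple[bool, str]:
    """Apply the precedence rule: dNSNames if any, otherwise CommonName.

    Returns (accepted, reason).  When at least one dNSName is present the
    CommonName is ignored even if it would have matched.
    """
    dns_names = list(dns_names)
    if dns_names:
        for name in dns_names:
            if name_matches(name, hostname):
                return True, "matched dNSName %r" % name
        return False, ("no dNSName matched; CommonName ignored because "
                       "dNSNames are present")
    if common_name and name_matches(common_name, hostname):
        return True, ("matched CommonName %r (no dNSNames in certificate)"
                      % common_name)
    return False, "no dNSNames and CommonName does not match"


# Constructed sample certificates: (dNSNames, CommonName), not real certs.
SAMPLE_CERTS = {
    "san-two-hosts":      (["mail.example.com", "smtp.example.com"], "mail.example.com"),
    "san-mismatch-cn-ok": (["other.example.net"], "mail.example.com"),
    "cn-only":            ([], "mail.example.com"),
    "san-wildcard":       (["*.example.com"], "unrelated"),
}


def check_all(hostname: str) -> dict:
    """Run every sample certificate against one peer hostname."""
    return {label: verify_peer_name(hostname, sans, cn)[0]
            for label, (sans, cn) in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for label, (sans, cn) in SAMPLE_CERTS.items():
        ok, why = verify_peer_name("mail.example.com", sans, cn)
        print("%-20s %s  (%s)" % (label, "accept" if ok else "REJECT", why))
```

The "san-mismatch-cn-ok" sample is the case the strict rule exists for: its CommonName says mail.example.com, but the only dNSName is other.example.net, so the certificate is rejected for mail.example.com rather than accepted on the strength of the CN. A checker that fell back to the CommonName whenever the dNSNames failed would accept it.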