Using TLS for certain domains


Using TLS for certain domains

polloxx
Dear list,

We need to implement TLS for one of our customers using our Postfix infrastructure (serving multiple domains) for inbound mail. The final delivery for that domain is an Exchange server, but we have an anti-virus server in front of that Exchange:  internet -> postfix-relay -> AV-filter -> Exchange.

So we need to enable TLS at our postfix-relay. Let's say our server is called server.ourdomain.tld, and the customer domain is customerdomain.tld.
Do we need a cert for server.ourdomain.tld, or for customerdomain.tld?
Can we add multiple domains using TLS in the future?

Is this possible?
Can you point me to some good how-to? 

Thx,
P.

Re: Using TLS for certain domains

Noel Jones-2
On 6/7/2013 1:40 PM, polloxx wrote:

> Dear list,
>
> We need to implement TLS for one of our customers using our Postfix
> infrastructure (serving multiple domains) for inbound mail. The
> final delivery for that domain is an Exchange server, but we have an
> anti-virus server in front of that Exchange:  internet ->
> postfix-relay -> AV-filter -> Exchange.
>
> So we need to enable TLS at our postfix-relay. Let's say our server
> is called server.ourdomain.tld, and the customer domain is
> customerdomain.tld.
> Do we need a cert for server.ourdomain.tld, or for customerdomain.tld?

First read http://www.postfix.org/TLS_README.html
http://www.postfix.org/TLS_README.html#server_vrfy_client

As a general rule, MTAs do opportunistic anonymous TLS, meaning that
TLS is automatically used if both sides support it, but the identity
of neither the sender nor receiver is checked. This is sufficient to
prevent casual eavesdropping or packet snooping, and works fine with
a self-signed certificate. A purchased certificate provides no
additional security in this situation.

If you have end-users connecting directly to your postfix box,
either to submit mail (postfix as an MSA), or to retrieve mail (via
IMAP or POP server software on the same box), a purchased
certificate is helpful so the end-users don't get various "untrusted
server" errors in their desktop mail software.  For this use, a
low-cost certificate (godaddy, rapidssl, etc.) provides the same
level of encryption as a high-dollar certificate (verisign, etc.).

If you need to verify who you're talking to (secure channel), please
see:
http://www.postfix.org/TLS_README.html#server_vrfy_client
http://www.postfix.org/TLS_README.html#client_tls_secure
This does have some limitations, described in the referenced docs.


> Can we add multiple domains using TLS in the future?

For opportunistic TLS, there is nothing more to do; all servers and
clients that support TLS will automatically use TLS. For
secure-channel TLS, there is some manual configuration for each
domain you wish to support.



>
> Is this possible?
> Can you point me to some good how-to?

For the general use case, just enable TLS as described in
http://www.postfix.org/TLS_README.html#quick-start
then set both smtp_tls_security_level and smtpd_tls_security_level
to "may" and TLS will just start working.



  -- Noel Jones
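As an added example (it is not part of the thread and not taken from the Postfix project's documentation), the main.cf fragment below applies the advice in Noel's reply: opportunistic TLS with a self-signed certificate on both the receiving side (smtpd, internet -> postfix-relay) and the sending side (smtp, postfix-relay -> AV-filter or any remote MX), plus the per-domain policy-map entry that secure-channel TLS requires. The certificate and key paths, the CA bundle path and the policy map name are assumptions; the certificate is assumed to carry the relay's own hostname, server.ourdomain.tld, as its CN. Postfix treats "#" as a comment only at the start of a line, so no comment is placed after a value.

```ini
# /etc/postfix/main.cf  (added example; file paths are assumptions)

# --- Inbound (smtpd): offer STARTTLS to any client that supports it, never require it.
# A self-signed certificate is sufficient for the "may" level, as the reply says.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/server.ourdomain.tld.pem
smtpd_tls_key_file = /etc/postfix/server.ourdomain.tld.key
# Log one "TLS connection established" line per session so you can confirm TLS is in use.
smtpd_tls_loglevel = 1
# Record protocol and cipher in the Received: header of each message.
smtpd_tls_received_header = yes

# --- Outbound (smtp): use TLS whenever the next hop offers it.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# CA bundle used only when a policy entry raises the level to "verify" or "secure".
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# --- Secure channel for selected destinations ("manual configuration for each domain").
# Entries in this map override smtp_tls_security_level per next-hop domain.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy  (separate file; run "postmap /etc/postfix/tls_policy" after editing)
# Domain shown is the one from the thread. "secure" requires the remote server's certificate
# to chain to a CA in smtp_tls_CAfile and to match one of the listed names; a self-signed
# certificate at the remote end will fail this check and mail will be deferred, not sent in clear.
# customerdomain.tld    secure match=customerdomain.tld:.customerdomain.tld
```

After editing, `postmap /etc/postfix/tls_policy`, `postfix reload`, and `postconf -n` to review the effective settings. With the "may" levels alone, the relay accepts and sends mail in clear text when the peer does not offer TLS, which is exactly the opportunistic behaviour described above; the policy map is the only place where delivery to a domain is made to fail rather than fall back when its certificate cannot be verified.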