many le ssl certs assigned to postfix

many le ssl certs assigned to postfix

Poliman - Serwis
I have a server created based on the Perfect Server tutorial for Ubuntu 16.04. Is it possible to assign to postfix/dovecot as many Let's Encrypt SSL certs as possible? I have 20 domains on the server but postfix uses the ispserver.crt and ispserver.key certs generated by Let's Encrypt:

lrwxrwxrwx 1 root root       48 Mar 13 07:42 smtpd.cert -> /usr/local/ispconfig/interface/ssl/ispserver.crt
lrwxrwxrwx 1 root root       48 Mar 13 07:42 smtpd.key -> /usr/local/ispconfig/interface/ssl/ispserver.key

which are from:

lrwxrwxrwx 1 root root   50 Nov  3  2017 ispserver.crt -> /etc/letsencrypt/live/s1.example.net/fullchain.pem
lrwxrwxrwx 1 root root   48 Nov  3  2017 ispserver.key -> /etc/letsencrypt/live/s1.example.net/privkey.pem


For each domain except the server FQDN I get a certificate mismatch in the mail client. Sending emails works but I would like to fix the certificate mismatch.


--
Pozdrawiam / Best Regards
Piotr Bracha

Re: many le ssl certs assigned to postfix

Matus UHLAR - fantomas
On 25.05.18 12:41, Poliman - Serwis wrote:
> I have server created based on Perfect Server tutorial for Ubuntu 16.04.
>Is it possible to assign to postfix/dovecot as many lets encrypt ssl certs
>as possible?

Why? Is it a problem to generate a single Let's Encrypt certificate for
multiple domains?

> I have 20 domains on the server but postfix uses ispserver.crt
>and ispserver.key certs generated by letsencrypt:
>
>lrwxrwxrwx 1 root root       48 Mar 13 07:42 smtpd.cert ->
>/usr/local/ispconfig/interface/ssl/ispserver.crt
>lrwxrwxrwx 1 root root       48 Mar 13 07:42 smtpd.key ->
>/usr/local/ispconfig/interface/ssl/ispserver.key
>
>which are from:
>
>lrwxrwxrwx 1 root root   50 Nov  3  2017 ispserver.crt ->
>/etc/letsencrypt/live/s1.example.net/fullchain.pem
>lrwxrwxrwx 1 root root   48 Nov  3  2017 ispserver.key ->
>/etc/letsencrypt/live/s1.example.net/privkey.pem
>
>
>For each domain except server fqdn I have certificate mismatch in mail
>client. Sending emails works but I would like to fix certs mismatch.

Unless you have multiple IP addresses on your server (in which case you can
configure multiple smtpd services on them, each one with a different
certificate), you will need server-side SNI (server name indication) in
postfix.

Another trick I have seen is to use an SNI-capable reverse SSL proxy.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer

Re: many le ssl certs assigned to postfix

Poliman - Serwis
Thank you for the answer. I see that the link for Perfect Server was not attached. Here is the link: https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/2/
Each Let's Encrypt SSL cert is generated by ISPConfig 3. I am afraid that if I generate one Let's Encrypt cert for all domains I will break cert generation from the ISPConfig panel. Besides, how do I connect a cert generated this way to postfix?

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: many le ssl certs assigned to postfix

Benny Pedersen-2
Matus UHLAR - fantomas wrote on 2018-05-25 14:57:

> On 25.05.18 12:41, Poliman - Serwis wrote:
>> I have server created based on Perfect Server tutorial for Ubuntu
>> 16.04.
>> Is it possible to assign to postfix/dovecot as many lets encrypt ssl
>> certs
>> as possible?
>
> why? is it a problem to generate single Let's Encrypt certificate for
> multiple domains?
>
>> I have 20 domains on the server but postfix uses ispserver.crt
>> and ispserver.key certs generated by letsencrypt:
>>

one server, one problem; multiple certs, multiple problems
back to ISPConfig:

ISPConfig could create one single CSR that is signed by LE, and thus
people can use their own SSL-signed certs; it will be like gmail.com being
seen in google.com's SSL cert

but all this mess will mean more management to be done without any
benefit at all

Re: many le ssl certs assigned to postfix

Benny Pedersen-2
Poliman - Serwis wrote on 2018-05-25 15:10:
> Thank you for answer. I see that link for Perfect Server is not
> attached. Here is the link
> https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/2/

so that's perfect for your server to make SSL perfect

>  Each lets encrypt ssl cert is generated by ISPconfig3. I am affraid
> when I generate one lets encrypt cert for all domains I will break
> cert generation from ISPconfig panel. Besides how to connect this way
> generated cert to postfix?

why care about hosted domains if your server is perfect in terms of SSL?

it does not matter whether you have more than one domain or not; it will be
the same problem with 1 million domains hosted

what signer will allow 1 million hosted domains in one SSL cert? :=)

openssl supports it, but it's not a good way to follow

it will generate unstable DNS problems

Re: many le ssl certs assigned to postfix

Wietse Venema
Poliman - Serwis:

>  I have server created based on Perfect Server tutorial for Ubuntu 16.04.
> Is it possible to assign to postfix/dovecot as many lets encrypt ssl certs
> as possible? I have 20 domains on the server but postfix uses ispserver.crt
> and ispserver.key certs generated by letsencrypt:
>
> lrwxrwxrwx 1 root root       48 Mar 13 07:42 smtpd.cert ->
> /usr/local/ispconfig/interface/ssl/ispserver.crt
> lrwxrwxrwx 1 root root       48 Mar 13 07:42 smtpd.key ->
> /usr/local/ispconfig/interface/ssl/ispserver.key
>
> which are from:
>
> lrwxrwxrwx 1 root root   50 Nov  3  2017 ispserver.crt ->
> /etc/letsencrypt/live/s1.example.net/fullchain.pem
> lrwxrwxrwx 1 root root   48 Nov  3  2017 ispserver.key ->
> /etc/letsencrypt/live/s1.example.net/privkey.pem
>
>
> For each domain except server fqdn I have certificate mismatch in mail
> client. Sending emails works but I would like to fix certs mismatch.

Postfix does not yet support SNI, so you would need to update master.cf
with one smtpd definition per IP address with its own smtpd_tls_*cert_file
and smtpd_tls_*key_file.

But why? SMTP is not HTTP. With SMTP, the MX records for different
domains can contain the same SMTP server hostname.

        Wietse
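The per-address layout Matus and Wietse describe, written out as an added example for this thread (it is not configuration from the thread, from the Perfect Server tutorial or from ISPConfig). The first certificate path is the OP's; the addresses 192.0.2.10 and 192.0.2.11, the second certificate path and the `syslog_name` values are assumed. Syntax is that of Postfix 3.1 as shipped with Ubuntu 16.04:

```conf
# /etc/postfix/master.cf
# One smtpd listener per IP address, each presenting its own certificate.
# These entries REPLACE the generic "smtp inet ... smtpd" line: a wildcard
# listener and per-address listeners would compete for port 25. Keep
# inet_interfaces in main.cf covering both addresses (the default "all" does).
192.0.2.10:smtp        inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/s1
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/s1.example.net/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/s1.example.net/privkey.pem
192.0.2.11:smtp        inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/example-com
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
# The same split is needed on the submission port, which is what the OP's
# mail clients actually connect to; port 25 alone would leave the mismatch.
192.0.2.10:submission  inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/s1-submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/s1.example.net/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/s1.example.net/privkey.pem
192.0.2.11:submission  inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/example-com-submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/mail.example.com/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/mail.example.com/privkey.pem
```

Each `-o` line must start with whitespace and must not have spaces around the `=`. After `postfix reload`, `openssl s_client -starttls smtp -connect 192.0.2.11:25` should show the mail.example.com certificate while the same command against 192.0.2.10 shows the s1.example.net one. The approach costs one public address per certificate; Postfix 3.4 (2019) later added server-side SNI through `tls_server_sni_maps`, which removes that constraint, and Dovecot has had SNI for IMAP/POP via `local_name` blocks since 2.2, so the IMAP side does not need per-address listeners.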

Re: many le ssl certs assigned to postfix

Poliman - Serwis
Thank you for the advice, but how do I set up a different SMTP server in the MX record if the MX record determines the POP3/IMAP and SMTP servers? Do you mean setting a few MX records with a few mail servers? Currently I only know that I could configure a few MX records with a few mail servers with different priorities. I would like to underline that I could not understand you properly.

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: many le ssl certs assigned to postfix

Ansgar Wiechers
On 2018-05-28 Poliman - Serwis wrote:
> Thank you for advices but how setup different SMTP in MX record if MX
> record determine pop3/imap and smtp servers? Do you mean set few MX
> records with few mailservers? Currently I only know that I could
> configure few MX records with few mailservers with different priority.
> I would like to underline I could not understand you properly.

MX records only ever specify the servers designated for RECEIVING
INBOUND mail for a domain. They say nothing about POP or IMAP (or
which servers will handle outbound mail for that matter).

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: many le ssl certs assigned to postfix

Ansgar Wiechers
Please do not reply off-list.

On 2018-05-28 Poliman - Serwis wrote:

> 2018-05-28 13:18 GMT+02:00 Ansgar Wiechers <[hidden email]>:
>> On 2018-05-28 Poliman - Serwis wrote:
>>> Thank you for advices but how setup different SMTP in MX record if
>>> MX record determine pop3/imap and smtp servers? Do you mean set few
>>> MX records with few mailservers? Currently I only know that I could
>>> configure few MX records with few mailservers with different
>>> priority. I would like to underline I could not understand you
>>> properly.
>>
>> MX records only ever specify the servers designated for RECEIVING
>> INBOUND mail for a domain. They say nothing about POP or IMAP (or
>> which servers will handle outbound mail for that matter).
>
> Thank you for answer. How to understand what Wietse said: " SMTP is
> not HTTP. With SMTP, the MX records for different domains can contain
> the same SMTP server hostname. " comparing to your answer - why he
> says SMTP server hostname instead of just server hostname? Receiving
> inbound emails means receiving emails for pop/imap services or between
> mail servers?

An MX record doesn't necessarily have to specify a server from its own
domain. You can specify a server mail.example.org as the mail handler
for the domains example.com and example.net (via an MX record in the
zones of those domains).

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time
learning."
--Joel Spolsky

Re: many le ssl certs assigned to postfix

Poliman - Serwis
OK, I understand. Thank you, guys. I will set the server FQDN, for which the SSL cert is added, as the MX for each domain. All things should go well then.

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: many le ssl certs assigned to postfix

dln
Apologies for 'jumping in'.

The advice to use the MX record to 'redirect' email for client-domain.net to
mail.server.com (for example) will work happily.

However (referring to the OP's use case), won't the client (say a
Thunderbird user) be presented with the LE certificate for server.com and
not one from his own "client-domain"?

Such an appearance may cause confusion/distrust? (and perhaps it should!)

Your thoughts? =dn




Re: many le ssl certs assigned to postfix

Viktor Dukhovni
On Thu, Jul 19, 2018 at 11:15:34PM -0700, dln wrote:

> The advice to use the MX record to 'redirect' email for client-domain.net to
> mail.server.com (for example) will work happily.
>
> However (referring to the OP's use case), won't the client (say a
> Thunderbird user) be presented with the LE certificate for server.com and
> not one from his own "client-domain"?
>
> Such an appearance may cause confusion/distrust? (and perhaps it should!)
>
> Your thoughts? =dn

In my not so copious spare time, I'm working on server-side SNI support for
Postfix.

--
        Viktor.

Re: many le ssl certs assigned to postfix

Olivier Nicole-2
> The advice to use the MX record to 'redirect' email for client-domain.net to
> mail.server.com (for example) will work happily.
>
> However (referring to the OP's use case), won't the client (say a
> Thunderbird user) be presented with the LE certificate for server.com and
> not one from his own "client-domain"?

I don't think so.

When following the MX record, the client will know that to send mail to
client-domain.net it should contact mail.server.com, and in doing so it will
receive the certificate of mail.server.com; the certificate will
correspond to the machine the client is contacting and all should be
nice and shiny.

The certificate should match the server you are connected to, independently
of the final mail recipient.

In fact, all my clients are forced to use my mail gateway, and in doing so
they are presented with the certificate of my mail gateway, whomever they
are sending mail to.

Best regards,

Olivier

Re: many le ssl certs assigned to postfix

Bill Cole-3
On 20 Jul 2018, at 2:15 (-0400), dln wrote:

> The advice to use the MX record to 'redirect' email for
> client-domain.net to
> mail.server.com (for example) will work happily.

Indeed, as it has worked for decades.

> However (referring to the OP's use case), won't the client (say a
> Thunderbird user)

No, MUAs do not generally chase MX records. MX records exist to instruct
MTAs on where to pass mail for non-local domains. MUAs use explicit
names for MSAs, either by manual configuration or via automated config
schemes like ACAP.

> be presented with the LE certificate for server.com and
> not one from his own "client-domain"?

This is not a problem. In the MTA-MTA case the sender has resolved a MX
record to a name with an A record, which should be a valid subject name
for the receiver's certificate. In the MUA-MSA case the client has an
explicitly configured name which should be a valid subject name for the
server's certificate OR should resolve to such a name via a CNAME
record.

> Such an appearance may cause confusion/distrust?

I've been managing SSL/TLS-capable mail systems for as long as that has
been possible, using multiple versions of multiple MTA/MSA packages with
clients of all sorts and I have never seen a client complain about a
valid MSA certificate whose names include the one that the client has
been configured to use. I have never seen a sending MTA allow
certificate name or trust chain issues to persistently impede delivery
and only rarely to persistently force fallback to sending in the clear.

The reason these theoretical problems are not actual problems in the
real world is that for many years the most common mode of using TLS for
SMTP was with self-signed certificates (because that is in fact adequate
without trustworthy DNS) and mail submission was commonly done over port
25 just like transport. Because of that history, interoperability
concerns have kept most mail software from being strict about
certificate validity by default.

> (and perhaps it should!)

Probably not in most cases for mail transport (i.e. governed by MX
records) but it is already true that many client TLS implementations are
not tolerant of some sorts of subject name mismatch for MSAs, which is
as it should be.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole
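Ansgar's and Bill's points above (an MX may name a host in another domain, and each party validates the name it actually connected to, not the recipient domain) reduce to a small matching exercise. The following is an added example for this thread, not code from the thread, from Postfix or from any mail client. The certificate SAN list, the DNS zone data and the client configurations are constructed to mirror the OP's situation: hosted domains, one Let's Encrypt certificate for the server FQDN s1.example.net. The `strict` flag separates what RFC 6125 asks of a client (compare the configured name only, never a name learned from an unsigned DNS lookup) from the lenient CNAME-following behaviour Bill mentions; the function and variable names are the example's own.

```python
"""Which name does each party check against the mail server's certificate?"""

# Constructed: subjectAltName DNS entries of the single certificate that
# Postfix and Dovecot present (the OP's fullchain.pem for s1.example.net).
SERVER_CERT_SANS = ["s1.example.net"]

# Constructed zone data. Hosted domains point their MX at the server FQDN;
# the per-domain "mail." names are CNAMEs to it.
DNS = {
    "example.com": {"MX": ["s1.example.net"]},
    "example.org": {"MX": ["s1.example.net"]},
    "mail.example.com": {"CNAME": "s1.example.net"},
    "mail.example.org": {"CNAME": "s1.example.net"},
    "s1.example.net": {"A": ["192.0.2.10"]},
}


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 DNS-ID comparison.

    Case-insensitive; a wildcard is accepted only as the entire left-most
    label, matches exactly one label, and needs at least two fixed labels
    after it so that '*.net' cannot match every .net host.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans, hostname) -> bool:
    return any(san_matches(san, hostname) for san in sans)


def resolve_mx(domain, dns):
    """MX lookup as a sending MTA performs it: the recipient domain yields
    the host names it will actually connect to."""
    return list(dns.get(domain, {}).get("MX", []))


def cname_target(name, dns, max_hops=8):
    """Follow a CNAME chain to its canonical name (bounded against loops)."""
    for _ in range(max_hops):
        record = dns.get(name, {})
        if "CNAME" not in record:
            break
        name = record["CNAME"]
    return name


def mta_delivery_ok(domain, sans=SERVER_CERT_SANS, dns=DNS) -> bool:
    """MTA-to-MTA: the sender validates the MX host it resolved, so every
    hosted domain whose MX is the server FQDN is fine with one certificate."""
    mx_hosts = resolve_mx(domain, dns)
    return bool(mx_hosts) and all(cert_covers(sans, mx) for mx in mx_hosts)


def mua_connect_ok(configured_host, sans=SERVER_CERT_SANS, dns=DNS,
                   strict=True) -> bool:
    """MUA-to-MSA/IMAP: the client checks the name it was configured with.

    strict=True: compare the configured name only (RFC 6125).
    strict=False: also accept a CNAME target that the certificate covers,
    the lenient behaviour some clients have shown.
    """
    if cert_covers(sans, configured_host):
        return True
    if strict:
        return False
    return cert_covers(sans, cname_target(configured_host, dns))


def report(hosted_domains, sans=SERVER_CERT_SANS, dns=DNS):
    """Per hosted domain: does MX delivery validate, and will a strict client
    configured with mail.<domain> (the OP's mismatch) or with the server
    FQDN (the fix the thread converges on) accept the certificate?"""
    return {
        d: {
            "mx_delivery": mta_delivery_ok(d, sans, dns),
            "mua_mail_dot_domain": mua_connect_ok(f"mail.{d}", sans, dns),
            "mua_server_fqdn": mua_connect_ok("s1.example.net", sans, dns),
        }
        for d in hosted_domains
    }


if __name__ == "__main__":
    for domain, result in report(["example.com", "example.org"]).items():
        print(domain, result)
```

The report shows the outcome the thread arrives at: MX-based delivery validates for every hosted domain because the sending MTA checks s1.example.net, a strict client configured with mail.example.com fails (that is the OP's mismatch), and a client configured with the server FQDN passes without any extra certificate.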