separate TLS certificates for virtual domains - how ?


Zalezny Niezalezny
Hi,

is it possible to set up separate SSL certificates for each virtual domain?


Thanks in advance for any support.


Cheers

Konrad

Re: separate TLS certificates for virtual domains - how ?

Viktor Dukhovni

> On Mar 23, 2017, at 7:37 AM, Zalezny Niezalezny <[hidden email]> wrote:
>
> is it possible to set up separate SSL certificates for each virtual domain?

Only by using a separate IP address for each domain and a separate smtpd(8)
entry in master.cf.  The Postfix smtpd(8) service does not support SNI-based
certificate selection.  And this is not needed.  Just point all the virtual
domains at a common MX host with a single certificate.

Submission services make for a better use-case of SNI-based certs, but the
supporting code has not yet been written.  Here too a shared server works,
provided you're not hosting domains that want to use a "floating" MSA
name so as not to have to ask users to configure their MUAs when they
switch providers.

--
        Viktor.
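Viktor's answer describes the only per-domain certificate mechanism smtpd(8) offered at the time: one listening IP address per domain, each with its own smtpd(8) entry in master.cf carrying its own certificate and key. The fragment below is an added illustration of that layout, not configuration from the original post or from the Postfix distribution; the addresses, hostnames and certificate paths are made up.

```conf
# /etc/postfix/master.cf  (added example; addresses and file paths are illustrative)
#
# One inbound smtpd(8) listener per IP address, each with its own certificate.
# An "ip:port" service name binds that listener to one address only, and the
# "-o" lines override the main.cf smtpd_tls_* defaults for that listener alone.
# Comment out the stock wildcard "smtp inet ... smtpd" line so the per-address
# listeners do not compete with it for port 25.
#
# DNS to match (also illustrative):
#   example.com.      MX 10 mx.example.com.   mx.example.com.  A 192.0.2.10
#   example.net.      MX 10 mx.example.net.   mx.example.net.  A 192.0.2.11
#   plus a PTR record for each address pointing back at the same name.
# ==========================================================================
# service         type  private unpriv  chroot  wakeup  maxproc command + args
# ==========================================================================
192.0.2.10:smtp   inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/mx-example-com
  -o smtpd_tls_cert_file=/etc/postfix/certs/mx.example.com.crt
  -o smtpd_tls_key_file=/etc/postfix/certs/mx.example.com.key
  -o smtpd_tls_security_level=may
192.0.2.11:smtp   inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/mx-example-net
  -o smtpd_tls_cert_file=/etc/postfix/certs/mx.example.net.crt
  -o smtpd_tls_key_file=/etc/postfix/certs/mx.example.net.key
  -o smtpd_tls_security_level=may
```

After `postfix reload`, confirm each address presents the intended certificate with `openssl s_client -connect 192.0.2.10:25 -starttls smtp` (and likewise for 192.0.2.11) and compare the subject and SAN in the output; `postconf -M` lists the resulting master.cf services. The distinct `syslog_name` values keep the two listeners apart in the mail log. Note that the thread predates Postfix 3.4, which later added SNI-based certificate selection through the `tls_server_sni_maps` parameter; on releases from that point on the per-address layout is no longer the only option.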


Re: separate TLS certificates for virtual domains - how ?

Mark Constable
On 23/03/17 23:06, Viktor Dukhovni wrote:
>> is it possible to set up separate SSL certificates for each virtual
>> domain?
>
> The Postfix smtpd(8) service does not support SNI-based certificate
> selection. And this is not needed. Just point all the virtual domains
> at a common MX host with a single certificate.

That is not an appropriate answer for my clients, who are paying me to
provide them with their own domain identity at a time when it's almost
impossible to get reasonably sized blocks of IPv4 networks. SNI is a real
thing. Dovecot does it, Courier-MTA fully supports SNI on all protocols,
and MUAs will work with SNI.

It absolutely insulates hosting clients from having to change their SMTP
server settings when the hosting provider has to make network adjustments.
If that single MX host has to change (ISP buyout or whatever), then all
clients have to make a mail server setting change; if the provider had the
option of using SNI, then the clients' "vanity" mail server domain settings
can remain unchanged. That's a big deal when there are more than a few
thousand clients involved over periods of decades.

The only valid reason for not using SNI is when a virtual domain must have
a PTR record, but a PTR is not always required, e.g. for a WordPress site
sending out notifications. Even so, the provider can switch a virtual domain
between SNI and a dedicated IP without the client having to make any changes.


Re: separate TLS certificates for virtual domains - how ?

Viktor Dukhovni

> On Mar 23, 2017, at 10:03 AM, Mark Constable <[hidden email]> wrote:
>
> On 23/03/17 23:06, Viktor Dukhovni wrote:
>>> is it possible to set up separate SSL certificates for each virtual
>>> domain?
>>
>> The Postfix smtpd(8) service does not support SNI-based certificate
>> selection. And this is not needed. Just point all the virtual domains
>> at a common MX host with a single certificate.
>
> That is not an appropriate answer for my clients, who are paying me to
> provide them with their own domain identity at a time when it's almost
> impossible to get reasonably sized blocks of IPv4 networks.

That answer was for the port 25 inbound MX relay host, which can be
changed by updating MX records without any interaction with the users.

You have to decide what to tell your clients, I am just letting *you*
know what Postfix provides in this space.  SNI is largely a non-issue
for MX hosting.  The story is different for MSA hosting...

> SNI is a real
> thing. Dovecot does it, Courier-MTA fully supports SNI on all protocols,
> and MUAs will work with SNI.

I am well aware of what SNI is for and how it is used.  This question has
been asked before on this list, you can search the archives for previous
answers.

> It absolutely insulates hosting clients from having to change their SMTP
> server settings when the hosting provider has to make network adjustments.
> If that single MX host has to change (ISP buyout or whatever), then all
> clients have to make a mail server setting change; if the provider had the
> option of using SNI, then the clients' "vanity" mail server domain settings
> can remain unchanged.

You are conflating MX hosts with MSAs.  Users don't configure their MUAs
to talk to MX hosts.  Sadly, despite RFC 6186, most MUAs do not do SRV
record lookups, and doing so securely would require ubiquitous DNSSEC,
with no barriers to access at hotel networks, airports and other captive
portals.  That's still many years away...

> The only valid reason for not using SNI is when a virtual domain must have
> a PTR record, but a PTR is not always required, e.g. for a WordPress site
> sending out notifications. Even so, the provider can switch a virtual domain
> between SNI and a dedicated IP without the client having to make any changes.

As I said, there is a legitimate use-case for SNI support in the port 587
submission service, but Postfix does not at present have the requisite
feature.  Sorry about that.

--
        Viktor.


Re: separate TLS certificates for virtual domains - how ?

Mark Constable
On 24/03/17 00:30, Viktor Dukhovni wrote:
> That answer was for the port 25 inbound MX relay host, which can be
> changed by updating MX records without any interaction with the
> users.
>[...]
> You are conflating MX hosts with MSAs.  Users don't configure their
> MUAs to talk to MX hosts.

Not quite. In my case the virtual host for the MX record and what is
autoconfigured as the users' 465/SSL outgoing mail server setting (I don't
provide 587/TLS MSA ports) is the same virtual host, so coincidentally the
MX host is the same as the MUA outgoing mail server setting. Where I said
SMTP I meant SMTPS, so that would have confused my point, and the MX
reference is, as mentioned, coincidentally the same as the SMTPS host.

As for port 25/TLS, I can set up 2 courier-mta mail servers to optionally
use TLS in SNI mode so unauthenticated traffic between them is encrypted
while still being able to accept general non-TLS connections.

> As I said, there is a legitimate use-case for SNI support in the port 587
> submission service, but Postfix does not at present have the requisite
> feature.  Sorry about that.

Sure, but if I and some other folks keep pointing out how it could help
Postfix providers and end users alike, then maybe some day it will be.