On 6/7/2013 1:40 PM, polloxx wrote:
> Dear list,
>
> We need to implement TLS for one of our customers using our Postfix
> infrastructure (serving multiple domains) for inbound mail. The
> final delivery for that domain is an Exchange server, but we have an
> anti-virus server in front of that Exchange: internet ->
> postfix-relay -> AV-filter -> Exchange.
>
> So we need to enable TLS at our postfix-relay. Let's say our server
> is called server.ourdomain.tld, and the customer domain is
> customerdomain.tld.
> Do we need a cert for server.ourdomain.tld, or for customerdomain.tld?
First read
http://www.postfix.org/TLS_README.html
http://www.postfix.org/TLS_README.html#server_vrfy_client

As a general rule, MTAs do opportunistic anonymous TLS, meaning that TLS is automatically used if both sides support it, but the identity of neither the sender nor the receiver is checked. This is sufficient to prevent casual eavesdropping or packet snooping, and works fine with a self-signed certificate. A purchased certificate provides no additional security in this situation.

If you have end-users connecting directly to your postfix box, either to submit mail (postfix as an MSA), or to retrieve mail (via IMAP or POP server software on the same box), a purchased certificate is helpful so the end-users don't get various "untrusted server" errors in their desktop mail software. For this use, a low-cost certificate (godaddy, rapidssl, etc.) provides the same level of encryption as a high-dollar certificate (verisign, etc.).

If you need to verify who you're talking to (secure channel), please see:
http://www.postfix.org/TLS_README.html#server_vrfy_client
http://www.postfix.org/TLS_README.html#client_tls_secure
This does have some limitations, described in the referenced docs.

> Can we add multiple domains using TLS in the future?

For opportunistic TLS, there is nothing more to do; all servers and clients that support TLS will automatically use TLS.

For secure-channel TLS, there is some manual configuration for each domain you wish to support.

>
> Is this possible?
> Can you point me to some good how-to?

For the general use case, just enable TLS as described in
http://www.postfix.org/TLS_README.html#quick-start
then set both smtp_tls_security_level and smtpd_tls_security_level to "may" and TLS will just start working.

-- 
Noel Jones
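The configuration the reply describes, as an added example that is not part of the list thread or of the Postfix project's own documentation: opportunistic TLS ("may") on both the receiving and the sending side of the relay, with a certificate issued to the relay's own name (server.ourdomain.tld), plus the per-destination tls_policy entry that the secure-channel case needs for one next hop. The AV-filter host name av-filter.ourdomain.tld, port 10025, and all file paths are assumptions; the three files are shown in one block with comment headers.

```ini
# ===== /etc/postfix/main.cf (added example; host names and paths are assumptions) =====

# --- Inbound hop: internet -> postfix-relay (smtpd side) ---
# "may" = encrypt when the sending MTA offers STARTTLS, plain otherwise.
# "encrypt" would refuse senders without TLS and break a public MX.
smtpd_tls_security_level = may
# The certificate names this relay, not the customer's domain.
# A self-signed certificate is enough for opportunistic TLS.
smtpd_tls_cert_file = /etc/postfix/certs/server.ourdomain.tld.pem
smtpd_tls_key_file  = /etc/postfix/certs/server.ourdomain.tld.key
# Summarise each handshake in the mail log and record the TLS details in the
# Received: header, so "did this message arrive over TLS?" is answerable later.
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

# --- Outbound hop: postfix-relay -> AV-filter (smtp client side) ---
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# Trust store consulted when a tls_policy entry asks for verification.
# Path is distribution-specific (assumed: a Debian/Ubuntu CA bundle).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# Per-destination overrides; this is the "manual configuration per domain"
# that secure-channel TLS requires.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
transport_maps = hash:/etc/postfix/transport

# ===== /etc/postfix/transport (assumed routing for the customer's domain) =====
# customerdomain.tld    smtp:[av-filter.ourdomain.tld]:10025

# ===== /etc/postfix/tls_policy =====
# Lookup key is the next hop exactly as written in transport (brackets and port
# included). "secure" requires a verified certificate chaining to a CA in
# smtp_tls_CAfile whose name matches the host in match=; delivery fails otherwise.
# Every other destination falls back to the global "may" level above.
# [av-filter.ourdomain.tld]:10025    secure match=av-filter.ourdomain.tld
```

After editing, run `postmap /etc/postfix/transport` and `postmap /etc/postfix/tls_policy`, then `postfix reload`, and confirm the active values with `postconf -n`. Successful opportunistic sessions show up in the mail log as "Anonymous TLS connection established from ..." (inbound) or "... to ..." (outbound), which is the simplest check that TLS is actually being negotiated. If the AV filter presents a self-signed certificate rather than a CA-issued one, the `fingerprint` policy level described in TLS_README (matching on the certificate's fingerprint instead of a CA chain) is the way to get a verified channel to it.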