Yes.
It's just a draft.

The problem I see is if you send the following (assuming the following MX setup):
Example:
emailservice1.com MX smtp1.example.org
emailservice2.com MX smtp1.example.org

Example SMTP transaction:

220 smtp1.example.org SMTP server ready
EHLO senderdomain.com
250-smtp1.example.org hello senderdomain.com
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-STARTTLS
250-AUTH
250 HELP
STARTTLS
220 Ready to start TLS
(encrypted transaction follows; the client re-issues EHLO after the TLS handshake)
MAIL FROM:<ad...@senderdomain.com>
250 Sender is okay
RCPT TO:<recipie...@emailservice1.com>
250 Recipient accepted
RCPT TO:<recipie...@emailservice2.com>
250 Recipient accepted
DATA
354 Send message data, end with a .
blah blah
.
250 Message queued for delivery
QUIT
221 Goodbye
Disconnected from host.

Which certificate should the server use for the encrypted transaction, even if we use SNI?
emailservice1.com or emailservice2.com?

So that is the problem, and why the MX identity has to be used to tie the certificate to the server. To protect against modified MX data, DNSSEC has to be used instead.
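Added example (not part of the thread or of Postfix): a small Python model of the two validation policies argued over above. Given a multi-recipient message whose recipient domains share one MX host, it works out which name the sending client has to find in the server certificate for each recipient, how many separate TLS sessions the message needs under each policy, and which certificates the MX host must be able to present. The MX table, recipient addresses and the policy labels "mx-name" and "recipient-domain" are constructed for illustration; a real MTA would take the MX data from (DNSSEC-validated) DNS.

```python
"""Model of certificate-name selection for a shared MX (constructed example).

"mx-name":          the client verifies the MX hostname, so every recipient on
                    the same host can ride one TLS session; the MX name itself
                    must come from DNSSEC-signed data to be trustworthy.
"recipient-domain": the client verifies the recipient's own domain, so the
                    server needs SNI to pick a certificate, and recipients in
                    different domains cannot share one session.
"""
from collections import defaultdict

# Constructed stand-in for DNS lookups: both recipient domains share one MX
# host, mirroring the MX setup in the message above.  No network access.
MX_TABLE = {
    "emailservice1.com": "smtp1.example.org",
    "emailservice2.com": "smtp1.example.org",
    "other.example": "mx.other.example",
}

# Constructed recipient list for a single message.
RECIPIENTS = [
    "alice@emailservice1.com",
    "bob@emailservice2.com",
    "carol@emailservice1.com",
]

POLICIES = ("mx-name", "recipient-domain")


def mx_host(domain, mx_table=MX_TABLE):
    """MX host for a domain; a domain without an MX record is its own host."""
    return mx_table.get(domain, domain)


def reference_identity(rcpt, policy, mx_table=MX_TABLE):
    """Name the client must find in the server certificate for this recipient."""
    domain = rcpt.rsplit("@", 1)[1].lower()
    if policy == "mx-name":
        return mx_host(domain, mx_table)
    if policy == "recipient-domain":
        return domain
    raise ValueError(f"unknown policy: {policy}")


def plan_sessions(recipients, policy, mx_table=MX_TABLE):
    """Group recipients into TLS sessions keyed by (MX host, verified name).

    One session verifies exactly one certificate, so recipients that need
    different names on the same host cannot share a single DATA command.
    """
    sessions = defaultdict(list)
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[1].lower()
        key = (mx_host(domain, mx_table),
               reference_identity(rcpt, policy, mx_table))
        sessions[key].append(rcpt)
    return dict(sessions)


def server_certificate_names(mx, policy, mx_table=MX_TABLE):
    """Names the MX host must be able to present certificates for."""
    if policy == "mx-name":
        return {mx}
    return {domain for domain, host in mx_table.items() if host == mx}


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"policy={policy}")
        for (host, name), rcpts in plan_sessions(RECIPIENTS, policy).items():
            print(f"  connect {host}, SNI/verify {name}: {', '.join(rcpts)}")
        print("  certificates needed on smtp1.example.org:",
              sorted(server_certificate_names("smtp1.example.org", policy)))
```

Under "mx-name" the three recipients fit in one session verified against smtp1.example.org; under "recipient-domain" the same message needs two sessions to the same host, each with a different SNI name, and the host must hold a certificate per hosted domain.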

-----Original Message----- From: Michael Ströder
Sent: Tuesday, December 15, 2015 10:51 AM
To: Sebastian Nielsen ; postfix-users@postfix.org
Subject: Re: postfix and multiple TLS certificates (SNI support?) [Signed]

Sebastian Nielsen wrote:
The certificate is normally validated against the MX name, not recipient domain.

Did you read the referenced I-D before replying?

https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs-00#section-4.1.4.1

Ciao, Michael.

"Michael Ströder" <mich...@stroeder.com> wrote: (15 December 2015 10:12:56 CET)
Viktor Dukhovni wrote:
So, we've managed to hold off on offering SNI support for a decade
since TLS was integrated into Postfix 2.2.  I just wanted to see
whether anyone still wanted it in Postfix, but perhaps if they
really did they've moved on to other solutions.

SNI is a prerequisite for implementing something like [1] if a host is
MX for
more than one recipient domain.

Ciao, Michael.

[1] https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs
