> On Jul 26, 2017, at 6:01 AM, Z3us Linux <z3us.li...@gmail.com> wrote:
>
> I'm running Postfix with MailScanner as a spamfilter for multiple
> domains/customers.
> Is it possible to create a TLS configuration to force encryption for a set of
> domains with one SSL certificate for the FQDN of the mailserver?
Deploying an RSA 2048-bit key and matching certificate is generally
sufficient to allow clients that support SMTP STARTTLS to employ
opportunistic TLS. See:

    http://www.postfix.org/TLS_README.html#quick-start
AND
    http://www.postfix.org/postfix-tls.1.html

> The MX-records of the hosted domains are pointing to my mailserver
> and my mailserver is forwarding the mail to the destination mailserver
> of the customer.

Generate a certificate whose DNS subject alternative name is the DNS
name of your MX host as it appears in the MX records of the customer
domains.

> Does the SSL certificate need to contain the domain names of the
> destination domains?

A few broken senders aside, opportunistic TLS in SMTP does not validate
the server certificate, and it makes little difference whether the
certificate has a matching name, is "expired" or issued by a CA trusted
by the sending SMTP client.

That said, you should generally try to make your certificate broadly
interoperable, and avoid leaving "expired" certificates in place, or
not having the MX hostname as a DNS subject alternative name. However,
you may, and often should, employ your own CA, which will not be known
to the sender.

> Or is the FQDN of the active mailserver enough for good encryption?

Some SMTP servers have no names in their certificate at all. See below
my signature for an example. It is not necessarily a good idea to have
such a minimal certificate, but it does interoperate with the vast
majority of sending clients. The 1000-year lifetime is especially
"cute"; the administrator of the server in question truly understands
that with opportunistic TLS only the public key matters, and the
certificate is largely devoid of any extraneous information.

-- 
	Viktor.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c3:26:2b:13:ca:b1:36:72
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: 
        Validity
            Not Before: Jul 27 14:59:59 2014 GMT
            Not After : Nov 27 14:59:59 3013 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b6:d3:42:35:68:e9:2a:9e:ba:f8:f0:f4:bf:30:
                    b5:0b:40:cd:10:4b:20:94:aa:fc:e8:d3:b1:b8:15:
                    cc:24:ba:7f:95:b5:85:92:e9:d5:97:70:d3:fd:b3:
                    c9:91:ba:d5:85:5d:c6:6d:98:8b:c3:b3:79:74:a7:
                    41:c6:f4:df:14:53:bb:90:21:72:71:ba:e2:56:03:
                    0a:0b:a9:db:d5:92:d3:90:58:4e:eb:a4:8b:51:80:
                    db:5f:56:26:cf:9b:26:a8:2e:42:df:54:14:86:4e:
                    1f:ad:b2:9c:57:54:16:7a:39:25:a3:b3:90:97:eb:
                    70:92:04:27:10:b6:fd:9e:70:4f:b2:02:e2:fa:6d:
                    90:eb:9a:0c:64:3c:31:86:4c:98:99:47:00:75:b6:
                    d0:bb:80:02:13:c7:43:97:24:ec:1e:3e:b1:1c:d6:
                    c7:b7:de:fc:e8:bb:c6:d8:20:74:16:09:27:2d:17:
                    17:a5:a4:41:d0:f6:60:de:a2:84:fa:e4:8d:dd:1e:
                    98:7e:19:75:a4:87:52:18:45:d9:6d:39:3e:2c:b2:
                    64:1a:13:37:26:3f:72:8c:7d:fe:2e:d6:26:d7:cc:
                    37:aa:06:4a:2f:ea:bc:0f:00:5f:d5:30:79:e8:11:
                    21:64:03:b9:91:e5:da:47:6b:7d:43:e6:5e:20:e8:
                    1d:1d:1e:3d:b8:57:62:01:98:13:5b:cc:a8:9f:6b:
                    d2:34:e0:6f:86:b8:ac:9d:89:f1:e9:27:b9:f8:55:
                    ce:a2:8a:33:2b:ac:3a:65:c0:fb:12:b8:f7:5a:47:
                    a6:ea:83:80:88:0f:ca:d4:d5:dc:62:5c:08:d9:cf:
                    e6:ca:fe:32:00:9e:e3:c0:53:99:21:a3:c9:4f:66:
                    07:fc:61:e2:20:18:01:7f:61:dd:e1:72:b5:fd:c3:
                    97:23:2a:51:bf:42:58:64:0d:2b:4e:cc:85:a0:5e:
                    01:52:2b:7b:46:f0:63:19:9b:a3:5e:2c:70:23:36:
                    a3:a9:3a:b3:60:2e:ad:78:68:96:ce:a4:4c:ea:13:
                    77:02:97:c4:55:82:f3:fd:3b:f3:f4:65:4e:dd:3b:
                    fe:d2:dd:d0:da:29:e8:3e:dd:a9:e3:c6:16:db:eb:
                    f8:90:72:dc:54:37:17:15:c9:43:1f:de:9d:5b:02:
                    5e:03:a9:3e:78:75:15:4d:bc:84:bf:a0:7e:4a:68:
                    7d:2b:c6:c5:b5:da:09:8b:f3:45:6e:82:2b:8b:be:
                    e9:5d:b7:b3:f0:e8:0d:04:8c:e3:b8:ca:23:1d:dc:
                    10:09:09:2e:1e:bf:23:4c:67:be:64:c1:90:fd:62:
                    57:17:d4:33:e6:1d:4c:70:d7:58:f6:17:5e:d2:4b:
                    d5:1f:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                98:C6:9B:D5:20:5C:1D:A8:31:39:BD:78:11:37:FF:BD:AD:5B:BD:59
            X509v3 Authority Key Identifier: 
                keyid:98:C6:9B:D5:20:5C:1D:A8:31:39:BD:78:11:37:FF:BD:AD:5B:BD:59
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         8d:47:1d:df:5f:63:ec:db:7b:a3:a3:a6:50:d0:76:f5:1a:86:
         da:21:bf:78:4d:4c:ab:ef:af:a1:be:e9:a5:29:20:6b:05:a3:
         88:85:0e:57:17:9c:e6:8c:f5:87:c7:07:a3:7b:ed:7d:f4:03:
         07:5a:6e:b4:bf:9c:db:6d:33:24:ae:4d:0e:39:06:54:9e:71:
         68:f6:5d:58:e9:19:ff:ef:e2:e5:7c:a9:b9:da:21:dd:14:19:
         d8:c1:6b:ab:ae:fd:2f:86:14:b9:8f:bf:77:75:b8:07:cc:0a:
         62:8a:00:98:c4:fb:0e:ec:ef:f7:11:88:0a:05:0e:ef:9b:c0:
         98:e0:39:47:c0:83:af:5a:f6:aa:3d:8f:2c:5d:b1:95:b4:93:
         a1:86:bf:1d:b1:45:91:e5:7f:6f:63:ab:59:cf:03:4e:c0:37:
         fe:ce:9f:2d:cd:64:a1:81:62:00:79:32:4d:b0:43:2e:58:6e:
         c7:79:f7:b6:74:be:c9:65:c6:2f:d0:e9:b8:56:60:d4:46:48:
         d8:6d:da:b2:81:59:a9:f4:94:8c:c4:9f:f6:ab:16:6f:f1:04:
         e7:e9:2a:bb:04:1f:4d:c5:c2:e0:0b:b0:60:d8:1c:31:59:da:
         c6:32:6c:77:8b:db:e7:77:88:4d:15:45:c9:ea:b8:95:5a:d3:
         d6:5f:19:ed:cd:5d:84:0d:30:75:70:ac:a3:9a:6d:83:fe:bc:
         60:fa:bb:2b:48:d7:12:eb:4a:e3:40:bf:01:56:a9:0d:d4:fc:
         49:88:70:6b:0a:24:36:e8:c2:dd:ea:6c:67:cf:5e:d2:0a:7a:
         31:b8:92:93:7c:f5:8c:91:8e:e9:d9:39:ec:1f:f2:98:0c:3d:
         d5:33:33:53:bd:b1:63:b6:18:e3:20:c6:50:2a:f1:09:50:5d:
         88:69:76:91:38:a1:c1:47:71:09:12:75:6d:a0:17:72:ad:e6:
         78:40:18:d3:04:04:70:3a:bf:74:45:0c:48:7a:7b:fe:0a:fd:
         ff:cb:ae:f7:85:50:fa:e2:23:73:87:54:ea:80:7e:c9:5f:da:
         80:3f:af:04:3a:58:d8:4b:24:75:58:a0:c5:94:0a:b8:8e:62:
         15:7e:3e:da:41:a8:a2:80:1b:c6:43:03:ae:2c:8c:fc:c7:83:
         df:38:df:b8:12:d2:ac:c1:10:b4:66:75:77:c8:a5:6f:49:16:
         c4:27:04:c2:fe:52:a4:ef:62:86:25:00:e7:ce:02:e7:4d:6c:
         c8:60:83:1f:4c:ba:d9:1b:83:da:cc:5d:bf:89:37:04:a7:85:
         62:de:4d:2c:4e:d0:13:c4:cd:81:51:4a:b0:07:53:95:6f:42:
         9e:2e:32:12:7b:1c:c1:c3
-----BEGIN CERTIFICATE-----
MIIE1TCCAr2gAwIBAgIJAMMmKxPKsTZyMA0GCSqGSIb3DQEBCwUAMAAwIBcNMTQw
NzI3MTQ1OTU5WhgPMzAxMzExMjcxNDU5NTlaMAAwggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQC200I1aOkqnrr48PS/MLULQM0QSyCUqvzo07G4Fcwkun+V
tYWS6dWXcNP9s8mRutWFXcZtmIvDs3l0p0HG9N8UU7uQIXJxuuJWAwoLqdvVktOQ
WE7rpItRgNtfVibPmyaoLkLfVBSGTh+tspxXVBZ6OSWjs5CX63CSBCcQtv2ecE+y
AuL6bZDrmgxkPDGGTJiZRwB1ttC7gAITx0OXJOwePrEc1se33vzou8bYIHQWCSct
FxelpEHQ9mDeooT65I3dHph+GXWkh1IYRdltOT4ssmQaEzcmP3KMff4u1ibXzDeq
Bkov6rwPAF/VMHnoESFkA7mR5dpHa31D5l4g6B0dHj24V2IBmBNbzKifa9I04G+G
uKydifHpJ7n4Vc6iijMrrDplwPsSuPdaR6bqg4CID8rU1dxiXAjZz+bK/jIAnuPA
U5kho8lPZgf8YeIgGAF/Yd3hcrX9w5cjKlG/QlhkDStOzIWgXgFSK3tG8GMZm6Ne
LHAjNqOpOrNgLq14aJbOpEzqE3cCl8RVgvP9O/P0ZU7dO/7S3dDaKeg+3anjxhbb
6/iQctxUNxcVyUMf3p1bAl4DqT54dRVNvIS/oH5KaH0rxsW12gmL80VugiuLvuld
t7Pw6A0EjOO4yiMd3BAJCS4evyNMZ75kwZD9YlcX1DPmHUxw11j2F17SS9UfmwID
AQABo1AwTjAdBgNVHQ4EFgQUmMab1SBcHagxOb14ETf/va1bvVkwHwYDVR0jBBgw
FoAUmMab1SBcHagxOb14ETf/va1bvVkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAgEAjUcd319j7Nt7o6OmUNB29RqG2iG/eE1Mq++vob7ppSkgawWjiIUO
Vxec5oz1h8cHo3vtffQDB1putL+c220zJK5NDjkGVJ5xaPZdWOkZ/+/i5Xypudoh
3RQZ2MFrq679L4YUuY+/d3W4B8wKYooAmMT7Duzv9xGICgUO75vAmOA5R8CDr1r2
qj2PLF2xlbSToYa/HbFFkeV/b2OrWc8DTsA3/s6fLc1koYFiAHkyTbBDLlhux3n3
tnS+yWXGL9DpuFZg1EZI2G3asoFZqfSUjMSf9qsWb/EE5+kquwQfTcXC4AuwYNgc
MVnaxjJsd4vb53eITRVFyeq4lVrT1l8Z7c1dhA0wdXCso5ptg/68YPq7K0jXEutK
40C/AVapDdT8SYhwawokNujC3epsZ89e0gp6MbiSk3z1jJGO6dk57B/ymAw91TMz
U72xY7YY4yDGUCrxCVBdiGl2kTihwUdxCRJ1baAXcq3meEAY0wQEcDq/dEUMSHp7
/gr9/8uu94VQ+uIjc4dU6oB+yV/agD+vBDpY2EskdVigxZQKuI5iFX4+2kGoooAb
xkMDriyM/MeD3zjfuBLSrMEQtGZ1d8ilb0kWxCcEwv5SpO9ihiUA584C501syGCD
H0y62RuD2sxdv4k3BKeFYt5NLE7QE8TNgVFKsAdTlW9Cni4yEnscwcM=
-----END CERTIFICATE-----
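Added example, not part of the thread above and not Viktor's or the Postfix project's code: a standard-library Python script that walks the DER structure of the certificate quoted at the end of the reply and reports the one thing an opportunistic-TLS client actually consumes (the RSA public key) next to the fields it ignores (issuer, subject, validity, subject alternative names). The PEM is copied verbatim from the post; the parser is a minimal DER walker written for this example and handles only the v3 RSA certificate layout shown here, not arbitrary X.509 input.

```python
# Added example: inspect the "minimal" certificate from the reply with the
# Python standard library only. Not the thread's or Postfix's own code.
import base64
from datetime import datetime, timezone

# The certificate quoted at the end of the reply, copied verbatim from the post.
MINIMAL_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIE1TCCAr2gAwIBAgIJAMMmKxPKsTZyMA0GCSqGSIb3DQEBCwUAMAAwIBcNMTQw
NzI3MTQ1OTU5WhgPMzAxMzExMjcxNDU5NTlaMAAwggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQC200I1aOkqnrr48PS/MLULQM0QSyCUqvzo07G4Fcwkun+V
tYWS6dWXcNP9s8mRutWFXcZtmIvDs3l0p0HG9N8UU7uQIXJxuuJWAwoLqdvVktOQ
WE7rpItRgNtfVibPmyaoLkLfVBSGTh+tspxXVBZ6OSWjs5CX63CSBCcQtv2ecE+y
AuL6bZDrmgxkPDGGTJiZRwB1ttC7gAITx0OXJOwePrEc1se33vzou8bYIHQWCSct
FxelpEHQ9mDeooT65I3dHph+GXWkh1IYRdltOT4ssmQaEzcmP3KMff4u1ibXzDeq
Bkov6rwPAF/VMHnoESFkA7mR5dpHa31D5l4g6B0dHj24V2IBmBNbzKifa9I04G+G
uKydifHpJ7n4Vc6iijMrrDplwPsSuPdaR6bqg4CID8rU1dxiXAjZz+bK/jIAnuPA
U5kho8lPZgf8YeIgGAF/Yd3hcrX9w5cjKlG/QlhkDStOzIWgXgFSK3tG8GMZm6Ne
LHAjNqOpOrNgLq14aJbOpEzqE3cCl8RVgvP9O/P0ZU7dO/7S3dDaKeg+3anjxhbb
6/iQctxUNxcVyUMf3p1bAl4DqT54dRVNvIS/oH5KaH0rxsW12gmL80VugiuLvuld
t7Pw6A0EjOO4yiMd3BAJCS4evyNMZ75kwZD9YlcX1DPmHUxw11j2F17SS9UfmwID
AQABo1AwTjAdBgNVHQ4EFgQUmMab1SBcHagxOb14ETf/va1bvVkwHwYDVR0jBBgw
FoAUmMab1SBcHagxOb14ETf/va1bvVkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B
AQsFAAOCAgEAjUcd319j7Nt7o6OmUNB29RqG2iG/eE1Mq++vob7ppSkgawWjiIUO
Vxec5oz1h8cHo3vtffQDB1putL+c220zJK5NDjkGVJ5xaPZdWOkZ/+/i5Xypudoh
3RQZ2MFrq679L4YUuY+/d3W4B8wKYooAmMT7Duzv9xGICgUO75vAmOA5R8CDr1r2
qj2PLF2xlbSToYa/HbFFkeV/b2OrWc8DTsA3/s6fLc1koYFiAHkyTbBDLlhux3n3
tnS+yWXGL9DpuFZg1EZI2G3asoFZqfSUjMSf9qsWb/EE5+kquwQfTcXC4AuwYNgc
MVnaxjJsd4vb53eITRVFyeq4lVrT1l8Z7c1dhA0wdXCso5ptg/68YPq7K0jXEutK
40C/AVapDdT8SYhwawokNujC3epsZ89e0gp6MbiSk3z1jJGO6dk57B/ymAw91TMz
U72xY7YY4yDGUCrxCVBdiGl2kTihwUdxCRJ1baAXcq3meEAY0wQEcDq/dEUMSHp7
/gr9/8uu94VQ+uIjc4dU6oB+yV/agD+vBDpY2EskdVigxZQKuI5iFX4+2kGoooAb
xkMDriyM/MeD3zjfuBLSrMEQtGZ1d8ilb0kWxCcEwv5SpO9ihiUA584C501syGCD
H0y62RuD2sxdv4k3BKeFYt5NLE7QE8TNgVFKsAdTlW9Cni4yEnscwcM=
-----END CERTIFICATE-----"""


def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body, validate=True)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """List the (tag, value) pairs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(val):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER."""
    arcs, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_time(tag, val):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) to datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def inspect_certificate(pem):
    """Return the fields of a v3 RSA certificate that matter for the discussion above."""
    _, cert, _ = read_tlv(pem_to_der(pem), 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                       # tbsCertificate
    f = children(tbs)
    idx, version = 0, 1
    if f[0][0] == 0xA0:                                 # [0] EXPLICIT version INTEGER
        version, idx = f[0][1][2] + 1, 1
    serial = int.from_bytes(f[idx][1], "big", signed=True)
    issuer, validity, subject, spki = (f[idx + 2][1], f[idx + 3][1],
                                       f[idx + 4][1], f[idx + 5][1])
    (nb_tag, nb), (na_tag, na) = children(validity)
    (_, _alg), (_, pubkey_bits) = children(spki)        # algorithm, subjectPublicKey
    _, rsa_key, _ = read_tlv(pubkey_bits[1:], 0)        # skip the BIT STRING unused-bits byte
    (_, mod), (_, exp) = children(rsa_key)              # RSAPublicKey ::= SEQUENCE { n, e }
    ext_oids = []
    for tag, val in f[idx + 6:]:
        if tag == 0xA3:                                 # [3] EXPLICIT extensions
            _, ext_seq, _ = read_tlv(val, 0)
            ext_oids = [decode_oid(children(ext)[0][1]) for _, ext in children(ext_seq)]
    return {
        "version": version,
        "serial_hex": f"{serial:x}",
        "issuer_rdns": len(children(issuer)),           # 0 = empty DN, as in this cert
        "subject_rdns": len(children(subject)),
        "not_before": decode_time(nb_tag, nb),
        "not_after": decode_time(na_tag, na),
        "key_bits": int.from_bytes(mod, "big").bit_length(),
        "exponent": int.from_bytes(exp, "big"),
        "extension_oids": ext_oids,
        "has_san": "2.5.29.17" in ext_oids,             # id-ce-subjectAltName
    }


if __name__ == "__main__":
    for key, value in inspect_certificate(MINIMAL_CERT_PEM).items():
        print(f"{key:15} {value}")
```

Run against the quoted certificate, the script reports an empty issuer and subject, no subject alternative name, a validity window from 2014 to 3013, and a 4096-bit RSA key with the usual exponent 65537: exactly the profile the reply describes, where only the public key is doing any work. Pointing `inspect_certificate` at your own MX certificate instead (any PEM, read from disk) lets you confirm the opposite case that the reply recommends, namely that `has_san` is true and the MX hostname is present, before the certificate is placed in `smtpd_tls_cert_file`.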