Thank you Viktor! Totally clear to me now. Greetings
2017-07-26 16:43 GMT+02:00 Viktor Dukhovni <postfix-us...@dukhovni.org>:
>
> > On Jul 26, 2017, at 6:01 AM, Z3us Linux <z3us.li...@gmail.com> wrote:
> >
> > I'm running Postfix with MailScanner as a spam filter for multiple
> > domains/customers.
> > Is it possible to create a TLS configuration to force encryption for a
> > set of domains with one SSL certificate for the FQDN of the mailserver?
>
> Deploying an RSA 2048-bit key and matching certificate is generally
> sufficient to allow clients that support SMTP STARTTLS to employ
> opportunistic TLS. See:
>
> http://www.postfix.org/TLS_README.html#quick-start
> AND http://www.postfix.org/postfix-tls.1.html
>
> > The MX records of the hosted domains are pointing to my mailserver
> > and my mailserver is forwarding the mail to the destination mailserver
> > of the customer.
>
> Generate a certificate whose DNS subject alternative name is the DNS
> name of your MX host as it appears in the MX records of the customer
> domains.
>
> > Does the SSL certificate need to contain the domain names of the
> > destination domains?
>
> A few broken senders aside, opportunistic TLS in SMTP does not
> validate the server certificate, and it makes little difference
> whether the certificate has a matching name, is "expired" or
> issued by a CA trusted by the sending SMTP client.
>
> That said, you should generally try to make your certificate
> broadly interoperable, and avoid leaving "expired" certificates
> in place, or not having the MX hostname as a DNS subject alternative
> name. However, you may, and often should, employ your own CA, that
> will not be known to the sender.
>
> > Or is the FQDN of the active mailserver enough for good encryption?
>
> Some SMTP servers have no names in their certificate at all. See
> below my signature for an example. It is not necessarily a good
> idea to have such a minimal certificate, but it does interoperate
> with the vast majority of sending clients.
> The 1000-year lifetime is especially "cute"; the administrator of the
> server in question truly understands that with opportunistic TLS only
> the public key matters, and the certificate is largely devoid of any
> extraneous information.
>
> --
> Viktor.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             c3:26:2b:13:ca:b1:36:72
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer:
>         Validity
>             Not Before: Jul 27 14:59:59 2014 GMT
>             Not After : Nov 27 14:59:59 3013 GMT
>         Subject:
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (4096 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 98:C6:9B:D5:20:5C:1D:A8:31:39:BD:78:11:37:FF:BD:AD:5B:BD:59
>             X509v3 Authority Key Identifier:
>                 keyid:98:C6:9B:D5:20:5C:1D:A8:31:39:BD:78:11:37:FF:BD:AD:5B:BD:59
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: sha256WithRSAEncryption
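What Viktor's reply amounts to in practice, as an added example that is not part of this thread: one self-signed RSA-2048 certificate carrying the MX hostname as a DNS subject alternative name, a check that the SAN is really there and that the cert is not about to expire, and the main.cf lines from the TLS_README quick start for opportunistic STARTTLS. The hostname mx.example.com and the file paths are constructed values; it assumes the OpenSSL command-line tool is installed.

```shell
#!/bin/sh
# Added example for the postfix-users thread above; not Viktor's or Postfix's code.
# Assumes the openssl CLI. mx.example.com and /etc/postfix/mx.* are constructed.
set -eu

# Generate an RSA-2048 key ($2) and a self-signed cert ($3) for MX host $1.
# The DNS SAN is what name-checking clients look at; the CN alone is ignored
# by modern verifiers, so both are set to the MX hostname.
gen_mx_cert() {
    host=$1; key=$2; cert=$3
    cnf=$(mktemp)
    cat >"$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -keyout "$key" -out "$cert" -config "$cnf" 2>/dev/null
    rm -f "$cnf"
}

# Succeed only if cert $1 lists DNS:$2 as a subject alternative name.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# Succeed only if cert $1 is still valid $2 days from now (avoids the
# "expired certificate left in place" problem Viktor warns about).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Print the main.cf settings: present the cert to inbound clients and use
# opportunistic TLS in both directions (security level "may").
postfix_tls_main_cf() {
    printf 'smtpd_tls_cert_file = %s\n' "$2"
    printf 'smtpd_tls_key_file = %s\n' "$1"
    printf 'smtpd_tls_security_level = may\n'
    printf 'smtp_tls_security_level = may\n'
    printf 'smtpd_tls_loglevel = 1\n'
}

if [ "${1:-}" = "demo" ]; then
    gen_mx_cert mx.example.com /etc/postfix/mx.key /etc/postfix/mx.crt
    cert_has_san /etc/postfix/mx.crt mx.example.com && echo "SAN present"
    postfix_tls_main_cf /etc/postfix/mx.key /etc/postfix/mx.crt
fi
```

Run with the `demo` argument as root to write the key and cert, then apply the printed lines with `postconf -e` or by appending them to main.cf and reloading Postfix.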