On Wed, Mar 18, 2009 at 06:06:57PM -0000, Paul Hutchings wrote:

> I believe there are some issues that can be specific to wildcard certs
> (Server Alternate Names has cropped up) that can mitigate this, but in
> short, is it a good idea or a terrible idea?

For MX hosts, self-signed certs are the norm, and mail will be delivered
regardless of the cert content (or via an anonymous cipher-suite using
no certs at all if the client is Postfix). You only need validated certs
when:

    - You operate submission servers for MUAs that use STARTTLS or SSL;
      MUAs will complain if the cert does not match the configured SMTP
      server name.

    - You negotiate "secure-channel" relationships with business partners,
      where the business partners enforce TLS for mail sent to you and
      validate your certificate.

As for "wildcard" certs, Postfix only supports one level of sub-domains,
so *.example.com will match mail1.example.com, but will NOT match
mail1.us.example.com. Thus, for example, with ml.com's MX records:

    ml.com.                 5M IN MX        200 ml.com.mail6.psmtp.com.
    ml.com.                 5M IN MX        300 ml.com.mail7.psmtp.com.
    ml.com.                 5M IN MX        400 ml.com.mail8.psmtp.com.
    ml.com.                 5M IN MX        100 ml.com.mail5.psmtp.com.

Postini's wildcard SSL cert can only be matched via policy table entries of
the form:

    - Exact:
        # Note "*" here is a literal value, not a "glob".
        ml.com  secure match=*.psmtp.com

    - Fuzzy:
        # The ".psmtp.com" parent domain will match "*.psmtp.com".
        ml.com  secure match=.psmtp.com

The main reason for the wildcard cert is probably the license structure
allowing the same cert on thousands of servers, rather than any
expectation that the CN will match something useful:

    s:/C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/OU=Terms of use at www.verisign.com/rpa (c)05/CN=*.psmtp.com
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

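The matching rules Viktor describes (a literal `match=` value compared exactly, a leading `.` meaning "any sub-domain", and a `*.` in the certificate name standing for exactly one label) can be modelled to check the two `ml.com` entries. This is an added example, not Postfix source; the treatment of `nexthop`, `hostname` and `dot-nexthop`, and the secure-level default list `nexthop, dot-nexthop`, are assumptions about Postfix behaviour, and the sample names are constructed from the reply.

```python
"""Model of the policy-table "match=" semantics described in the reply
(added example, not Postfix code). A pattern starting with "." is a parent
domain accepting any proper sub-domain; any other pattern is a literal,
except that a leading "*." in the certificate name covers ONE label."""


def _subdomain_of(certid: str, parent: str) -> bool:
    """certid is a proper sub-domain of parent (case-insensitive)."""
    return (len(certid) > len(parent) + 1
            and certid.lower().endswith("." + parent.lower()))


def _literal(certid: str, name: str) -> bool:
    """Exact match, or a "*.x" certid where x is name minus its first label."""
    certid, name = certid.lower(), name.lower()
    if certid == name:
        return True
    if certid.startswith("*.") and len(certid) > 2:
        dot = name.find(".")
        return dot != -1 and name[dot:] == certid[1:]
    return False


def cert_matches(certid: str, patterns, nexthop: str, hostname: str) -> bool:
    """Return True if the certificate name satisfies any "match=" pattern.
    "nexthop"/"hostname"/"dot-nexthop" are assumed to stand for the
    next-hop domain, the MX hostname, and the next-hop as parent domain."""
    for pat in patterns:
        lpat = pat.lower()
        if lpat == "nexthop":
            ok = _literal(certid, nexthop)
        elif lpat == "hostname":
            ok = _literal(certid, hostname)
        elif lpat == "dot-nexthop":
            ok = _subdomain_of(certid, nexthop)
        elif lpat.startswith(".") and len(lpat) > 1:
            ok = _subdomain_of(certid, lpat[1:])
        else:
            ok = _literal(certid, lpat)
        if ok:
            return True
    return False


# Constructed inputs taken from the reply: Postini's wildcard CN, one of
# the ml.com MX hosts, and the assumed secure-level default match list.
CERT_CN = "*.psmtp.com"
MX_HOST = "ml.com.mail5.psmtp.com"
DEFAULT_SECURE = ["nexthop", "dot-nexthop"]
```

With the default list neither `ml.com` nor `.ml.com` matches `*.psmtp.com`, which is why the explicit `match=*.psmtp.com` or `match=.psmtp.com` entry is required.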