On Mon, Sep 08, 2014 at 04:43:36PM -0700, Quanah Gibson-Mount wrote:

> A number of our zimbra customers deploy where they are hosting accounts for
> multiple domains (At least one client hosts over 100,000 domains).  These
> deployments generally use a single set of MTAs for their MX records, which
> works fine as long as TLS is not involved.  However, with the increasing
> desire for security, our clients are becoming quite interested in enabling
> TLS at the smtpd layer.

Which works just fine with a single certificate, because TLS in
SMTP is generally unauthenticated.  If all the various domains
share the same MX hostnames, many implementations that log
"speculative" authentication results (no actual enforcement, just
logging that a given session happened to appear to not be MiTMed)
will match the MX host against the shared certificate.

> At this time, it appears Postfix only accepts a single TLS key/cert pair for
> the smtpd process.  Any thoughts on how to handle multi-domain support
> requirements for the smtpd process?

No such plans.  For real SMTP authentication, the server domain
needs to employ DANE:

    https://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane

> domain1.        IN      MX      10 mail-relay1.domain1.
> domain1.        IN      MX      20 mail-relay2.domain1.
> 
> domain2.        IN      MX      20 sky.domain1.
> domain2.        IN      MX      10 mail.domain2.
>
> domain3.        IN      MX      10 mail.domain2.
> domain3.        IN      MX      20 sky.domain1.

Needlessly different MX hostnames.

> Or is my only option to do something like set up multiple IPs for postfix,
> with an smtpd assigned to each IP?  Something like:
> 
> 10.0.0.101:25 inet . . . smtpd
>   -o smtpd_tls_cert_file=domain1.pem
>   -o smtpd_tls_key_file=domain1.key
> 10.0.0.102:25 inet . . . smtpd
>   -o smtpd_tls_cert_file=domain2.pem
>   -o smtpd_tls_key_file=domain2.key
> 10.0.0.103:25 inet . . . smtpd
>   -o smtpd_tls_cert_file=domain3.pem
>   -o smtpd_tls_key_file=domain3.key

Today, opportunistic TLS works with a fixed self-signed certificate
that equally fails to be authenticated for all domains.

Authentication of MX hostnames without DNSSEC offers little
protection: the MiTM can spoof the MX records.  With DNSSEC the
receiving system should publish DANE-EE(3) TLSA RRs which ignore
the certificate subject name.

Do not deploy per-domain SMTP certificates; they are a bad idea.
Typically, this requires periodic installation of private keys from
the owners of the hosted domains, SNI, and lots of related needless
pain.  Postfix will not inflict this broken model on anyone.

-- 
        Viktor.
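As an added example, not part of this thread and not Postfix code: a Python script that computes DANE-EE(3) TLSA association data (selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256, the "3 1 1" form the reply points at) from a certificate, and checks a presented certificate against such records without ever looking at the subject name. It only needs the standard library; the certificate it operates on is a constructed, unsigned certificate-shaped DER blob with a dummy key (labelled as such in the code), and the owner names are placeholders. It also handles selector 0 and matching types 0 and 2, which goes beyond the specific case in the reply.

```python
"""Build and match DANE-EE(3) TLSA records from a certificate's
SubjectPublicKeyInfo.  Example code; the certificates below are
constructed DER structures with dummy keys, not real certificates."""
import hashlib

# --- minimal DER helpers: enough to build and walk what we need ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items):
    return der_tlv(0x30, b"".join(items))

def der_read_tlv(buf, pos):
    """Return (tag, content, end) for the single-byte-tag TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def der_children(content):
    """Split a SEQUENCE body into its top-level TLVs as (tag, raw bytes)."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = der_read_tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out

def extract_spki(cert_der):
    """Raw DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 4.1):
    TBSCertificate = [0] version?, serial, signature, issuer, validity,
    subject, subjectPublicKeyInfo, ..."""
    _, cert_body, _ = der_read_tlv(cert_der, 0)
    _, tbs_body, _ = der_read_tlv(cert_body, 0)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:          # optional EXPLICIT [0] version present
        fields = fields[1:]
    return fields[5][1]

def tlsa_data(cert_der, selector=1, mtype=1):
    """TLSA association data (RFC 6698 2.1): selector picks full cert (0)
    or SPKI (1); matching type picks exact (0), SHA-256 (1), SHA-512 (2)."""
    blob = extract_spki(cert_der) if selector == 1 else cert_der
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError("unknown matching type")

def tlsa_rr(owner, cert_der, usage=3, selector=1, mtype=1):
    """Presentation form, e.g. '_25._tcp.mx.example. IN TLSA 3 1 1 <hex>'."""
    data = tlsa_data(cert_der, selector, mtype).hex()
    return f"{owner} IN TLSA {usage} {selector} {mtype} {data}"

def dane_ee_matches(cert_der, records):
    """True if the presented leaf certificate matches any DANE-EE(3) record.
    Subject name and issuer are deliberately never consulted: that is why one
    shared MX certificate serves every hosted domain."""
    for usage, selector, mtype, data in records:
        if usage != 3:
            continue   # PKIX-TA/DANE-TA usages need chain validation, not shown
        if tlsa_data(cert_der, selector, mtype) == data:
            return True
    return False

RSA_OID = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
SIG_OID = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")

def constructed_cert(pubkey_bytes):
    """Constructed, unsigned certificate-shaped DER blob around a dummy key.
    Returns (cert_der, spki_der)."""
    spki = der_seq(der_seq(RSA_OID, der_tlv(0x05, b"")),
                   der_tlv(0x03, b"\x00" + pubkey_bytes))   # BIT STRING
    name = der_seq()                                         # empty Name
    validity = der_seq(der_tlv(0x17, b"140908000000Z"), der_tlv(0x17, b"240908000000Z"))
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")),   # [0] version v3
                  der_tlv(0x02, b"\x01"),                  # serialNumber
                  der_seq(SIG_OID), name, validity, name, spki)
    return der_seq(tbs, der_seq(SIG_OID), der_tlv(0x03, b"\x00" * 9)), spki

SHARED_CERT, SHARED_SPKI = constructed_cert(b"\x01\x02\x03\x04" * 8)
OTHER_CERT, _ = constructed_cert(b"\xff\xee\xdd\xcc" * 8)
# One "3 1 1" record per MX host, published under _25._tcp.<mx-host>
RECORDS = [(3, 1, 1, tlsa_data(SHARED_CERT, 1, 1))]

if __name__ == "__main__":
    print(tlsa_rr("_25._tcp.mail-relay1.domain1.", SHARED_CERT))
    print("shared cert matches:", dane_ee_matches(SHARED_CERT, RECORDS))
    print("other cert matches:", dane_ee_matches(OTHER_CERT, RECORDS))
```

With a real certificate one would pass its DER bytes to `tlsa_rr` and publish the result under `_25._tcp.<mx-host>` in a DNSSEC-signed zone; since the record is bound to the MX host's key rather than to any hosted domain's name, the shared MX hostnames in the thread need exactly one key pair, and a rotation is a matter of publishing the new "3 1 1" record ahead of the key change.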
