Dear Rob (I hope that is your name), Thank you for your views/suggestion. My replies are inline tagged with my name, as in [Nitin:]
On Sat, Feb 11, 2017 at 8:53 PM, /dev/rob0 <r...@gmx.co.uk> wrote: > On Sat, Feb 11, 2017 at 01:55:26PM +0530, Nitin N wrote: > > Now, I have to migrate to a new server that is running FreeBSD 11. > > I need to support 4 domains on this single server with each domain > > having its own Trusted CA certified SSL digital certificate. > > > > I can think of three ways to accomplish this and I am looking for > > some guidance based on your knowledge/experience with Postfix. > > > > Method 1] > > > > Use virtual domains on a single Postfix instance and override > > master.cf to take care of the individual SSL certificate for each > > domain using a separate IP in each case. Based on my research, I > > believe this could get complicated with Postscreen and other > > milters enabled. So I am not too keen on going this path. Correct > > me if I am wrong... > > Postscreen (which, BTW, is *not* a milter) and submission do not play > well together. If you must accept submission on port 25, do so with > a distinct IP address which isn't published as MX for any of your > domains, and only accept authenticated users there. > > If there's only one IP address and you cannot fix the problem of mail > users submitting mail on port 25, you're probably going to have to > disable postscreen. > > Certificates only matter on submission, and there only if your user > base is large and beyond your control, such as at an ISP or > university. Small-timers can just tell their users, "this is the TLS > certificate we're using, accept it." > [Nitin:] Yes I do understand Postscreen is not a milter. Method 4 what you suggested below is more or less what my current configuration looks like i.e. my Method 1. > > > Method 2] > > > > Use postmulti and create a separate instance for each domain. In > > this case, I am not sure how complex it might get if I want to > > create further instances for each domain to handle outgoing, > > incoming and null-client scenarios. > > Why would you want to do this? If you're seeking Perfect Headers, > why? Users mostly can't read nor understand headers. > [Nitin:] One reason why we would like to have Perfect Headers is that one of the domains is a B2C platform where many users can register. We want to reduce all possibilities (as much as we can) of our first email to these users from getting marked as Spam. So, we believe having a CA Trusted certificate might just add some more credibility in this scenario. Honestly, I am not sure if we are being paranoid here since you mention below that MTAs don't really verify if the certificate used by another MTA is in fact Trusted or not. > > > Method 3] > > > > Use FreeBSD jails for each domain and a common jail for all the > > spam/virus protection services and use a proxy + NAT on the main > > host. This could also help me use postmulti in each jail in case I > > need to have multiple instances based on functions. > > > > So based on your experience/expertise, which method would you > > recommend? > > [Nitin:] Seems like not many have tried Method 3]. I think it might be a good path to take from a scalability/security point of view, although Jails do add some additional overhead from a maintenance perspective. > Method 4: use a single IP address for mail, tell users what name it > is (no reason why that name has to be "in their domain"), tell them > what certificate they need to accept in their MUAs. Offer and accept > AUTH only on port 587; accept mail exchange only on port 25. > > Your question and stated 3 methods indicate you don't understand much > about the place of TLS in SMTP. Yes, a user sending mail through > your server needs to check (and to trust) your certificate, but > remote MTAs will usually not ask for it and do not care. > > > Further, do you think I can stop using Postgrey as I also have > > Postscreen enabled? > > With after-220 tests enabled, postscreen will easily block anything > postgrey might have blocked. Also, greylisting, ISTM, is mostly > defeated by spammers' current methods. It's typical for zombies to > go through their lists more than once. > > [Nitin:] Thanks, so that means it bye-bye Postgrey, thanks to Postscreen :) > > I look forward to your responses. > -- > http://rob0.nodns4.us/ > Offlist GMX mail is seen only if "/dev/rob0" is in the Subject: >
