On 20 Jul 2018, at 2:15 (-0400), dln wrote:

> The advice to use the MX record to 'redirect' email for client-domain.net to
> mail.server.com (for example) will work happily.

Indeed, as it has worked for decades.

> However (referring to the OP's use case), won't the client (say a
> Thunderbird user)

No, MUAs do not generally chase MX records. MX records exist to instruct MTAs on where to pass mail for non-local domains. MUAs use explicit names for MSAs, either by manual configuration or via automated config schemes like ACAP.

> be presented with the LE certificate for server.com and
> not one from his own "client-domain"?

This is not a problem. In the MTA-MTA case the sender has resolved a MX record to a name with an A record, which should be a valid subject name for the receiver's certificate. In the MUA-MSA case the client has an explicitly configured name which should be a valid subject name for the server's certificate OR should resolve to such a name via a CNAME record.

> Such an appearance may cause confusion/distrust?

I've been managing SSL/TLS-capable mail systems for as long as that has been possible, using multiple versions of multiple MTA/MSA packages with clients of all sorts and I have never seen a client complain about a valid MSA certificate whose names include the one that the client has been configured to use. I have never seen a sending MTA allow certificate name or trust chain issues to persistently impede delivery and only rarely to persistently force fallback to sending in the clear.

The reason these theoretical problems are not actual problems in the real world is that for many years the most common mode of using TLS for SMTP was with self-signed certificates (because that is in fact adequate without trustworthy DNS) and mail submission was commonly done over port 25 just like transport. Because of that history, interoperability concerns have kept most mail software from being strict about certificate validity by default.

> (and perhaps it should!)

Probably not in most cases for mail transport (i.e. governed by MX records) but it is already true that many client TLS implementations are not tolerant of some sorts of subject name mismatch for MSAs, which is as it should be.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steadier Work: https://linkedin.com/in/billcole

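The two name-selection paths Bill describes (MTA follows MX to a host name; MUA uses the name it was explicitly configured with, possibly a CNAME to the real server) can be made concrete. The following is an added example, not code from the thread or from any MTA/MSA package: it uses a constructed DNS table and constructed certificate subject names (all hypothetical) and shows which name each side ends up checking against the server certificate, with a strict mode that, like the stricter MSA clients mentioned at the end of the post, accepts only the configured name itself and not its CNAME target.

```python
"""Which name does each side check against the mail server's certificate?

Added example (not from the original post). Constructed DNS data and
constructed certificate SAN lists model the setup discussed in the thread:
client-domain.net has an MX pointing at mail.server.com, which presents a
certificate issued for server.com.
"""

# Constructed DNS zone data (hypothetical names, an assumption of this example).
DNS = {
    "client-domain.net": {"MX": [(10, "mail.server.com")]},
    "mail.server.com": {"A": ["192.0.2.25"]},
    "smtp.client-domain.net": {"CNAME": "mail.server.com"},
}

# Constructed SAN list of the certificate mail.server.com presents.
SERVER_SANS = ["server.com", "mail.server.com"]


def resolve_mx(domain):
    """MTA path: return MX target host names, best preference first.
    Without an MX record an MTA falls back to the domain's own A record."""
    records = DNS.get(domain, {}).get("MX")
    if not records:
        return [domain]
    return [host for _pref, host in sorted(records)]


def follow_cname(name, limit=8):
    """Follow a CNAME chain to its canonical name (bounded against loops)."""
    hops = 0
    while hops < limit and "CNAME" in DNS.get(name, {}):
        name = DNS[name]["CNAME"]
        hops += 1
    return name


def hostname_matches(name, san_names):
    """RFC 6125-style DNS-ID check: exact match, or a wildcard that covers
    exactly one leftmost label (so *.server.com matches mail.server.com but
    not a.b.server.com)."""
    name = name.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == name:
            return True
        if san.startswith("*."):
            suffix = san[1:]            # ".server.com"
            head = name[: -len(suffix)] if name.endswith(suffix) else ""
            if head and "." not in head:
                return True
    return False


def check_mta_delivery(recipient_domain, server_sans):
    """MTA-MTA: the sender resolved MX -> host; that host name should be a
    subject name of the receiving MTA's certificate. Returns the matching
    MX host, or None if no MX target is covered by the certificate."""
    for host in resolve_mx(recipient_domain):
        if hostname_matches(host, server_sans):
            return host
    return None


def check_msa_connection(configured_name, server_sans, strict=True):
    """MUA-MSA: the client has an explicitly configured server name.
    strict=True accepts only that name in the certificate (what stricter
    client TLS stacks do; the CNAME target is a DNS answer, not something
    the user typed). strict=False also accepts the CNAME target, as the
    post describes."""
    names = [configured_name]
    if not strict:
        names.append(follow_cname(configured_name))
    return any(hostname_matches(n, server_sans) for n in names)


if __name__ == "__main__":
    print("MTA delivery to client-domain.net checks:",
          check_mta_delivery("client-domain.net", SERVER_SANS))
    for cfg in ("mail.server.com", "smtp.client-domain.net"):
        print(f"MUA configured with {cfg}: strict={check_msa_connection(cfg, SERVER_SANS)}"
              f" lenient={check_msa_connection(cfg, SERVER_SANS, strict=False)}")
```

The MTA side never sees "client-domain.net" as a certificate name at all, which is why the MX redirect causes no mismatch. On the MUA side the outcome depends only on what the user configured: "mail.server.com" validates in both modes, while a CNAME such as "smtp.client-domain.net" validates only if the client is willing to trust the DNS answer, so the safe configuration advice is to give users the name that actually appears in the certificate.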