On Thu, Oct 29, 2020 at 05:50:53PM +0100, Bernardo Reino wrote:
> If I understand you correctly you have a number of virtual domains being
> handled by one single postfix instance, at your mail.server.ch, i.e.
> mail.server.ch is the MX for your "little" domains.
>
> In that case, you only need to have an SSL certificate for mail.server.ch, as
> this is the server other servers will talk to when sending mail.
Correct.
- The content of TLS certificates in SMTP is by default simply ignored.
  MX-to-MX STARTTLS is unauthenticated, protecting only against passive
  monitoring, not active MiTM attacks. Therefore, it mostly makes no
  difference what names you have in your certificate; it is just a key
  container.
- A small number of senders fail to implement unauthenticated opportunistic
  TLS correctly, and do insist on a matching name, falling back to
  cleartext (this is idiotic, cleartext is NOT safer than an unvalidated
  certificate) when the certificate fails to validate. These tend to
  expect to find the MX hostname in the certificate.
- If you have business partners with which you've made mutual
  arrangements to implement mandatory TLS between their domains and
  yours, the certificate should have in it whatever you've agreed
  with the business partners as what they can expect to find and
  validate. Here, Postfix, for example, when acting as the sending MTA,
  can support matching either the MX hostname or the nexthop domain
  (domain part of the recipient address) or just some explicit
  destination-specific name.
- With DANE TLS, and DANE-TA(2) TLSA records, the certificate must
  match the "TLSA base domain", which is almost always just the MX
  hostname. The only exception is when that hostname is a CNAME that
  ultimately resolves (DNSSEC-validated at every step) to a non-CNAME
  target name, with TLSA records published at _25._tcp.<target_name>.
  In that case the "TLSA base domain" is the target name of the CNAME
  alias chain.
- With MTA-STS (if you've provisioned that), the certificate must match
  the MX hostname.
So in most cases the certificate should have the MX hostname as one
of its DNS names, but there are other, less common, possibilities.
--
Viktor.
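An added illustration of the name rules listed in the mail above (example code, not from the mail or from Postfix): it derives the TLSA base domain from a CNAME chain and reports which expected names a certificate's DNS SANs fail to cover. The DNS table, the TLSA digest and the partner arrangement are constructed.

```python
# Added example, not from the original mail. Works offline over a constructed
# DNS table: owner name -> list of (rrtype, rdata, dnssec_validated).
DNS = {
    "mx.example.ch": [("CNAME", "mail.server.ch", True)],
    "mail.server.ch": [("A", "192.0.2.25", True)],
    "_25._tcp.mail.server.ch": [("TLSA", "2 1 1 PLACEHOLDER-DIGEST", True)],
}


def tlsa_base_domain(mx_host, dns):
    """The MX hostname, unless it is a CNAME whose chain is DNSSEC-validated
    at every step and whose final non-CNAME target publishes TLSA records at
    _25._tcp.<target>; then the target is the TLSA base domain."""
    name, seen = mx_host, set()
    while name not in seen:
        seen.add(name)
        cnames = [r for r in dns.get(name, []) if r[0] == "CNAME"]
        if not cnames:
            break
        if not cnames[0][2]:          # insecure hop: CNAME expansion unusable
            return mx_host
        name = cnames[0][1]
    else:
        return mx_host                # CNAME loop: stay with the MX hostname
    tlsa = dns.get(f"_25._tcp.{name}", [])
    return name if tlsa else mx_host


def expected_names(mx_host, dns, partner_names=()):
    """Names the certificate should carry: the MX hostname (strict opportunistic
    senders, MTA-STS), the DANE TLSA base domain, and whatever mandatory-TLS
    partners agreed to verify (MX hostname, nexthop domain or explicit name)."""
    names = {mx_host, tlsa_base_domain(mx_host, dns)}
    names.update(partner_names)
    return names


def san_covers(san, name):
    """Exact match, or a single leftmost-label wildcard such as *.server.ch."""
    san, name = san.lower().rstrip("."), name.lower().rstrip(".")
    if san == name:
        return True
    if san.startswith("*."):
        return "." in name and name.split(".", 1)[1] == san[2:]
    return False


def missing_names(cert_sans, mx_host, dns, partner_names=()):
    """Expected names not covered by any DNS SAN in the certificate."""
    expected = expected_names(mx_host, dns, partner_names)
    return sorted(n for n in expected
                  if not any(san_covers(s, n) for s in cert_sans))
```

With the table above, a certificate carrying only mail.server.ch satisfies DANE but not senders that insist on the MX hostname mx.example.ch; a partner that verifies the nexthop domain example.ch needs that name added as well.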