On Sun, Dec 11, 2022 at 04:20:25PM +0100, Matus UHLAR - fantomas wrote:
> On 10.12.22 16:48, Alex wrote:
> >I think I assumed there was a vulnerability, like there is with SSLv3, that
> >lead me to disable it.
At this point disabling SSLv3 is best-practice, there are no longer
sufficiently many servers that support only SSLv3 to warrant leaving the
additional potential "attack surface" enabled.
> >Can I also ask if it's a security risk from an information disclosure
> >perspective to have multiple domains on the same letsencrypt cert?
> >
> >Each postfix instance I have configured processes mail for a number of
> >different domains, so it's possible a user could ascertain info about those
> >other clients by querying the cert directly.
Yes, one could learn what other domains you support, but it is difficult
to hide public information through just obscurity:
http://viewdns.info/
Simplest and best to assign the *same* MX hostname to all the domains.
Just one name in the certificate is then sufficient, and there's no
"disclosure" via the certificate.
So whether you use one MX hostname or one per domain, a sufficiently
curious observer may still be able to discover the hosted domains.
--
Viktor.
