On 12/16/2015 09:06 AM, Michael Storz wrote:
On 2015-12-16 16:26, Alice Wonder wrote:
But with port 25, certificate authorities do not matter, so an admin
running the same smtp server on multiple hostnames can generate a new
self-signed cert at no cost every time they add a domain that reso
On 2015-12-16 16:26, Alice Wonder wrote:
But with port 25, certificate authorities do not matter, so an admin
running the same smtp server on multiple hostnames can generate a new
self-signed cert at no cost every time they add a domain that resolves
to that IP address.
Thus even with multipl
On 12/16/2015 02:03 AM, Michael Storz wrote:
On 2015-12-15 20:36, Viktor Dukhovni wrote:
On Mon, Dec 14, 2015 at 04:34:58PM +, Viktor Dukhovni wrote:
So, we've managed to hold off on offering SNI support for a decade
since TLS was integrated into Postfix 2.2. I just wanted to see
whet
On 2015-12-15 20:36, Viktor Dukhovni wrote:
On Mon, Dec 14, 2015 at 04:34:58PM +, Viktor Dukhovni wrote:
So, we've managed to hold off on offering SNI support for a decade
since TLS was integrated into Postfix 2.2. I just wanted to see
whether anyone still wanted it in Postfix, but perha
Viktor Dukhovni:
> On Mon, Dec 14, 2015 at 04:34:58PM +, Viktor Dukhovni wrote:
>
> > So, we've managed to hold off on offering SNI support for a decade
> > since TLS was integrated into Postfix 2.2. I just wanted to see
> > whether anyone still wanted it in Postfix, but perhaps if they
> > r
On 12/15/2015 11:34 AM, Michael Ströder wrote:
Yes. It's your choice.
With DNSSEC I don't have a choice at all. It's a single root key controlled by
the entity which was the cause for RFC 7258 (besides the horrible key management
practice out in the wild). And frankly I don't trust anybody
On Mon, Dec 14, 2015 at 04:34:58PM +, Viktor Dukhovni wrote:
> So, we've managed to hold off on offering SNI support for a decade
> since TLS was integrated into Postfix 2.2. I just wanted to see
> whether anyone still wanted it in Postfix, but perhaps if they
> really did they've moved on to
Alice Wonder wrote:
> On 12/15/2015 07:40 AM, Michael Storz wrote:
>> Sorry for not writing it explicitly. In the case I described, you use
>> the domain of the recipient address, because this is the only
>> information you can trust (and this domain must be included in the SAN).
>> Since you have
Wietse Venema wrote:
> Wietse:
>> This session has multiple recipients, in different domains that
>> have the same MX host. Whose SNI [domain] shall be used?
>
> Michael Storz:
> [Examples that do not use SNI]
>
> Nice try, but that did not answer the question.
>
>> On the other side: if you do
On 12/15/2015 07:40 AM, Michael Storz wrote:
Sorry for not writing it explicitly. In the case I described, you use
the domain of the recipient address, because this is the only
information you can trust (and this domain must be included in the SAN).
Since you have more than one recipient doma
On 2015-12-15 15:48, wie...@porcupine.org wrote:
Wietse:
This session has multiple recipients, in different domains that
have the same MX host. Whose SNI [domain] shall be used?
Michael Storz:
[Examples that do not use SNI]
Nice try, but that did not answer the question.
On the other side
On Tue, Dec 15, 2015 at 10:12:56AM +0100, Michael Ströder wrote:
> SNI is a prerequisite for implementing something like [1] if a host is MX for
> more than one recipient domain.
>
> [1] https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs
I'll likely end up a coauthor on that draft one d
Wietse:
> This session has multiple recipients, in different domains that
> have the same MX host. Whose SNI [domain] shall be used?
Michael Storz:
[Examples that do not use SNI]
Nice try, but that did not answer the question.
> On the other side: if you do not want to use SNI
I have no problem
On 2015-12-11 20:33, Viktor Dukhovni wrote:
On Fri, Dec 11, 2015 at 11:50:40AM -0600, Brian Sebby wrote:
other.mail.server:smtp inet n - n - 0 smtpd
-o myhostname=other.mail.server
-o smtp_tls_cert_file=/path/to/certfile.pem
-o smtpd_t
On 2015-12-15 12:22, wie...@porcupine.org wrote:
Michael Ströder:
Sebastian Nielsen wrote:
> Yes.
> It's just a draft.
Everything starts with a draft.
> Which certificate should the server use for the encrypted transaction, even if
> we use SNI?
> emailservice1.com or emailservice2.com?
The
Michael Ströder:
> Sebastian Nielsen wrote:
> > Yes.
> > It's just a draft.
>
> Everything starts with a draft.
>
> > Which certificate should the server use for the encrypted transaction, even
> > if
> > we use SNI?
> > emailservice1.com or emailservice2.com?
>
> The recipient domain would be u
esday, December 15, 2015 10:51 AM
> To: Sebastian Nielsen ; postfix-users@postfix.org
> Subject: Re: postfix and multiple TLS certificates (SNI support?) [Signed]
>
> Sebastian Nielsen wrote:
>> The certificate is normally validated against the MX name, not recipient
>> dom
. To protect against modified MX data,
DNSSEC has to be used instead.
-Original message-
From: Michael Ströder
Sent: Tuesday, December 15, 2015 10:51 AM
To: Sebastian Nielsen ; postfix-users@postfix.org
Subject: Re: postfix and multiple TLS certificates (SNI support?) [Signed]
Sebastian Nielsen wrote:
> The certificate is normally validated against the MX name, not recipient
> domain.
Did you read the referenced I-D before replying?
https://tools.ietf.org/html/draft-friedl-uta-smtp-mta-certs-00#section-4.1.4.1
Ciao, Michael.
> "Michael Ströder" wrote: (15 December
The certificate is normally validated against the MX name, not recipient domain.
Example:
emailservice1.com MX smtp1.example.org
emailservice2.com MX smtp1.example.org
Certificate is issued to smtp1.example.org
Also even if you use SNI, imagine you send a mail to a user at emailservice1
AND als
Viktor Dukhovni wrote:
> So, we've managed to hold off on offering SNI support for a decade
> since TLS was integrated into Postfix 2.2. I just wanted to see
> whether anyone still wanted it in Postfix, but perhaps if they
> really did they've moved on to other solutions.
SNI is a prerequisite fo
On Sun, 13 Dec 2015, Alice Wonder wrote:
A big negative to Thunderbird autoconfig - it looks for http before https
resulting in MITM vulnerability.
They say it is because hosting companies like godaddy don't want to have a
TLS cert for every e-mail domain.
I agree with both :-)
They should
Wietse Venema:
> Quanah Gibson-Mount:
> > --On Monday, December 14, 2015 12:07 PM -0500 Wietse Venema
> > wrote:
> >
> > > Viktor Dukhovni:
> > >> So, we've managed to hold off on offering SNI support for a decade
> > >> since TLS was integrated into Postfix 2.2. I just wanted to see
> > >> whe
--On Monday, December 14, 2015 6:03 PM + Viktor Dukhovni
wrote:
On Mon, Dec 14, 2015 at 09:36:33AM -0800, Quanah Gibson-Mount wrote:
Given nginx's complete disregard for RFCs (*) and unwillingness to
examine or fix issues related to the email proxy portion of their
product (IMAP, POP, S
Quanah Gibson-Mount:
> --On Monday, December 14, 2015 12:07 PM -0500 Wietse Venema
> wrote:
>
> > Viktor Dukhovni:
> >> So, we've managed to hold off on offering SNI support for a decade
> >> since TLS was integrated into Postfix 2.2. I just wanted to see
> >> whether anyone still wanted it in
On Mon, Dec 14, 2015 at 09:36:33AM -0800, Quanah Gibson-Mount wrote:
> Given nginx's complete disregard for RFCs (*) and unwillingness to examine
> or fix issues related to the email proxy portion of their product (IMAP,
> POP, SMTP), I'd definitely avoid it. I.e., I would not recommend nginx as
--On Monday, December 14, 2015 12:07 PM -0500 Wietse Venema
wrote:
Viktor Dukhovni:
So, we've managed to hold off on offering SNI support for a decade
since TLS was integrated into Postfix 2.2. I just wanted to see
whether anyone still wanted it in Postfix, but perhaps if they
really did the
Viktor Dukhovni:
> So, we've managed to hold off on offering SNI support for a decade
> since TLS was integrated into Postfix 2.2. I just wanted to see
> whether anyone still wanted it in Postfix, but perhaps if they
> really did they've moved on to other solutions.
Would haproxy/nginx be an opti
On Mon, Dec 14, 2015 at 06:37:59AM -0500, Wietse Venema wrote:
> > Thanks for the moral support. I agree that SNI is not particularly
> > compelling for port 25. The strongest arguments for SNI that
> > I've seen are for port 587 submission, where there's no MX indirection,
> > users' MUAs have
Viktor Dukhovni:
> Thanks for the moral support. I agree that SNI is not particularly
> compelling for port 25. The strongest arguments for SNI that
> I've seen are for port 587 submission, where there's no MX indirection,
> users' MUAs have statically configured SMTP servers.
And those cli
On 12/13/2015 11:55 AM, Dirk Stöcker wrote:
On Sat, 12 Dec 2015, Viktor Dukhovni wrote:
And SMTP has the big advantage, that you can define the name of the host in
MX, so the name of the mail server can be independent from the domain of the
email address.
Simply wait a bit longer and maybe t
On Sat, 12 Dec 2015, Viktor Dukhovni wrote:
And SMTP has the big advantage, that you can define the name of the host in
MX, so the name of the mail server can be independent from the domain of the
email address.
Simply wait a bit longer and maybe that issue solves itself :-)
Thanks for the mo
Dirk Stöcker wrote on 12/12/2015 13:26:
And SMTP has the big advantage, that you can define the name of the host in MX,
so the name of the mail server can be independent from the domain of the email
address.
I use this method.
Just one cert to manage/renew and no exotic configuration. KISS pr
On Sat, Dec 12, 2015 at 06:42:03AM -0800, Alice Wonder wrote:
> I do not want SNI to die but IMHO SNI is not for mail servers.
On Sat, Dec 12, 2015 at 01:26:06PM +0100, Dirk Stöcker wrote:
> And SMTP has the big advantage, that you can define the name of the host in
> MX, so the name of the mail
On 12/12/2015 04:26 AM, Dirk Stöcker wrote:
On Fri, 11 Dec 2015, Viktor Dukhovni wrote:
Over the years there have from time to time been requests for
server-side SNI support in Postfix, but most users have found
workable alternatives, such as above.
A key reason that SNI support is not there
On Fri, 11 Dec 2015, Viktor Dukhovni wrote:
Over the years there have from time to time been requests for
server-side SNI support in Postfix, but most users have found
workable alternatives, such as above.
A key reason that SNI support is not there yet, is that we like to
do things right(TM) in
On Fri, Dec 11, 2015 at 11:50:40AM -0600, Brian Sebby wrote:
> other.mail.server:smtp inet n - n - 0 smtpd
> -o myhostname=other.mail.server
> -o smtp_tls_cert_file=/path/to/certfile.pem
> -o smtpd_tls_cert_file=/path/to/certfile.pem
>
This is what I do on a mail server that I set up to consolidate the functions
of several previous postfix servers.
In main.cf, I have it set up to listen on the primary IP address for the
server, and tell it to use the certificates for that primary hostname using
smtp_tls_cert_file, smtpd_tls_c
Hi,
I think it's possible based on master.cf: you could set a specific domain for
smtp or submission and set a specific TLS certificate in that process,
like we use for EHLO on a different IP and EHLO for a specific domain, but you
need to test it.
José Roberto  E-mail: zep...@outlook.com
Hi,
thanks for your feedback. I just solved my issue.
I will simply generate a normal key and CSR with the openssl command. My local
certificate authority will provide me a certificate which will be signed with the
list of domains specified by me. Then we can have a single certificate which
will be able to enc
On 11.12.2015 09:11, Zalezny Niezalezny wrote:
> is it possible to configure in Postfix multiple TLS certificates.
AFAIK, you can configure each smtp and smtpd instance with a certificate
of its own, so you could, for instance, have several smtpds listening on
different IP addresses, each with an