On 11/08/2014 04:29 AM, Viktor Dukhovni wrote:
> In Postfix side, we'd probably need a key + chain database to
> support SNI, I don't think it is wise to expose keypairs to
> post-chroot privilege-reduced SMTP servers, or to have tlsmgr(8)
> proxy access to keypairs for such servers.
You've consid
On Sat, Nov 08, 2014 at 12:05:05PM +1300, Peter wrote:
> On 11/08/2014 04:29 AM, Viktor Dukhovni wrote:
> > In Postfix side, we'd probably need a key + chain database to
> > support SNI, I don't think it is wise to expose keypairs to
> > post-chroot privilege-reduced SMTP servers, or to have tlsmg
On 11/08/2014 12:16 PM, Viktor Dukhovni wrote:
>> One thing to consider here is that a user might have the same chain
>> (with the exception of the final cert) for most, or all of his certs.
>> As an example, say I get rapidssl certs for all 10 of my domains. The
>> current rapidssl chain is four
li...@rhsoft.net wrote:
> On 07.11.2014 at 19:19, Michael Ströder wrote:
>> So ask yourself:
>> If everybody uses the same sort of crappy registration interfaces for their
>> DNS entries while simply auto-signing DNS zone entries. Is there a real
>> chance
>> to achieve the goal?
>
> does everyb
On Fri, Nov 07, 2014 at 07:03:06PM +0100, li...@rhsoft.net wrote:
> >And personally I strongly dislike the DNSSEC auto-signing people usually
> >implement in their DNS servers
>
> how else do you imagine to maintain ...
I chose strategic silence in response to that question (which leads
us furth
l
summary: you argue completely weird
"TLS SNI support" was your subject
if you now say "boah autosigning and DANE is problem" that has *nothing*
to do with the topic and if then that even your "TLS SNI" would be
worthless without dnssec - see line 1 of my response
On 07.11.2014 at 19:19, Michael Ströder wrote:
li...@rhsoft.net wrote:
On 07.11.2014 at 18:22, Michael Ströder wrote:
Viktor Dukhovni wrote:
The rationale for the DANE work is in:
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-13#section-1.3
I've already read/analyzed a
li...@rhsoft.net wrote:
> On 07.11.2014 at 18:22, Michael Ströder wrote:
>> Viktor Dukhovni wrote:
>>> The rationale for the DANE work is in:
>>>
>>>
>>> http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-13#section-1.3
>>
>> I've already read/analyzed all DANE related RFCs and almost
On 07.11.2014 at 18:22, Michael Ströder wrote:
Viktor Dukhovni wrote:
The rationale for the DANE work is in:
http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-13#section-1.3
I've already read/analyzed all DANE related RFCs and almost all drafts in
detail. Also some IETF presen
Viktor Dukhovni wrote:
> The rationale for the DANE work is in:
>
> http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-13#section-1.3
I've already read/analyzed all DANE related RFCs and almost all drafts in
detail. Also some IETF presentation slides.
As already mentioned on the IETF
On Fri, Nov 07, 2014 at 05:55:08PM +0100, Michael Ströder wrote:
> > For the latter see the DANE draft.
>
> Of course you personally prefer DANE. That's understandable given all the high
> quality work you put into the I-Ds and implementation.
Cause and effect reversal. I put all the hard work in,
Viktor Dukhovni wrote:
> On Fri, Nov 07, 2014 at 09:36:12AM +0100, Michael Ströder wrote:
>
>> li...@rhsoft.net wrote:
>>> until now nobody was able to tell me any benefit of multiple server names
>>> for a mailserver instead of 1 hostname, 1 certificate and 1 PTR matching
>>> the A-record
>>>
On Fri, Nov 07, 2014 at 06:33:45PM +0200, Sven Köhler wrote:
> Don't make this about MTA to MTA communication. I did not and will not
> ask for SNI on Port 25. I am asking, however, for SNI on Port 587
> (submission).
Yes, that use-case is legitimate. It is not yet supported,
work-arounds includ
li...@rhsoft.net wrote:
>
> On 07.11.2014 at 09:36, Michael Ströder wrote:
>> li...@rhsoft.net wrote:
>>> until now nobody was able to tell me any benefit of multiple server names
>>> for a mailserver instead of 1 hostname, 1 certificate and 1 PTR matching
>>> the A-record and HELO name wi
On 07.11.2014 at 03:50, Viktor Dukhovni wrote:
> On Thu, Nov 06, 2014 at 08:37:14PM -0500, Wietse Venema wrote:
>
>> Postfix gets the client-specified servername with SSL_get_servername(),
>> and then it uses the SSL_CTX for that servername.
>
> I think SNI-based virtual hosting stinks, and I'd
On Fri, Nov 07, 2014 at 10:48:47AM -0500, Wietse Venema wrote:
> Example: merging existing submission servers mail.example.com and
> mail.example.net. Why require that the administrator acquire a new
> combined certificate? Why require that the administrator acquire
> multiple IP addresses? Why re
DTNX Postmaster:
> On 07 Nov 2014, at 16:06, Wietse Venema wrote:
>
> > If real people have a need for SNI, what right do we have to tell
> > them to fuck off because they live in an imperfect world?
> >
> > Wietse
>
> Wouldn't it be prudent for that need to be demonstrated, though?
>
> So
On Fri, Nov 07, 2014 at 10:06:21AM -0500, Wietse Venema wrote:
> If real people have a need for SNI, what right do we have to tell
> them to fuck off because they live in an imperfect world?
The server-side SNI support in OpenSSL is currently a mess, it
muddles along, but enabling SNI leads to so
On 07 Nov 2014, at 16:06, Wietse Venema wrote:
> If real people have a need for SNI, what right do we have to tell
> them to fuck off because they live in an imperfect world?
>
> Wietse
Wouldn't it be prudent for that need to be demonstrated, though?
So far, every time this comes up for
Viktor Dukhovni:
> On Fri, Nov 07, 2014 at 09:36:12AM +0100, Michael Ströder wrote:
>
> > li...@rhsoft.net wrote:
> > > until now nobody was able to tell me any benefit of multiple server names
> > > for a mailserver instead of 1 hostname, 1 certificate and 1 PTR matching
> > > the A-record
>
On Fri, Nov 07, 2014 at 09:36:12AM +0100, Michael Ströder wrote:
> li...@rhsoft.net wrote:
> > until now nobody was able to tell me any benefit of multiple server names
> > for a mailserver instead of 1 hostname, 1 certificate and 1 PTR matching
> > the A-record and HELO name with 100, 200,
On Fri, Nov 07, 2014 at 09:49:33AM +0100, lst_ho...@kwsoft.de wrote:
> >Ciao, Michael.
>
> http://www.postfix.org/TLS_README.html#client_tls_dane
>
> Doesn't need SNI either...
Does not *need* it in most designs, because hosting can and should
use DANE-EE(3) TLSA RRs which skip certificate name
On 07.11.2014 at 10:03, Michael Ströder wrote:
lst_ho...@kwsoft.de wrote:
Quoting Michael Ströder:
Peter wrote:
It's pointless for MX hosts because they don't validate the certificate
anyways.
Which has to be changed.
http://www.postfix.org/TLS_README.html#client_tls_dane
But it nee
lst_ho...@kwsoft.de wrote:
> Quoting Michael Ströder:
>
> > Peter wrote:
> >> It's pointless for MX hosts because they don't validate the certificate
> >> anyways.
> >
> > Which has to be changed.
>
> http://www.postfix.org/TLS_README.html#client_tls_dane
But it needs securely operated DNSSEC.
Quoting li...@rhsoft.net:
On 07.11.2014 at 09:35, Michael Ströder wrote:
Peter wrote:
It's pointless for MX hosts because they don't validate the certificate
anyways.
Which has to be changed
Google: DANE and Viktor's recent response in that thread
don't require SNI
my god the reason f
Quoting Michael Ströder:
Peter wrote:
It's pointless for MX hosts because they don't validate the certificate
anyways.
Which has to be changed.
Ciao, Michael.
http://www.postfix.org/TLS_README.html#client_tls_dane
Doesn't need SNI either...
Regards
Andreas
On 07.11.2014 at 09:35, Michael Ströder wrote:
Peter wrote:
It's pointless for MX hosts because they don't validate the certificate
anyways.
Which has to be changed
Google: DANE and Viktor's recent response in that thread
don't require SNI
my god the reason for SNI is that with pure TLS t
On 07.11.2014 at 09:36, Michael Ströder wrote:
li...@rhsoft.net wrote:
until now nobody was able to tell me any benefit of multiple server names for
a mailserver instead of 1 hostname, 1 certificate and 1 PTR matching the A-record
and HELO name with 100, 200, 300, 500 MX records in different doma
li...@rhsoft.net wrote:
> until now nobody was able to tell me any benefit of multiple server names for
> a mailserver instead of 1 hostname, 1 certificate and 1 PTR matching the A-record
> and HELO name with 100, 200, 300, 500 MX records in different domains pointing
> there
https://tools.ietf.org/h
Peter wrote:
> It's pointless for MX hosts because they don't validate the certificate
> anyways.
Which has to be changed.
Ciao, Michael.
On Fri, Nov 07, 2014 at 07:58:03AM +0100, DTNX Postmaster wrote:
> Anyway, do you have an example of a legitimate need for SNI, one that
> cannot be addressed by using a multi-domain certificate, adding extra
> IP addresses and splitting it that way, or using Victor's port example?
I think the
On 07 Nov 2014, at 07:28, Peter wrote:
>> and it is smart do it that way
>>
>> other than for webservers you have not different contents for different
>> hostnames but mandatory user authentication - so why waste time and
>> money dealing with different hostnames and certificates?
>
> I underst
On 07.11.2014 at 07:44, li...@rhsoft.net wrote:
On 07.11.2014 at 07:28, Peter wrote:
On 11/07/2014 07:11 PM, li...@rhsoft.net wrote:
and it is smart to do it that way
other than for webservers you have not different contents for different
hostnames but mandatory user authentication - so why wa
On 07.11.2014 at 07:28, Peter wrote:
On 11/07/2014 07:11 PM, li...@rhsoft.net wrote:
and it is smart to do it that way
other than for webservers you have not different contents for different
hostnames but mandatory user authentication - so why waste time and
money dealing with different hostname
On 11/07/2014 07:11 PM, li...@rhsoft.net wrote:
> and it is smart to do it that way
>
> other than for webservers you have not different contents for different
> hostnames but mandatory user authentication - so why waste time and
> money dealing with different hostnames and certificates?
I understan
On 07 Nov 2014, at 01:13, Sven Köhler wrote:
> On 07.11.2014 at 01:54, Viktor Dukhovni wrote:
>> There are at present no plans for server-side SNI support in Postfix.
>
> It's disappointing to hear that.
>
>> OpenSSL does not even implement server-side SNI completely correctly
>> as yet.
>
>
On 07.11.2014 at 02:52, Peter wrote:
On 11/07/2014 11:35 AM, Sven Köhler wrote:
I don't have the option to buy one IP per hostname that I want to
support. As we all know, IPv4 addresses are expensive as they are not
many of them left.
The current best practice method in dealing with this is
On 07 Nov 2014, at 04:02, Peter wrote:
>> Mind you, hosting of submission servers across organizational
>> boundaries, typically means rather unnatural sharing of private
>> keys, while hosting within a single organization, is perhaps poor
>> planning, since a single MSA hostname could have been
On 11/07/2014 02:50 PM, Viktor Dukhovni wrote:
> I think SNI-based virtual hosting stinks, and I'd hate to encourage
> its use. Particularly for MX hosts it is FAR more sensible to just
> use a fixed MX hostname for multiple domains.
It's pointless for MX hosts because they don't validate the cer
On 11/07/2014 11:35 AM, Sven Köhler wrote:
> I don't have the option to buy one IP per hostname that I want to
> support. As we all know, IPv4 addresses are expensive as they are not
> many of them left.
The current best practice method in dealing with this is you just
have one hostname for sub
On Fri, Nov 07, 2014 at 02:13:17AM +0200, Sven Köhler wrote:
> Just out of interest: do you know a link that explains the details of
> how OpenSSL is broken?
>
> I'm running Apache with mod_ssl and SNI seems to work fine.
The problems are somewhat subtle, and may not be seen in simpler
cases. H
On Thu, Nov 06, 2014 at 08:37:14PM -0500, Wietse Venema wrote:
> Postfix gets the client-specified servername with SSL_get_servername(),
> and then it uses the SSL_CTX for that servername.
I think SNI-based virtual hosting stinks, and I'd hate to encourage
its use. Particularly for MX hosts it i
Peter:
> On 11/07/2014 01:28 PM, Wietse Venema wrote:
> > What stops us from implementing SNI? Looking at some on-line
> > posts, this involves one SSL_CTX per certificate and one call-back
> > that looks up the desired server name with SSL_get_servername()
> > and that sets the corresponding contex
On 11/07/2014 01:28 PM, Wietse Venema wrote:
> What stops us from implementing SNI? Looking at some on-line
> posts, this involves one SSL_CTX per certificate and one call-back
> that looks up the desired server name with SSL_get_servername()
> and that sets the corresponding context with SSL_set_SS
Viktor Dukhovni:
> There are at present no plans for server-side SNI support in Postfix.
> OpenSSL does not even implement server-side SNI completely correctly
> as yet.
What stops us from implementing SNI? Looking at some on-line
posts, this involves one SSL_CTX per certificate and one call-back
t
On 07.11.2014 at 01:54, Viktor Dukhovni wrote:
> There are at present no plans for server-side SNI support in Postfix.
It's disappointing to hear that.
> OpenSSL does not even implement server-side SNI completely correctly
> as yet.
Just out of interest: do you know a link that explains the det
On Fri, Nov 07, 2014 at 12:35:01AM +0200, Sven Köhler wrote:
> I'd like to use Thunderbird (which seems to support SNI) together with
> Postfix on port 587 (submission only) and I'd like Postfix to choose
> from several (below 10) certificates based on the indicated server name.
>
> I don't have
On 06 Nov 2014, at 23:35, Sven Köhler wrote:
> Hi,
>
> does PostFix support TLS SNI (server name indication) now? I have found
> some discussion, mostly saying that it might be implemented, but there
> were several issues:
>
> 1) Mail clients don't seem to support it.
> 2) Other MTAs don't see
Hi,
does PostFix support TLS SNI (server name indication) now? I have found
some discussion, mostly saying that it might be implemented, but there
were several issues:
1) Mail clients don't seem to support it.
2) Other MTAs don't seem to support it.
3) There are no standards concerning SNI for M
On Mon, May 07, 2012 at 06:52:44AM -0700, Fiona Hines wrote:
> I understand now what you are referring to but you were assuming
> that I was using STARTTLS, which was my mistake for not mentioning
> it. I'm not using STARTTLS. The connection is encrypted from the
> beginning of the transaction.
On 07.05.2012 16:17, Bernhard Schmidt wrote:
> It is in use, but not very broadly. I don't have that many users on this
> postfix instance, maybe someone with some more traffic can run a statistic.
Oops, I have to exclude our monitoring connection, then almost all MUAs
send SNI. The only remain
On 07.05.2012 12:52, Wietse Venema wrote:
> Fiona Hines:
>> How do I get TLS SNI support in Postfix? I can't find any
>> documentation on the subject except a few discussions that are
>> several years old. I've got TLS working with one domain but I
>> want
On May 7, 2012, at 15:52, Fiona Hines wrote:
> I understand now what you are referring to but you were assuming that I was
> using STARTTLS, which was my mistake for not mentioning it. I'm not using
> STARTTLS. The connection is encrypted from the beginning of the transaction.
> STARTTLS was
Fiona Hines:
> I understand now what you are referring to but you were assuming
> that I was using STARTTLS, which was my mistake for not mentioning
> it. I'm not using STARTTLS. The connection is encrypted from the
> beginning of the transaction.
Let's do one step back.
Web clients/servers i
cause SNI didn't
exist. SNI still isn't perfect but it allows for the encryption of the
connection to take place sooner for a variety of domains.
- Fiona
From: Peter
To: postfix-users@postfix.org
Sent: Monday, May 7, 2012 12:02 AM
Subject: Re:
it too if, for no other reason, for completeness. Mail clients tend to follow
servers, not the other way around.
- Fiona
From: Viktor Dukhovni
To: postfix-users@postfix.org
Sent: Monday, May 7, 2012 12:05 AM
Subject: Re: TLS SNI support?
On Sun, May 0
Fiona Hines:
> How do I get TLS SNI support in Postfix? I can't find any
> documentation on the subject except a few discussions that are
> several years old. I've got TLS working with one domain but I
> want to expand it to an unknown number of domains and I don'
On Sun, May 06, 2012 at 11:46:45PM -0700, Fiona Hines wrote:
> That won't work for me. SNI support is the only solution for my
> scenario since I can't use just one SSL certificate. I haven't used
> Google Apps to know what you are talking about.
Postfix has no SNI support. Effort >> benefit.
W
On 07/05/12 18:46, Fiona Hines wrote:
> That won't work for me. SNI support is the only solution for my
> scenario since I can't use just one SSL certificate. I haven't used
> Google Apps to know what you are talking about.
I used google apps as an example of a provider that services what
probabl
Sent: Sunday, May 6, 2012 8:14 PM
Subject: Re: TLS SNI support?
On 07/05/12 14:21, Fiona Hines wrote:
> How do I get TLS SNI support in Postfix? I can't find any documentation
> on the subject except a few discussions that are several years old.
> I've got TLS working with o
On 07/05/12 14:21, Fiona Hines wrote:
> How do I get TLS SNI support in Postfix? I can't find any documentation
> on the subject except a few discussions that are several years old.
> I've got TLS working with one domain but I want to expand it to an
> unknown number of do
How do I get TLS SNI support in Postfix? I can't find any documentation on the
subject except a few discussions that are several years old. I've got TLS
working with one domain but I want to expand it to an unknown number of domains
and I don't care if the mail client lacks