
As we're aware postfix doesn't support SNI (Server Name Indication), which means that if you'd define a certificate, it will be used for all domain names that you have on that server, which could be bad for people not willing to pay big bucks to purchase fancy certificates. Postfix states on their website that they have no plans to implement SNI.

I have my mail server configured with Dovecot and Postfix. I would like to replace postfix with something that supports SNI and is compatible with Dovecot (or at least accepts the same username/password database scheme from Dovecot).

Could you please tell me what alternatives to postfix exist that fulfill these conditions (preferably open source)?

HopelessN00b
The Quantum Physicist
  • Can you explain the scenario where a single certificate for a single name would not suffice in the context of smtps? I think that scenario is unclear at best and I would assume this is the reason why it's not supported. – Håkan Lindqvist Nov 27 '14 at 20:50
  • Hi, why do you need SNI support for your smtpd? The only thing that needs to match for ssl verification is the CN on the ssl cert matches the banner hostname. SSL certificates are so ridiculously cheap nowadays (<50 USD/year) I find your argument hard to accept. – Andrew Domaszek Nov 27 '14 at 20:51
  • Further, your reverse DNS ptr must match your banner hostname for many mail services to not reject you outright as a spammer. – Andrew Domaszek Nov 27 '14 at 21:06
  • @HåkanLindqvist Thank you for your response. A single certificate for a single name (domain) is fine. But I have a server that runs multiple domains. – The Quantum Physicist Nov 27 '14 at 21:20
  • @AndrewDomaszek Thank you for your response. I need my smtp connection to be encrypted for security, but I don't want e-mail clients to complain about certificates. – The Quantum Physicist Nov 27 '14 at 21:21
  • @TheQuantumPhysicist But for smtp w/ TLS the certificate would be for the *mail server name*, not all domain names that the mail server deals with. – Håkan Lindqvist Nov 27 '14 at 21:21
  • @HåkanLindqvist Maybe it's my ignorance that's making me look for a strange solution to someone well-informed like you. Let me try to explain the situation: I have a mail server, which can be reached with two domains mail.mydomain.com and mail.mydomain2.com. How do I secure those connections without having certificates problems? Please explain. – The Quantum Physicist Nov 27 '14 at 22:01
  • @TheQuantumPhysicist http://serverfault.com/questions/389413/what-host-name-should-the-ssl-certificate-for-an-smtp-server-contain seems to cover this subject – Håkan Lindqvist Nov 27 '14 at 22:04
  • @HåkanLindqvist Lemme try to understand the situation after reading your comments and reading the article in the link there. When you say the *mail server name*, you mean the mx record of the domain. So if I go to Thunderbird and write that I want my smtp server to be mail.myweb.com:25, it will completely ignore this information for the certificate, and will only use the myweb.com's mx record and confirm the certificate with that. Is that right? – The Quantum Physicist Nov 28 '14 at 16:24

1 Answer


If you already know all the FQDNs you are going to need, buy a SAN certificate.

If you need to be flexible with your certificates you can try to set up an nginx smtp proxy. I looked at the documentation and from the looks it should support SNI but it's not going to be an easy setup I think: http://nginx.org/en/docs/mail/ngx_mail_ssl_module.html

1st update:
Two links that might help you:
http://citrin.ru/nginx:ngx_mail_core_module
http://wiki.nginx.org/MailCoreModule

2nd update:
As of 2016 you can easily get SAN certificates from the Let's Encrypt Project for free.

I strongly suggest you get yourself a SAN certificate and include all the FQDNs you need for your service in that one certificate. Currently you can include as many as 100 subject alternative names per certificate.

r_3
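An added check (example code, not from the question or the answer above) for the mismatch both discuss: a client configured with mail.mydomain2.com verifies that name against the certificate the MTA presents, so one certificate's SAN list has to cover every hostname clients use. The hostnames are constructed; `fetch_smtp_san` is the only part that needs network access and is not called by default.

```python
# Added example: does one certificate's SAN list cover every hostname that
# mail clients are configured with (mail.mydomain.com, mail.mydomain2.com, ...)?
# All hostnames below are constructed sample values.
import smtplib
import ssl

LETSENCRYPT_SAN_LIMIT = 100  # per-certificate limit quoted in the answer


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, a wildcard is only
    allowed as the whole left-most label and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # "*.mydomain.com" -> ".mydomain.com"
    head, sep, rest = hostname.partition(".")  # exactly one label may replace "*"
    return bool(head) and sep == "." and "." + rest == suffix


def missing_names(san_names, required_hosts):
    """Return the required hostnames that no SAN entry covers (client complaints)."""
    return [h for h in required_hosts
            if not any(name_matches(p, h) for p in san_names)]


def plan_san_certificate(required_hosts):
    """Deduplicated, normalised SAN list for the single certificate the answer
    recommends, enforcing the 100-name limit it mentions."""
    names = sorted({h.lower().rstrip(".") for h in required_hosts})
    if len(names) > LETSENCRYPT_SAN_LIMIT:
        raise ValueError(f"{len(names)} names exceed {LETSENCRYPT_SAN_LIMIT} per certificate")
    return names


def fetch_smtp_san(host: str, port: int = 25):
    """Live probe (needs network): STARTTLS to the MTA exactly as a mail client
    would, with verification on, and return the DNS names the server presents.
    A certificate that does not match `host` raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    installed = ["mail.mydomain.com", "*.mydomain.com"]   # constructed current SAN list
    wanted = ["mail.mydomain.com", "mail.mydomain2.com", "smtp.mydomain.com"]
    print("not covered:", missing_names(installed, wanted))   # ['mail.mydomain2.com']
    print("request one certificate for:", plan_san_certificate(wanted))
```

To inspect a real server, call `fetch_smtp_san("mail.mydomain.com")` and pass its result as `installed`.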
  • nginx is a good idea but it's not for free, is it? – The Quantum Physicist Nov 28 '14 at 16:02
  • nginx is free, see: http://nginx.org/LICENSE – r_3 Nov 28 '14 at 17:17
  • What exactly is the purpose of your endeavour? Do you need multiple FQDNs for your clients to be able to connect securely to different hostnames or for the smtpd delivering it? – r_3 Dec 01 '14 at 15:54
  • Yes! I have multiple domains and I want my clients not to hear certificate complaints when sending e-mails. – The Quantum Physicist Dec 02 '14 at 19:19
  • Do your clients really need to use their domain when delivering mail to the MTA? To my knowledge there is no reason why not to buy one cheap certificate for a FQDN unrelated to any of your customers. For delivery the RFCs state that **any** certificate should be accepted because even the lack of STARTTLS should not cause your mail to bounce. So the only reason that remains is your customers really wanting to use their domain in the settings of their client. Something once set up, never shows up again. – r_3 Dec 02 '14 at 22:47
  • Yes, my clients need to use their domain. I'm avoiding purchasing certificates because I'm looking for the most economical solution right now. I still will try nginx and see if it helps, but I'm swamped with stuff to do right now and I had a time window for doing this when I wrote the post. – The Quantum Physicist Dec 03 '14 at 08:38
  • Hi there again. Could you please assist me in configuring nginx as a mail smtp reverse proxy? I've been working on this for days and there are things I don't understand that are not explained in any tutorial. Thanks. – The Quantum Physicist May 08 '16 at 20:01
  • I've updated the answer. – r_3 May 10 '16 at 17:35