5

I am trying to host two separate domains on one IP address. I want to be able to determine from the STARTTLS command which certificate was being requested and forward to a different mail server based on the domain.

This doesn't seem to be possible from the RFCs, but is there any other way something like this can be achieved on the single IP address?

  • 1
    this also would not work because of how smtp is designed, the client does not request a 'host' but instead introduces itself, the server responds with options after ehlo phase. – Jacob Evans Jun 16 '17 at 22:22
  • I had a look at the RFC and I noticed that the response to the EHLO contains the domain. But it doesn't say that that domain is the only domain that the address is used for. The only way that I could do this was to force STARTTLS for any further commands, and to add a parameter to the STARTTLS that was the certificate. But STARTTLS doesn't take any arguments, and the client doesn't seem to check the name in the certificate? Is this correct or have I missed something? –  Jun 16 '17 at 22:58
  • Can you clarify the issue further? The certificate should be for the name of the mail server, right? Not the names of all the domains that the mail server may handle? – Håkan Lindqvist Jun 16 '17 at 23:32
  • I don't think that you should think of the mail server residing at that IP address. At issue here is that I would like a way of performing the TLS handshake for a domain with a specific cert for that domain. E.g. if I am sending email to a domain, I would like to know that I am sending email to that specific domain and that a single IP address may have more than one certificate. I know that I could point domain1's cert to be mx.domain2 but I am not trying to achieve this. –  Jun 17 '17 at 02:50
  • What you are trying to achieve is both impossible and unnecessary. SMTP simply isn't designed for that. – Esa Jokinen Jun 17 '17 at 06:39
  • 2
    You need to be as specific as possible. Better questions get better answers. No, many servers do not validate the SAN against the EHLO; some servers will only offer a certificate if the EHLO matches the CN/SANs (Exchange, for example). You can use checktls.com to test if the certificate matches under forced mutual TLS conditions; most systems are opportunistic and accept self-signed certificates. – Jacob Evans Jun 17 '17 at 08:46
  • What OP was/is trying to achieve **is necessary** - each domain needs to be able to have its own separate private key and certificate. If there's no SNI-type way to do it, it fundamentally requires multiple IP addresses, which is really unfortunate. – R.. GitHub STOP HELPING ICE Oct 15 '19 at 00:46

3 Answers

2

No, SMTP is designed to have the entire email communication path traced in the email, and each connection would terminate and relay the email. You should use transport maps (for Postfix) to control the destination by email address, not MTA hostname.

If you are receiving email for both domains locally then your email server should handle that, if this single IP is forwarding email to two other servers internally, then transport maps are what you are looking for in terms of a postfix server.

If this is an outbound server relay (SMTPS), you would need to handle authentication for both domains at this server as you cannot "proxy" like you do with nginx/haproxy and SNI.

Jacob Evans
  • 7,636
  • 3
  • 25
  • 55
2

According to the documentation, Postfix sends SNI information in the TLS handshake after the STARTTLS command, at least in the case where TLSA records are published in DNS:

When usable TLSA records are obtained for the remote SMTP server the Postfix SMTP client sends the SNI TLS extension in its SSL client hello message. This may help the remote SMTP server live up to its promise to provide a certificate that matches its TLSA records.

I'm not sure if this is sufficient, but it suggests that SNI can and should be used with STARTTLS; if some senders are not doing this, I would consider them broken.

Further, this IETF draft specifies that SNI shall be used:

The client uses the DNSSEC validation status of the SRV query in its server certificate identity checks. (The TLSA validation status does not affect the server certificate identity checks.) It SHALL use the Server Name Indication extension (TLS SNI) or its functional equivalent in the relevant application protocol...

1

You don't need SNI for this. Most MTAs support routing based on domain. For example postfix has a transport map. You'd make a map something like:

foo.com     smtp:[mail.foo.com]
bar.com     smtp:[mail.bar.com]
Mark Wagner
  • 17,764
  • 2
  • 30
  • 47
  • 3
    I don't need SNI and probably don't want SNI, but I do want to be able to use one IP address and multiple domains knowing that the email has been encrypted with the certificate that the domain owner has specified for his domain. –  Jun 17 '17 at 06:29
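As an added example (not from the answer above or from Postfix itself), this Python resolver parses the two-line transport map from the answer, plus two constructed extra entries, and walks a recipient address through the lookup order that transport(5) describes, so you can see which next-hop a given recipient would be relayed to; the `.bar.com` and `postmaster@bar.com` entries are assumed for illustration.

```python
import re
from typing import Dict, Iterator, Optional, Tuple

# Constructed transport(5) map text: the two entries from the answer plus a
# subdomain (leading-dot) entry and an address-level override for illustration.
TRANSPORT_MAP_TEXT = """
# recipient pattern    transport:nexthop
foo.com                smtp:[mail.foo.com]
bar.com                smtp:[mail.bar.com]
.bar.com               smtp:[mail.bar.com]:2525
postmaster@bar.com     local:
"""

def parse_transport_map(text: str) -> Dict[str, str]:
    """Parse the text form that `postmap` compiles: key, whitespace, value."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table

def lookup_keys(address: str) -> Iterator[str]:
    """Yield keys in transport(5) order: user+ext@domain, user@domain, domain,
    parent domains with a leading dot (matches subdomains only), then '*'."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    if local:
        yield f"{local.lower()}@{domain}"
        if "+" in local:
            yield f"{local.split('+', 1)[0].lower()}@{domain}"
    yield domain
    labels = domain.split(".")
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])
    yield "*"

def resolve(table: Dict[str, str], address: str) -> Optional[Tuple[str, str, str]]:
    """Return (matched_key, transport, nexthop) for the first key found, or None."""
    for key in lookup_keys(address):
        if key in table:
            transport, _, nexthop = table[key].partition(":")
            return key, transport, nexthop
    return None

def nexthop_target(nexthop: str) -> Tuple[str, Optional[int], bool]:
    """Split 'host', 'host:port', '[host]' or '[host]:port' into
    (host, port, mx_lookup_skipped); brackets mean no MX lookup is done."""
    m = re.fullmatch(r"(\[(?P<b>[^\]]+)\]|(?P<h>[^:\[\]]+))(?::(?P<p>\d+))?", nexthop)
    if not m:
        raise ValueError(f"malformed nexthop: {nexthop!r}")
    port = int(m.group("p")) if m.group("p") else None
    return (m.group("b") or m.group("h")), port, m.group("b") is not None

TRANSPORT_TABLE = parse_transport_map(TRANSPORT_MAP_TEXT)
```

Run `resolve(TRANSPORT_TABLE, "x@mx1.bar.com")` to see the leading-dot entry pick up a subdomain that the plain `bar.com` entry would not; a recipient in a domain with no entry returns `None`, which in Postfix means the default transport is used.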