CentOS 5 | SendMail

Can TLS certificates be shared between multiple sendmail MTAs? I'm using a CA-signed cert and would prefer to not purchase new certs for each additional sendmail host.

Mike B

2 Answers

Certificates can always be shared between different hosts; as long as you have their private keys, you can always copy them to other servers (otherwise, how could you rebuild a server in a disaster recovery scenario?).

This is quite common, e.g. for load balanced web servers; SMTP with TLS is in no way different from that.

Massimo
  • Without a load balancer in front of the servers, he will be getting a name mismatch between the certificate name and the different host names, so that won't work. – Nasko Aug 20 '10 at 17:01
  • Not if the services use the same name at the application level, regardless of the actual host name; this is also common practice for web servers, and MTAs can do the same (in HELO/EHLO). – Massimo Aug 21 '10 at 01:33
  • Web server with different host name will give error if it doesn't match the cert, so without load balancer or similar device in front of multiple servers with different host names, I don't see how it will work. You could use round robin DNS, but then all servers will appear with the same hostname, so no issue there. – Nasko Aug 23 '10 at 20:42
Most likely not, if your certificate is not a wildcard one (has * in the host name). I assume your hosts are actually named differently, right?

The only way I can think of to be able to use it is to terminate TLS on a load balancer put in front of the multiple sendmail hosts.

Of course all of the above is predicated on the clients doing real verification on the certificate. If they ignore the name mismatch issue, then you can use it without a problem, but it will get you no real security, as a MITM can intercept such connections.

Nasko
  • The hosts are named differently, yes. Could I tell sendmail to use the same name in the EHLO greeting and certificate exchange though? – Mike B Aug 20 '10 at 18:43
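Both answers turn on one question: does the name a client connects to (or that the MTA advertises) fall within the names on the shared certificate, either exactly or via a single-label wildcard? The following script is an added example, not code from either answer or from the sendmail project. It implements that name-matching check in the stdlib-only Python, runs it against a constructed certificate (the names `mail.example.com`, `smtp.example.com`, `mx2.example.com` and `*.example.com` are made up for the example), and includes a helper that fetches a live MTA's certificate over STARTTLS with chain verification on but hostname checking off, so a CA-signed certificate that simply carries the wrong names can still be inspected. The wildcard rule applied is the common one: `*` may stand only for the entire leftmost label and never spans a dot.

```python
"""Check whether a TLS certificate's DNS names cover a given MTA host name.

Added example; hypothetical code, not from the question, the answers, or sendmail.
"""
from __future__ import annotations

import smtplib
import ssl
from typing import Iterable

# Constructed certificate in the dict layout returned by ssl.SSLSocket.getpeercert().
# Mimics a CA-signed cert issued for one mail host plus one alias.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "smtp.example.com")),
}

# Constructed wildcard certificate, the case the second answer mentions.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate DNS name (possibly '*.domain') covers hostname.

    Rules: case-insensitive exact match, or a wildcard that is the whole
    leftmost label and covers exactly one label. A wildcard with fewer than
    two labels after it (e.g. '*.com') is rejected as overly broad.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    # '*' consumes the leftmost label only; everything to the right must match exactly
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list[str]:
    """DNS names from the subjectAltName; fall back to the CN only if no DNS SANs exist."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any name on the certificate matches hostname."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def hosts_covered(cert: dict, hostnames: Iterable[str]) -> dict[str, bool]:
    """Map each candidate MTA name to whether this certificate would verify for it."""
    return {host: cert_covers(cert, host) for host in hostnames}


def fetch_mta_cert(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Open an SMTP session, upgrade with STARTTLS and return the peer cert dict.

    The chain is still verified against the system CA store (so a self-signed or
    untrusted cert raises), but hostname checking is disabled on purpose: with
    check_hostname on, a name-mismatched cert would abort before we could look
    at it. Note that getpeercert() returns an empty dict when verify_mode is
    CERT_NONE, so CERT_REQUIRED must stay on. Not exercised offline.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed certificates.
    candidates = ["mail.example.com", "smtp.example.com", "mx2.example.com"]
    print("CA cert for one host:", hosts_covered(SAMPLE_CERT, candidates))
    print("wildcard cert:       ", hosts_covered(WILDCARD_CERT, candidates))
```

For a live check, `hosts_covered(fetch_mta_cert("mx2.example.com"), ["mx2.example.com"])` answers whether a client that does verify names would accept the shared certificate on that host; a `False` there is exactly the mismatch the comments above discuss, and the fix is either a certificate whose names include every MTA (or a wildcard) or advertising one shared name in DNS and the EHLO greeting.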