When Postfix is the destination for multiple domains, does it need a TLS cert for every one of them, or just for the domain in $myhostname?

That is to say, are there SMTP clients out there who will check certs against the MX they used to look us up, or are they all smart enough to wait for the 220 response and/or do reverse DNS, and check against that?

Is it even possible to receive the 220 without checking the certificate first?

But otherwise, is it even possible for Postfix to know what cert the client wants?

EDIT: Even if they do reverse DNS, if clients are willing to accept MX addresses that resolve to arbitrary domains, isn't that trivial to MITM? Or is the solution to never use a vanity MX if I want TLS?

yar
    In my experience, very few mail servers actually attempt to verify the certificate of the server they're connecting to. Which makes this only "better than nothing" security. – Michael Hampton Nov 25 '13 at 17:07
  • Not to gainsay that, but in my experience, they do attempt to verify the certificate - they just don't stop sending mail if the certificate's unverifiable. Arguably, that's what I want: my logs tell me if any given connection is man-in-the-middle-proof, or not, but my mail always flows. I suspect that I could reconfigure the MTA to require TLS, or to require TLS+verification, but it'd be a less-useful mail server if I did so. – MadHatter Nov 25 '13 at 17:18
  • @MadHatter OK, well, true. They throw a warning in the log, and then proceed anyway. The end effect is the same. – Michael Hampton Nov 25 '13 at 17:26
  • I completely agree; I merely note that it's that way by design, and can often be configured to be different if that's what you want. – MadHatter Nov 25 '13 at 23:37

1 Answer

For my money, the way to do this is to avoid vanity MX. It's close to meaningless, anyway - how many actual people ever get to see your MX record? Vanity domains are fine, but TLS will be simpler if you have the MX record in all cases be the CN embedded in the certificate.

MadHatter
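The following is an added example to illustrate both the question (which name does a verifying client compare against?) and the answer (make the MX hostname the name in the certificate); it is not code from the thread or from Postfix. It builds two throwaway self-signed certificates with openssl and checks them with openssl's own hostname matcher, the same RFC 6125 rules Postfix applies: subjectAltName dNSName entries are what get matched, and the CN is consulted only when a certificate has no dNSName at all, so the answer's "CN" is best read as "SAN" on a current MTA. The hostnames are assumptions: mx1.example.net is the real MX host (what $myhostname would be) and mail.vanity.example is a vanity MX name pointing at the same box.

```shell
#!/bin/sh
# Added example, not code from the Server Fault thread or from Postfix.
# Shows, with openssl's hostname matcher, which MX names a verifying SMTP
# client would accept for a given certificate. Hostnames are assumptions.
set -eu

MX_HOST="mx1.example.net"        # real MX host, = $myhostname (assumed)
VANITY_MX="mail.vanity.example"  # vanity MX name for a hosted domain (assumed)
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert OUTFILE "DNS:a,DNS:b": self-signed cert with the given SAN list.
# Verifiers match dNSName SANs; the CN only counts when there are none.
make_cert() {
  out="$1"; sans="$2"
  cat >"$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $MX_HOST
[v3]
subjectAltName = $sans
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/req.cnf" -keyout "$WORK/key.pem" -out "$out" >/dev/null 2>&1
}

# cert_covers CERTFILE HOSTNAME: exit 0 if the cert is valid for HOSTNAME.
# openssl x509 -checkhost exits 0 either way and reports in text, so grep it
# ("does match certificate" vs "does NOT match certificate").
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# check_mx_names CERTFILE name...: pre-deployment check for the file you are
# about to point smtpd_tls_cert_file at. Fails on the first MX name that
# resolves to this host but is absent from the certificate.
check_mx_names() {
  cert="$1"; shift
  for name in "$@"; do
    cert_covers "$cert" "$name" || { echo "not covered by cert: $name" >&2; return 1; }
  done
}

# Cert 1: the answer's recommendation. Only the real MX host is named, and
# every hosted domain's MX record points at that one name.
make_cert "$WORK/mx-only.pem" "DNS:$MX_HOST"
# Cert 2: what a vanity MX costs you. Every MX name a client might compare
# against has to appear in the SAN list of the one cert smtpd hands out
# (smtpd picks its cert before it knows which domain the client is after).
make_cert "$WORK/mx-and-vanity.pem" "DNS:$MX_HOST,DNS:$VANITY_MX"

# Demo run. Under set -e the || and && forms keep a failed check from aborting.
check_mx_names "$WORK/mx-only.pem" "$MX_HOST" && echo "mx-only cert: fine for $MX_HOST"
check_mx_names "$WORK/mx-only.pem" "$VANITY_MX" 2>/dev/null \
  || echo "mx-only cert: a client verifying $VANITY_MX rejects it"
check_mx_names "$WORK/mx-and-vanity.pem" "$MX_HOST" "$VANITY_MX" \
  && echo "mx+vanity cert: fine for both names"

# Client side, for the MITM question in the EDIT (Postfix main.cf settings,
# quoted as comments; these parameter names and levels are real):
#   smtp_tls_security_level = may
# is opportunistic: the session is encrypted but nothing is verified, which
# is the behaviour the comments describe. The log then says
# "Untrusted TLS connection established to ..." rather than "Trusted" or
# "Verified". Per-destination verification goes in a policy table:
#   smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#   # /etc/postfix/tls_policy:
#   # example.com   secure match=mx1.example.net
# At the "secure" level Postfix matches the certificate against the nexthop
# domain (or the match= list), not against the MX hostname, because the MX
# lookup itself is unauthenticated DNS: an attacker who can answer it can
# substitute an MX name they hold a valid certificate for.
```

Run it as a pre-deployment check with the names that actually point at the host (`check_mx_names /etc/ssl/certs/mx.pem mx1.example.net` and so on); if you keep a vanity MX, the second certificate shows the SAN list it must carry, and the comments at the end are the Postfix client settings that turn "better than nothing" opportunistic TLS into a verified session for the destinations you care about.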