
Does Postfix need a TLS cert for every destination domain?

When Postfix is the destination for multiple domains, does it need a TLS cert for every one of them, or just for the domain in $myhostname?

That is to say, are there SMTP clients out there who will check certs against the MX they used to look us up, or are they all smart enough to wait for the 220 response and/or do reverse DNS, and check against that?

Is it even possible to receive the 220 without checking the certificate first?

But otherwise, is it even possible for Postfix to know what cert the client wants?

EDIT: Even if they do reverse DNS, if clients are willing to accept MX addresses that resolve to arbitrary domains, isn't that trivial to MITM? Or is the solution to never use a vanity MX if I want TLS?

    • In my experience, very few mail servers actually attempt to verify the certificate of the server they're connecting to. Which makes this only "better than nothing" security.
    • Not to gainsay that, but in my experience, they do attempt to verify the certificate - they just don't stop sending mail if the certificate's unverifiable. Arguably, that's what I want: my logs tell me if any given connection is man-in-the-middle-proof, or not, but my mail always flows. I suspect that I could reconfigure the MTA to require TLS, or to require TLS+verification, but it'd be a less-useful mail server if I did so.
    • @MadHatter OK, well, true. They throw a warning in the log, and then proceed anyway. The end effect is the same.
    • I completely agree; I merely note that it's that way by design, and can often be configured to be different if that's what you want.

For my money, the way to do this is to avoid vanity MX. It's close to meaningless, anyway - how many actual people ever get to see your MX record? Vanity domains are fine, but TLS will be simpler if you have the MX record in all cases be the CN embedded in the certificate.

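As an added illustration (not part of the question, comments or answer above), here is a small Python model of the name check a verifying SMTP client performs after STARTTLS: the name it compares against is the MX hostname it looked up, not whatever the 220 banner or reverse DNS says. The certificate contents and hostnames are constructed for the example; the policy names `may` and `verify` are borrowed from Postfix's `smtp_tls_security_level` values, but the decision logic here is a simplified stand-in and not Postfix's own code. It shows why a vanity MX record fails verification unless the presented certificate actually carries that name, and how an opportunistic client logs the mismatch and delivers anyway while a verifying client defers.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Certificate:
    """Constructed stand-in for an X.509 server certificate: the subject CN
    and the dNSName entries of its subjectAltName extension."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, a
    wildcard is allowed only as the entire leftmost label and never matches
    across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*.example" (too broad) and require the same number of labels.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def reference_names(cert: Certificate) -> List[str]:
    """A verifying client compares against the SAN dNSNames when present and
    falls back to the CN only for legacy certificates that carry no SANs."""
    return list(cert.san_dns) if cert.san_dns else [cert.common_name]


def cert_matches_host(cert: Certificate, hostname: str) -> bool:
    return any(_name_matches(name, hostname) for name in reference_names(cert))


def decide_delivery(mx_host: str, cert: Certificate, policy: str) -> Tuple[str, str]:
    """Model a sending MTA that found mx_host via a DNS MX lookup and received
    cert after STARTTLS.  policy 'may' = opportunistic TLS (log the mismatch,
    deliver anyway); policy 'verify' = defer delivery when the name does not
    match.  Simplified model, not Postfix's actual implementation."""
    if cert_matches_host(cert, mx_host):
        return "deliver", f"TLS verified: certificate name matches MX {mx_host}"
    detail = f"MX {mx_host} not among {reference_names(cert)}"
    if policy == "may":
        return "deliver", f"warning: untrusted TLS ({detail}); delivering anyway"
    return "defer", f"TLS verification failed ({detail})"


# Constructed data: one hosting provider's certificate, issued for its own
# mail hostname, on a box that receives mail for several customer domains.
PROVIDER_CERT = Certificate("mail.provider.example", ["mail.provider.example"])

if __name__ == "__main__":
    # Customer A points its MX straight at the provider hostname (MX == CN).
    print(decide_delivery("mail.provider.example", PROVIDER_CERT, "verify"))
    # Customer B uses a vanity MX that resolves to the same box: the 220
    # banner and STARTTLS both work, but the name check fails.
    print(decide_delivery("mx.customer-b.example", PROVIDER_CERT, "may"))
    print(decide_delivery("mx.customer-b.example", PROVIDER_CERT, "verify"))
```

Run it directly to see the three outcomes; the point of the model is that the server never learns which name the client will check, so the only way for every sender to verify successfully is for every MX hostname pointing at the box to appear in the certificate it presents, which is exactly the "MX record equals the certificate name" rule from the answer.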
