Paul,
No, I was confused. :-) Thanks for helping me to get back on track.
As ChrisP pointed out, outbound SMTP over SSL doesn't use a certificate on the sending side; there is simply no need. Hence there is no way to assign a certificate to an outbound connection.
Now I just need to make sure I understand how to bind outbound SMTP to certain IPs for certain client domains, with a specific HELO domain per IP. (For vanity reasons, and also to partition clients from one another if one of them gets on an RBL for sending spam, e.g. due to a compromise.) I think this is documented, as I've outlined below.
Best,
Chris
On 26.07.2013 at 05:15, "Paul M. Beck" HIDDEN@bexx.com> wrote:
> Chris,
>
> I could be a bit confused here as to what you're doing.
>
> For my MXs there is only 1 SSL certificate per IP, though some allow for wildcards.
> I only use one A record. No CNAMEs (i.e. imap.domain, pop.domain, etc.)
>
> For SMTP, to my knowledge it is preferred to have matching forward and reverse lookups, so there is only 1 outbound map per non-stacked domain/IP.
>
> None of my stacked domains use their own ssl's as the ip has forward and reverse dns for the main domain on that ip, hence stacking.
>
> By default (I think) SurgeMail uses the ip for the main or stacked domain for outbound smtp
>
> Paul
>
> On Jul 25, 2013, at 6:43 PM, Chris Ferebee HIDDEN@ebee.net> wrote:
>
>> Great, it sounds like everything should work (in theory) as expected for incoming SSL connections.
>>
>> Now, for outbound SMTP…
>>
>> Ideally, each of several client companies I host on my SurgeMail server would use a unique IP for all communication (inbound and outbound) with its own SSL certificate, and would announce its own HELO domain. It looks like I need the following:
>>
>> g_bind_from "TRUE"
>> g_send_helo_from "TRUE"
>> send_helo "mail.company-x.com" (set to the same value for all domains on this IP)
>>
>> It's my understanding that using different HELO domains from a single IP - which g_send_helo_from does by default - is not a good idea and can result in blacklisting by some RBLs.
>>
>> OTOH, if I set the "send_helo" parameter to the same value for all domains on one IP, that should not be an issue - correct? I would simply be announcing the canonical A record of the client's assigned SurgeMail IP.
>>
>> Now, if I try to use SSL for outbound SMTP when possible, using
>>
>> g_ssl_allow "*"
>> g_ssl_try_out "*"
>>
>> will SurgeMail find the correct certificate to use based on the above HELO setup, from the various certificates stored as discussed below?
>>
>> Best,
>> Chris
>>
>> On 26.07.2013 at 00:00, Surgemail Support (Marijn) <surgemailHIDDEN@t@netwinsite.com> wrote:
>>
>>> On Friday 26/07/2013 at 8:08 am, Chris Ferebee wrote:
>>>> Thanks, Paul, for the details you sent off-list, which gave me something more to go on.
>>>>
>>>> I've also discovered that if you turn on g_ssl_per_domain, SurgeMail will create subdirectories surgemail/ssl/domain.com, initially with self-signed certificates.
>>>
>>> Indeed. Yes, not being aware of this would confuse matters indeed ;-)
>>>>
>>>> Perhaps this would work:
>>>>
>>>> domains A, B, C on IP-1 (using Virtual Domain IP setting)
>>>> domains D, E, F on IP-2 (using Virtual Domain IP setting)
>>>> certificate with SANs A, B, C placed in each of the directories surgemail/ssl/A, /B, /C
>>>> certificate with SANs D, E, F placed in each of the directories surgemail/ssl/D, /E, /F
>>>>
>>>> Marijn?
>>> Yes I would expect that to work.
>>>
>>> There is nothing stopping you putting the same certificate in multiple ssl subdirectories, provided the SSL certificate will match the resolved hostname to the client. And it sounds like SAN certificates allow you to place multiple certs per file.
>>>
>>> In terms of domain identification, if you are not using SNI then all surgemail has available for domain identification (i.e. when deciding to serve the certificate) is the IP address connected on. So in the above scenario (if not using SNI) you would, I believe, in practice actually be serving the SSL certificate for A,B,C from surgemail/ssl/A (or whichever it finds first), and for D,E,F from the same single location, e.g. surgemail/ssl/D.
>>>
>>> But that is fine if the certificate file served matches the hostname users connect on for all three domains in question.
>>>
>>> Marijn
>>>
>>>
>>>
>>>>
>>>>
>>>> I'll have to experiment.
>>>>
>>>> Chris
>>>>
>>>>
>>>>> On Jul 25, 2013, at 4:59 AM, Chris Ferebee HIDDEN@ebee.net> wrote:
>>>>>
>>>>>> Paul,
>>>>>>
>>>>>> If you could detail your configuration, that would be great. Specifically, I don't think I understand how to configure multiple IP addresses with a different certificate for each IP (spanning multiple domains with each certificate using SANs) and multiple virtual domains per IP.
>>>>>>
>>>>>> Thanks,
>>>>>> Chris
>>>>>>
>>>>>> On 25.07.2013 at 04:02, "Paul M. Beck" HIDDEN@bexx.com> wrote:
>>>>>>
>>>>>>> I have a server running 4 unique domains with unique IPs, all with SSL. 2 domains have multiple sites stacked on them.
>>>>>>>
>>>>>>> I have successfully used a wildcard domain for shortcut implementations like clientdomain.mydomain.net
>>>>>>>
>>>>>>> I can give you config information if you wish
>>>>>>>
>>>>>>> Paul
>>>>>>>
>>>>>>> On Jul 24, 2013, at 8:00 PM, Surgemail Support (Marijn) <surgemailHIDDEN@t@netwinsite.com> wrote:
>>>>>>>
>>>>>>>> OK, it does sound like the multiple domains per certificate would be ideal to use, say one certificate for:
>>>>>>>> domain.com, mail.domain.com and even maybe imap.domain.com
>>>>>>>> but at the same time I've not had that running myself and it sounds like others have had issues. Having said that, I'm sure I have had positive reports of users having it working fine under surgemail.
>>>>>>>>
>>>>>>>> As to SNI, no, I'm not aware of mail client coverage - as you say - it is bound not to cover many older clients. Google does not seem to be giving me any definite answers on the matter either.
>>>>>>>>
>>>>>>>> Marijn
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Thursday 25/07/2013 at 12:12 pm, Chris Ferebee wrote:
>>>>>>>>> Hmm, very interesting. It seems the implementation has outstripped the documentation. :-)
>>>>>>>>>
>>>>>>>>> FYI, "UCC" means "Unified Communication Certificate" and is just another name for a multi-domain certificate, i. e. a certificate that lists multiple domains as SANs (Subject Alternate Names). Many certificate authorities sell UCCs. StartCom ("StartSSL.com") is interesting because once you have validated your identity for a one-time fee, you can then generate any number of certificates, including UCCs, during a 1-year period, at no extra charge. However, all domains on one UCC must be validated to the same entity, as StartCom firmly informed me when I attempted otherwise. Other CAs have similar restrictions.
>>>>>>>>>
>>>>>>>>> I hadn't thought of SNI at all, that's an interesting approach.
>>>>>>>>>
>>>>>>>>> Do you have any idea which MUAs support SNI? I wonder whether support for older client systems would be an issue.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Chris
>>>>>>>>>
>>>>>>>>> On 25.07.2013 at 00:51, Surgemail Support (Marijn) <surgemailHIDDEN@t@netwinsite.com> wrote:
>>>>>>>>>
>>>>>>>>> You want the short or long answer :-)
>>>>>>>>>
>>>>>>>>> There are two aspects to be considered:
>>>>>>>>> - surgemail deciding which certificate to serve
>>>>>>>>> - the browser matching the certificate against the correct url hostname.
>>>>>>>>>
>>>>>>>>> Traditionally you had either g_ssl_per_domain, in which case you needed to have a certificate per domain and to use a separate IP address per domain, or you left g_ssl_per_domain disabled and you had the whole server secured on a single hostname.
>>>>>>>>>
>>>>>>>>> This would work with wildcard certificates (is that what you are referring to with UCC, as I'm not familiar with that term), but the price and domain restrictions on these tend to mean that people do not use them.
>>>>>>>>>
>>>>>>>>> However, as of 6.0 surgemail supports SNI; this should mean that surgemail no longer needs to use the IP address to identify the certificate to serve. You would still use a certificate per domain, these being stored in the surgemail/ssl/domain.com directories, but you can serve all these on the same IP address.
>>>>>>>>>
>>>>>>>>> I also believe there is some form of option of combining multiple certificates in one, but I have to admit I've never actually tried that myself so there may be hidden gotchas and possibly costs at the certificate issuing side.
>>>>>>>>>
>>>>>>>>> Anyway, I suggest using maybe:
>>>>>>>>> mail.yourprimarydomain.com as the hostname with your company certificate for all the domains that do not need their own certificate and
>>>>>>>>> mail.company-a.com etc with its own certificate for other domains needing their own certificates
>>>>>>>>> this can all be on the same ip address now if wanted.
>>>>>>>>>
>>>>>>>>> But maybe someone else on the list has further input too?
>>>>>>>>>
>>>>>>>>> Marijn
>>>>>>>>>
>>>>>>>>> On Wednesday 24/07/2013 at 11:38 pm, Chris Ferebee wrote:
>>>>>>>>>
>>>>>>>>> I'm trying to understand how to set up SSL over multiple domains in SurgeMail, so that different users can log in via IMAP etc. as "userHIDDEN@any-a.com" and "user-2@company-b.com" to the server using the hostnames "mail.company-a.com" and "mail.company-b.com" over SSL.
>>>>>>>>>
>>>>>>>>> Initially, I thought I could obtain a UCC certificate (from StartSSL.com) listing all the SSL domains as Subject Alternate Names, however it turns out that UCCs are not allowed to cover domains belonging to multiple separate organizations.
>>>>>>>>>
>>>>>>>>> Therefore, I presume I would need to use multiple certificates and configure SurgeMail to answer with different certificates on multiple separate IP addresses.
>>>>>>>>>
>>>>>>>>> I also host a number of domains that don't each need their own SSL hostname.
>>>>>>>>>
>>>>>>>>> How does this relate to g_ssl_per_domain? If I enable that, can I use several IP addresses but still host multiple virtual domains on each IP? I'm thinking of a setup like this:
>>>>>>>>>
>>>>>>>>> IP 1.1.1.1 - canonical name "mail.company-a.com" - SSL certificate for "mail.company-a.com" with SAN "company-a.com"
>>>>>>>>>
>>>>>>>>> IP 1.1.1.2 - canonical name "mail.company-b.com" - SSL certificate for "mail.company-b.com" with SAN "company-b.com"
>>>>>>>>>
>>>>>>>>> Additional vdomains on each IP - but I presume the server would need to handshake with the canonical name on each IP so as not to break SSL.
>>>>>>>>>
>>>>>>>>> Will that work, and how do I set it up?
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Chris Ferebee
>>>
>>
>
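As an added example, not part of this thread and not SurgeMail's own code, the script below models the rule Marijn describes for a server without SNI (the certificate is chosen by the IP a client connects on) and checks a planned layout for the two things that would break it: a connection hostname the served certificate's SANs do not cover, and an IP whose virtual domains would announce more than one HELO name. The IPs, domain names, SAN lists and HELO values are constructed for illustration and are not the poster's real configuration; the matching rule is the usual RFC 6125 DNS-ID rule (wildcard only in the left-most label, never matching the bare parent domain).

```python
"""Check a planned per-IP certificate layout for a mail server that, without SNI,
serves one certificate per IP address.  Added example; all addresses, domains,
SAN lists and HELO names are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def hostname_matches_san(hostname: str, san: str) -> bool:
    """RFC 6125-style DNS-ID matching: case-insensitive exact match, or a wildcard
    that replaces only the left-most label.  '*.x.example' matches 'mail.x.example'
    but neither 'x.example' nor 'a.b.x.example'."""
    host = hostname.lower().rstrip(".")
    name = san.lower().rstrip(".")
    if host == name:
        return True
    if name.startswith("*."):
        suffix = name[1:]                      # e.g. ".company-d.example"
        if host.endswith(suffix):
            leftmost = host[: -len(suffix)]
            return bool(leftmost) and "." not in leftmost
    return False


@dataclass
class Certificate:
    """One certificate file, identified by the ssl/<domain> directory it lives in."""
    directory: str
    sans: List[str] = field(default_factory=list)

    def covers(self, hostname: str) -> bool:
        return any(hostname_matches_san(hostname, san) for san in self.sans)


@dataclass
class VirtualDomain:
    name: str
    ip: str
    client_hostname: str   # the name users enter in their IMAP/SMTP client
    send_helo: str         # the HELO name announced on outbound SMTP from this domain


def uncovered_hostnames(domains: List[VirtualDomain],
                        cert_by_ip: Dict[str, Certificate]) -> List[Tuple[str, str]]:
    """(domain, hostname) pairs whose connection hostname is not covered by the
    certificate served on that domain's IP; clients would reject these."""
    bad = []
    for d in domains:
        cert = cert_by_ip.get(d.ip)
        if cert is None or not cert.covers(d.client_hostname):
            bad.append((d.name, d.client_hostname))
    return bad


def inconsistent_helo(domains: List[VirtualDomain]) -> List[str]:
    """IPs that would announce more than one HELO name across their domains."""
    helos: Dict[str, set] = {}
    for d in domains:
        helos.setdefault(d.ip, set()).add(d.send_helo.lower())
    return sorted(ip for ip, names in helos.items() if len(names) > 1)


# Constructed plan: A, B, C on IP-1 and D, E, F on IP-2 (documentation addresses).
DOMAINS = [
    VirtualDomain("company-a.example", "192.0.2.1", "mail.company-a.example", "mail.company-a.example"),
    VirtualDomain("company-b.example", "192.0.2.1", "mail.company-b.example", "mail.company-a.example"),
    VirtualDomain("company-c.example", "192.0.2.1", "imap.company-c.example", "mail.company-a.example"),
    VirtualDomain("company-d.example", "192.0.2.2", "mail.company-d.example", "mail.company-d.example"),
    VirtualDomain("company-e.example", "192.0.2.2", "mail.company-e.example", "mail.company-d.example"),
    VirtualDomain("company-f.example", "192.0.2.2", "mail.company-f.example", "mail.company-f.example"),
]

# Without SNI only one certificate is served per IP, whichever directory is found first.
CERT_BY_IP = {
    "192.0.2.1": Certificate("ssl/company-a.example",
                             ["mail.company-a.example", "company-a.example",
                              "mail.company-b.example", "company-b.example",
                              "mail.company-c.example", "company-c.example"]),
    "192.0.2.2": Certificate("ssl/company-d.example",
                             ["*.company-d.example", "company-d.example",
                              "mail.company-e.example", "mail.company-f.example"]),
}


def run_checks() -> Dict[str, list]:
    return {
        "uncovered": uncovered_hostnames(DOMAINS, CERT_BY_IP),
        "mixed_helo_ips": inconsistent_helo(DOMAINS),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

In the constructed plan the check flags company-c, whose users connect as imap.company-c.example while the certificate served on that IP only lists mail.company-c.example, and it flags 192.0.2.2 because company-f announces a different HELO name from the other domains on that IP. A plan that passes both checks is one where every client hostname is in the served certificate's SAN list and each IP announces a single HELO name.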