flashmob / go-guerrilla

Mini SMTP server written in golang
MIT License

TLS with multiple allowed hosts (or wildcard hosts) #205

Open richp10 opened 4 years ago

richp10 commented 4 years ago

Setting up TLS you need to provide a hostname, defaulting to the server hostname.

Guerrilla also allows you to receive mail for multiple allowed hosts or use wildcards.

My question is: will the TLS handshake work for inbound mail to multiple hosts, since the hostname of the TLS certificate will not match any or all of the hosts?

flashmob commented 4 years ago

You could set it up so that all the domains in your "allowed hosts" point to and share the same MX host(s).

These MX hosts are the ones that you need to get TLS certificates for. Each hostname must match the FQDN of the TLS certificate, must have an A record and also a reverse DNS entry is recommended. This needs to only be for the MX hosts.

sylencecc commented 4 years ago

I'm stuck here with the same problem. How do I configure multiple certificate/key pairs in goguerrilla.conf? Adding multiple "servers" for the same listen_interface (0.0.0.0:25 with STARTTLS enabled) doesn't work, goguerrilla always seems to answer as the first configured server, no matter what hostname was used for the actual connection. I'm not sure how other SMTP servers handle this, but wouldn't that require some sort of Server Name Indication and virtual hosts such as nginx, apache handle that?

flashmob commented 4 years ago

Unfortunately, SMTP doesn't support SNI like HTTP does, so it's not possible. You will need a new IP/interface (with a reverse DNS entry?) for each of the MX hosts that you set up... As for the allowed hosts, they can all point to the same MX hosts.

In other words, you do not set up the certificates for the "allowed hosts"; you set up certificates for the MX hosts instead. The MX hosts are then added to each of your "allowed hosts"' DNS records.

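An added check in Go (example code, not go-guerrilla's own) illustrating the rule stated above: the certificate must cover the MX hostnames, not the allowed mail domains. It builds a constructed self-signed certificate for made-up names (mail-host.example as the MX host, example.com and example.org as allowed hosts) and uses the standard library's SAN matching, the same matching a connecting MTA applies, to report which hostnames the certificate would not be valid for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// newMXCert builds a constructed self-signed certificate whose SANs name the MX hosts only.
func newMXCert(dnsNames []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     dnsNames, // SANs: this is what a connecting MTA matches against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// uncoveredHosts lists the hosts the cert's SANs do not match (RFC 6125 wildcard rules, one label per "*").
func uncoveredHosts(cert *x509.Certificate, hosts []string) []string {
	var missing []string
	for _, h := range hosts {
		if err := cert.VerifyHostname(h); err != nil {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	// Constructed names: the MX hosts carry the cert; the allowed mail domains do not need to.
	cert, err := newMXCert([]string{"mx1.mail-host.example", "*.mail-host.example"})
	if err != nil {
		panic(err)
	}
	fmt.Println("uncovered MX hosts:", uncoveredHosts(cert, []string{"mx1.mail-host.example", "mx2.mail-host.example"}))
	fmt.Println("uncovered allowed hosts:", uncoveredHosts(cert, []string{"example.com", "example.org"}))
}
```

Run the same check against your real MX certificate (parse the PEM with encoding/pem and x509.ParseCertificate) and the hostnames your MX records publish; anything it lists will fail the remote side's STARTTLS name check.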
chibelsonda commented 4 years ago

Hello Good day @flashmob

Does go-guerrilla support plain authentication? I'm new to developing an SMTP server, so my apologies.