jeboehm / docker-mailserver

Docker Mailserver based on the famous ISPMail guide
MIT License

Multiple TLS for multiple domains #111

Open hungcrush opened 3 years ago

hungcrush commented 3 years ago

Hi~

Could you add support for multiple .crt (TLS) files for multiple domains?

Thank you so much.

jeboehm commented 3 years ago

@hungcrush Good idea!

https://wiki.dovecot.org/SSL/DovecotConfiguration#With_client_TLS_SNI_.28Server_Name_Indication.29_support https://technikfreak.net/tag/sni-postfix-letsencrypt-le-tls-ssl-mail-dovecot-server-name-indication-encrypt/

polarathene commented 3 months ago

You shouldn't need that btw. TLS certs used are for your mail-server FQDN/hostname, not the mail domains managed by the MTA/MDA services.

rmsc commented 2 months ago

> You shouldn't need that btw. TLS certs used are for your mail-server FQDN/hostname, not the mail domains managed by the MTA/MDA services.

Unless you want to keep separate mail server FQDNs, which is what I'd also like to do.

I'd like this to be added as well.

polarathene commented 2 months ago

> Unless you want to keep separate mail server FQDNs, which is what I'd also like to do.

Can you elaborate why?

You can have @example.com + @example.org both with MX records to have mail delivered to mail.example.net. You want to have multiple A records with different FQDNs pointing to the same mail server though?

When the mail server sends mail outbound, it needs to provide a HELO greeting; this is the FQDN that identifies the mail server. Sometimes an rDNS lookup is done at the receiving end to verify your connecting server is legitimately who you claim to be. Then there are other checks like SPF authorizing the mail server to send mail on behalf of the sender domain.

An IP address is only going to resolve to one of those FQDNs though, but as long as you're not concerned about that metric (I don't think most mail servers are that strict on it, so long as the resolved FQDN resolves back to the same IP), some may use it as part of the spam score though.

I'm curious what you're trying to gain from multiple domains however, since it doesn't provide any additional privacy IIRC. Services like Postfix also are generally configured to assume one hostname / FQDN aren't they? I suppose you could support multiple via master.cf adjustments but that might be a bit awkward. If it's just for receiving mail, you can use the SNI support (EDIT: Oh those have already been linked).
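An added offline check (example code, not part of this thread or of the docker-mailserver project) of the identity chain described in the comment above: each mail domain's MX points at a mail-server FQDN, that host's rDNS should confirm the forward name, and the TLS certificate has to cover that FQDN rather than the mail domains themselves. All DNS records and certificate names below are constructed for the example; a real check would query DNS and read the served certificate.

```python
"""Offline model of the MX -> A -> PTR -> certificate chain for mail domains."""

# Constructed DNS data (not real records): two mail domains share one MX host,
# a third domain has an MX host whose PTR record does not match its A record.
DNS = {
    "MX": {"example.com": ["mail.example.net"],
           "example.org": ["mail.example.net"],
           "example.edu": ["mx.example.edu"]},
    "A": {"mail.example.net": "192.0.2.25",
          "mx.example.edu": "192.0.2.26"},
    "PTR": {"192.0.2.25": "mail.example.net",
            "192.0.2.26": "smtp.example.edu"},   # forward name != reverse name
}

# Subject Alternative Names of the certificate the server presents (constructed).
CERT_SANS = {"mail.example.net"}


def san_matches(hostname: str, sans) -> bool:
    """Match a hostname against SAN entries, allowing one left-most wildcard label."""
    for san in sans:
        if san == hostname:
            return True
        if san.startswith("*.") and hostname.count(".") >= 2:
            if hostname.split(".", 1)[1] == san[2:]:
                return True
    return False


def fcrdns_ok(fqdn: str, dns=DNS) -> bool:
    """Forward-confirmed reverse DNS: FQDN -> IP -> PTR must yield the same FQDN."""
    ip = dns["A"].get(fqdn)
    return ip is not None and dns["PTR"].get(ip) == fqdn


def check_mail_domain(domain: str, dns=DNS, sans=CERT_SANS) -> list[str]:
    """Return findings for one mail domain; an empty list means every check passed."""
    findings = []
    mx_hosts = dns["MX"].get(domain, [])
    if not mx_hosts:
        findings.append(f"{domain}: no MX record")
    for mx in mx_hosts:
        if mx not in dns["A"]:
            findings.append(f"{mx}: no A record")
            continue
        if not fcrdns_ok(mx, dns):
            findings.append(f"{mx}: rDNS does not confirm forward name")
        # The certificate must name the MX host, not the mail domain being checked.
        if not san_matches(mx, sans):
            findings.append(f"{mx}: not covered by certificate SANs {sorted(sans)}")
    return findings
```

Both @example.com and @example.org pass with the single certificate for mail.example.net, which is the point made above; only the domain with its own, mismatched MX host produces findings.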

rmsc commented 2 months ago

> Unless you want to keep separate mail server FQDNs, which is what I'd also like to do.

> Can you elaborate why?

Not sure if it's my fault, but clients like Thunderbird have a hard time auto-detecting settings when the mail-server FQDN doesn't match the e-mail domain. Not exactly a good user experience.