vexim / vexim2

Virtual Exim 2

SSL certificates per Domain #246

Open runout-at opened 6 years ago

runout-at commented 6 years ago

The idea is that we have different SSL certs. E.g. one per domain. Normally I get my certificates with certbot from letsencrypt. For some people it's confusing to see a certificate from a different domain on connecting to the mailserver.

I don't know if or how easily this could be done. Let me know if you think this is completely stupid.

Udera commented 6 years ago

Wouldn't you need a dedicated IP address for each certificate?

runout-at commented 6 years ago

With SNI it should work. An example: https://help.atmail.com/hc/en-us/articles/115009208748-Multiple-SSL-certs-with-Dovecot-Exim Exim docu: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECTtlssni

Udera commented 6 years ago

Do you know which clients work well with SNI? Other mail servers (workaround: you could use SNI only on port 587/465)? https://wiki.dovecot.org/SSL/SNIClientSupport https://wiki.gentoo.org/wiki/Complete_Virtual_Mail_Server/SSL_Certificates http://postfix.1071664.n5.nabble.com/TLS-SNI-support-td72278.html

Since letsencrypt allows multidomain certs, it's only a cosmetic thing if someone checks the certificate manually (how do you check the ssl cert in a mail application?). For browser access you could still use a subdomain (webmail.example.org) using SNI.

runout-at commented 6 years ago

If the client is not sending an SNI hostname, then there is a 'fallback' to a certificate which has all hostnames in the SAN field. Or you could see it as a 'default' as long as the client doesn't send SNI. This way there should be no problem with any client. Mailservers (on port 25) normally don't send SNI - the only SNI I saw was from Google. (I'm running this setup on my production server now)

Actually the only really needed config for exim is in the 2 lines from my PR and this has no negative impact if there is only one certificate using SANs. The bash script is just for making it easier to deploy the certificates based on the records in the vexim-DB. This script is also doing renewal of the certificates - putting it in a daily cron job doesn't hurt.

I don't know how people normally get/deploy their certificates - no matter if one cert per domain or a single cert with SANs. But a script like this will do the automation of the crucial process of adding/removing/renewing domains.

BTW: I didn't test the script with IPv4 as IPv6 is easier on a NATed virtualisation environment. But I think there is a bug or a problem when the server is behind a NAT. I'll look into this later.
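The per-domain selection with a SAN-certificate fallback described above, written out as an Exim configuration fragment. This is an added example, not the two lines from the PR or anything shipped with vexim2; the directory layout under `/etc/exim4/ssl/` (one subdirectory per SNI name plus a `default/` directory holding the all-SAN certificate, each with certbot-style `fullchain.pem` and `privkey.pem`) is an assumption. `$tls_in_sni` is the name the remote client asked for, so it is matched against a strict hostname pattern before it is used to build a file path; anything that fails the pattern, or has no files on disk, gets the default certificate.

```exim
# Added example, not vexim2's own configuration. CERT_DIR layout is assumed:
#   CERT_DIR/<sni-name>/fullchain.pem, CERT_DIR/<sni-name>/privkey.pem
#   CERT_DIR/default/fullchain.pem,    CERT_DIR/default/privkey.pem
CERT_DIR = /etc/exim4/ssl

# $tls_in_sni is client-supplied. The match condition only admits plain
# hostname characters (no "/", no leading "." or "-"), so the value cannot
# escape CERT_DIR; exists{} then confirms we actually hold a certificate for
# that name. Either check failing selects the default (all-SAN) certificate,
# which is also what a client that sends no SNI at all receives.
tls_certificate = ${if and { \
        {def:tls_in_sni} \
        {match{$tls_in_sni}{\N^[A-Za-z0-9][A-Za-z0-9.-]*$\N}} \
        {exists{CERT_DIR/$tls_in_sni/fullchain.pem}} \
    } {CERT_DIR/$tls_in_sni/fullchain.pem} {CERT_DIR/default/fullchain.pem}}

tls_privatekey = ${if and { \
        {def:tls_in_sni} \
        {match{$tls_in_sni}{\N^[A-Za-z0-9][A-Za-z0-9.-]*$\N}} \
        {exists{CERT_DIR/$tls_in_sni/privkey.pem}} \
    } {CERT_DIR/$tls_in_sni/privkey.pem} {CERT_DIR/default/privkey.pem}}
```

Exim only re-expands `tls_certificate` and `tls_privatekey` after the ClientHello when the option string itself references `$tls_in_sni`, which is why the variable appears directly in both expansions rather than being hidden behind a macro. The `default/` certificate must list every hosted mail name in its SAN field, since that is what port 25 peers without SNI (and any client asking for an unknown name) will be shown.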