SNI for mail services

Discussion in 'Developers' Forum' started by Jesse Norell, Mar 28, 2019.

Tags:
  1. Jesse Norell

    Jesse Norell Well-Known Member

    As of last month postfix added SNI support in version 3.4.0 (it would appear nearly 8 years after it was required by rfc6186 5.b), so probably time to start thinking about the implementation soon. Dovecot of course has had SNI support for a while.

    A few related rfc's good to reference are:

    It seems each domain should have a separate certificate, with one CN name (there are options, but probably mail.domain.tld or the mail server's hostname) and various SAN names added, including the domain itself, mail.domain.tld (or whatever name clients should use according to the service provider's instructions/policy), the mail server's hostname, and all names used in SRV records (_imap, _imaps, _pop3, _pop3s, _submission, _submissions, _sieve), and could include a wildcard *.domain as SAN or even the CN.

    It would be nice to integrate the SRV records with the certificate generation for a standard hosted mail domain, similar to how DKIM is done.

    This will need to be implemented after support for ISPConfig managing server certificates is added (which I believe will be via acme.sh?), but should definitely be kept in mind during that implementation as well.

    Having full (multi-server) DNSSEC support would additionally help clients see less pop-up messages regarding mail certificates in some configurations, as a note (not part of implementing SNI for mail).
     
    till likes this.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's great news that postfix did this step. It was really overdue.
     
  3. ahrasis

    ahrasis Well-Known Member

    I think Neilpang acme.sh will be supported in 3.2 but only for website via LE lib files and only if certbot is not found installed.

    For that he only problem I see with the commited code is that it is forcing an automatic install and use of acme.sh if certbot is not found, which is not kinda not right.

    It should only remind via log or error message that no supported LE clients softwares is found installed and let the server admins choose from the list of supported LE clients softwares.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The acme.sh code is not complete and not finished yet. Beside that, we will probably phase out certbot as it's a constant source of errors, just see the current problems where certbot stopped on some servers to mention the domains in the renewal files which cause certs to be not found, and replace it with the more stable acme.sh
     
  5. ahrasis

    ahrasis Well-Known Member

    Noted that.

    So will official certbot still be supported in 3.2 or the plan is to phase it out completely and replace it with Neilpang acme.sh by then?

    I think those who use certbot deserved to know so they can plan and manage their ISPConfig servers for that changes when the time comes.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    We will probably support both for some time but will replace it in the installation guides.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

Share This Page