What host name should the SSL certificate for an SMTP server contain?

ssl smtp certificate exim
33,444

Solution 1

This is actually not explicitly defined anywhere, and whether or not the server should be "trusted" depends on the client (which could of course be another mail server) connecting to it; quoting from the relevant RFC (RFC 2487):

If the SMTP client decides that the level of authentication or
privacy is not high enough for it to continue, it SHOULD issue an
SMTP QUIT command immediately after the TLS negotiation is complete.
If the SMTP server decides that the level of authentication or
privacy is not high enough for it to continue, it SHOULD reply to
every SMTP command from the client (other than a QUIT command) with
the 554 reply code (with a possible text string such as "Command
refused due to lack of security").

The decision of whether or not to believe the authenticity of the
other party in a TLS negotiation is a local matter. However, some
general rules for the decisions are:

- A SMTP client would probably only want to authenticate an SMTP
  server whose server certificate has a domain name that is the
  domain name that the client thought it was connecting to.

What this basically means is, when the server offers TLS encryption using a given certificate, the decision about accepting or refusing it depends entirely on the other part, which will probably want the name on the certificate to be the same it connected to, but could very well accept it even if it doesn't match.

But wait, there's more. Quoting again from the same RFC:

Upon completion of the TLS handshake, the SMTP protocol is reset to
the initial state (the state in SMTP after a server issues a 220
service ready greeting). The server MUST discard any knowledge
obtained from the client, such as the argument to the EHLO command,
which was not obtained from the TLS negotiation itself. The client
MUST discard any knowledge obtained from the server, such as the list
of SMTP service extensions, which was not obtained from the TLS
negotiation itself. The client SHOULD send an EHLO command as the
first command after a successful TLS negotiation.

So, what the server is saying in response to HELO/EHLO before the TLS handshake doesn't seem to actually matter at all.

In my experience, self-signed certificates work pretty well on Internet-facing mail servers, which means the other mail servers aren't even bothering to validate them, they'll just happily accept anything that can provide TLS encryption, regardless of the issuing authority or subject name.

Solution 2

An MTA delivering mail to your domain is going to lookup the MX record (which will yield a hostname), and then lookup an A record for that hostname. The hostname which it is connecting to is therefore the MX hostname, and so that is what will be verified against the SSL certificate common name. Verifying the HELO hostname doesn't make sense because the server can provide any HELO hostname it wants -- it doesn't provide additional security.

That said, strictly verifying SSL certificates when delivering mail isn't particularly useful at the moment, since MTAs will (almost always) fallback to non-SSL delivery, since that's how SMTP works at the moment. The sensible configuration is therefore to use SSL if the MX server offers it, regardless of whether the SSL certificate verifies or not (since encryption without authentication is better than no encryption and no authentication). You therefore might as well use a self-signed certificate for this purpose.

Solution 3

The task of verifying the server certificate and that it matches the host name of the server is purely the client's role, for any protocol using SSL/TLS.

As such, the host name in the certificate should match the name that the client is trying to access.

When the SSL/TLS connection is initiated up front (SMTPS), the server has no way of seeing what the HELO message says before the connection is established, so it must use the one with which it made the request.

When using SSL/TLS after STARTTLS, the client still intends to talk to the server with which it was configured, so that's still what it should check. Failing that would make MITM attacks possible:

  • C->S: Hello, I'm Alice, I want to talk to Bob.
  • S->C: Hi, I'm Chuck, here is my cert for Chuck.
  • C->S: Oh yes, your cert is indeed valid for Chuck. Let's proceed.
  • ... There's a flaw there of course, since Alice wanted a secure communication with Bob.

In both cases, it's the MX address that should be used.

The host name matching rules have recently been gathered across protocols in RFC 6125, but few clients implement it fully (it's more of a best practice RFC than a complete change, and it's still quite recent).

In its appendix, it summarises what existed about SMTP before (taken from RFC 3207 and RFC 4954). In particular "The client MUST NOT use any form of the server hostname derived from an insecure remote source (e.g., insecure DNS lookup)." (which applies to the server's banner of course). Apart from this, the SMTP legacy rules were a bit more relaxed than HTTPS regarding Subject Alternative Names (should instead of must be used).

The modern way is definitely to put the host name in a Subject Alternative Name DNS entry. Wildcard usage is also discouraged.

Solution 4

I think that the best would be to copy what is done in practice. I have checked a yahoo.com email address using http://checktls.com Hopefully, at yahoo, they used a different domain for their hostname and for their mx domain. So, their hostname is a yahoo.com and their mx domain ends with yahoodns.net

dig mx yahoo.com gives mta6.am0.yahoodns.net. among others

Result of checktls: the SSL certificate CN = MX domain (*.yahoodns.net)

I did the same with cisco and i had the same result.

Share:
33,444

Related videos on Youtube

David North
Author by

David North

Software developer and volunteer sysadmin living in Oxford, UK. Likes biscuits.

Updated on September 18, 2022

Comments

  • David North
    David North almost 2 years

    I have a server foo.example.com at 192.0.2.1

    It runs exim to receive e-mail for several of my domains.

    My domains each have an MX record pointing to mx.example.com, which resolves to 192.0.2.1

    If I want to make exim offer TLS encryption for incoming e-mail connections, what host name should I put in the SSL certificate?

    • foo.example.com because that's what the server will say in the HELO?
    • mx.example.com because that's the host name the clients will have connected to?

    http://www.checktls.com suggests that the latter is correct, but I can't find a definitive answer.

    • Chris Nava
      Chris Nava about 12 years
      In HTTP+SSL you would need a wildcard certificate (*.example.com) to serve multiple name based virtual servers. I'm not sure about SMTP+SSL but I suspect you will find a similar restriction. The way around it with HTTP is to bind each virtual server to a different IP and use a unique cert for each.
  • mgorven
    mgorven about 12 years
    I don't think that's correct.
  • Dr I
    Dr I about 12 years
    I'll improve my answer. On my mail server, if I want to have a connexion between my host server named for example: mx1.dn.tld and another server named for example: foo.dn.tld Here, I have to generate a SSL Cert with the hostname mx1.dn.tld. Now, if you have a mail server that you want to be accessible from other services using external standard access as for example IMAP, you will set the following DNS alias: imap.dn.tld which link to an IP or another hostname (mx1.dn.tld for example). and then generate a SSL Certificat using this imap.dn.tld hostname.
  • mgorven
    mgorven about 12 years
    Yes, but the question was not about IMAP/POP3 access, it was about mail delivery with SMTP.
  • Congmin
    Congmin almost 11 years
    Yes, and for this reason, it doesn't actually matter at all what Common Name is set to, or whether it is set at all in the first place.
  • Andreas Krey
    Andreas Krey almost 8 years
    It WOULD be nice if the cert would be for the mail domain - then DNSSEC wouldn't be essentially required to avoid MITMs.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How do I correctly configure exim4 on Debian so I can use `sendmail -t` to send mail via my office365 account?
WCF Exception - The client certificate is not provided
need help Debugging SSL handshake in tomcat
How to set SSL certificate for gmail SMTP
Sending Email to Gmail's SMTP server using TLS and Plain Authentication
smtp.gmail.com vs ssl://smtp.gmail.com while sending email using gmail smtp server
Error while creating self-signed SSL certificate
Cannot import certificate into java control panel
iPhone: install certificate for SSL connection
Connecting to MySQL server with ssl