DNS and certificate question

vermium

New Member
Jul 7, 2023
Hi! I recently started using PMG, super amazing service! I plan on expanding to an HA cluster and I wonder how to handle certificates for my cluster. I want to have one dedicated subdomain for each node and then one domain for users to put in their MX records. So let's say we have

pmg.mydomain.net A x.x.x.x
pmg.mydomain.net A y.y.y.y
pmg.mydomain.net A z.z.z.z

As well as for the individual nodes

pmg01.mydomain.net A x.x.x.x
pmg02.mydomain.net A y.y.y.y
pmg03.mydomain.net A z.z.z.z

And the domains then use

@ MX pmg.mydomain.net

I guess I need a valid certificate on pmg, pmg01, pmg02 and pmg03 for better reputation and such.

I use Let's Encrypt for certificates, so my question is: should I use the same certificate for pmg.mydomain.net on all of them (and if so, how can I keep them synced), or should I just use different certificates for each node, making pmg.mydomain.net have 3 different certs depending on the server?
In my experience certificate names and SANs are not checked this thoroughly in the context of SMTP - with opportunistic TLS the fallback would be to send the mails without any encryption - so the checks are not that strict.

What is more important is that the hostnames your PMG nodes have configured have a fitting DNS entry pointing to their public IP, and that the PTR record of the public IP matches their hostname.

If you want to have pmg.mydomain.net on 3 different systems you will need to validate that through a DNS plugin
(http-01 challenges will not work, since if pmg01 makes the request, Let's Encrypt could still verify the ownership by contacting pmg03 via HTTP, and there nobody will be listening for the verification).

I hope this helps!
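The two DNS requirements in the answer above (each node's hostname must resolve to its public IP and the IP's PTR must point back, and the shared round-robin name must cover exactly the nodes), as an added example in Python. This is not part of the post and not PMG code; the `mydomain.net` host names are the thread's, while the `192.0.2.x` addresses and the stale PTR for pmg03 are constructed test data, and the `live_*` resolvers use only the standard library if you point the script at real names.

```python
"""FCrDNS check for PMG nodes plus a consistency check of the shared MX name.
Added example for this thread; not PMG code. Host names come from the thread,
the addresses and PTR data below are constructed (TEST-NET-1 range)."""
import socket
import sys
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Constructed records: pmg03 deliberately keeps a stale PTR to show a failure.
FORWARD: Dict[str, List[str]] = {
    "pmg.mydomain.net": ["192.0.2.1", "192.0.2.2", "192.0.2.3"],
    "pmg01.mydomain.net": ["192.0.2.1"],
    "pmg02.mydomain.net": ["192.0.2.2"],
    "pmg03.mydomain.net": ["192.0.2.3"],
}
REVERSE: Dict[str, List[str]] = {
    "192.0.2.1": ["pmg01.mydomain.net"],
    "192.0.2.2": ["pmg02.mydomain.net"],
    "192.0.2.3": ["old-mx.example.net"],
}
NODES = ["pmg01.mydomain.net", "pmg02.mydomain.net", "pmg03.mydomain.net"]


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by an in-memory table (offline demo and tests)."""
    return lambda key: list(table.get(key.lower().rstrip("."), []))


def live_forward(name: str) -> List[str]:
    """A/AAAA lookup through the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> List[str]:
    """PTR lookup through the system resolver."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []


def fcrdns_problems(hostname: str, forward: Resolver, reverse: Resolver) -> List[str]:
    """Forward-confirmed reverse DNS: every address of `hostname` must have a
    PTR naming `hostname`. Returns human-readable problems, empty when fine."""
    ips = forward(hostname)
    if not ips:
        return [f"{hostname}: no A/AAAA record"]
    problems = []
    for ip in ips:
        ptr = [n.lower().rstrip(".") for n in reverse(ip)]
        if hostname.lower().rstrip(".") not in ptr:
            problems.append(f"{hostname}: PTR for {ip} is {ptr or 'missing'}, expected {hostname}")
    return problems


def cluster_problems(shared: str, nodes: List[str], forward: Resolver, reverse: Resolver) -> List[str]:
    """Every node passes FCrDNS, and the shared name resolves to exactly the
    union of the nodes' addresses (no stray or missing IP in the MX target)."""
    problems: List[str] = []
    for node in nodes:
        problems.extend(fcrdns_problems(node, forward, reverse))
    shared_ips = set(forward(shared))
    node_ips = {ip for n in nodes for ip in forward(n)}
    if shared_ips != node_ips:
        problems.append(f"{shared}: resolves to {sorted(shared_ips)} but nodes are {sorted(node_ips)}")
    return problems


if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: script.py shared-name node1 node2 ...
        found = cluster_problems(sys.argv[1], sys.argv[2:], live_forward, live_reverse)
    else:
        found = cluster_problems("pmg.mydomain.net", NODES,
                                 table_resolver(FORWARD), table_resolver(REVERSE))
    print("\n".join(found) or "all checks passed")
    sys.exit(1 if found else 0)
```

Run without arguments it reports the constructed pmg03 PTR mismatch; run as `script.py pmg.mydomain.net pmg01.mydomain.net pmg02.mydomain.net pmg03.mydomain.net` it performs the same checks against live DNS, which is a cheap thing to do before ordering certificates or changing the MX.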
What exactly is meant by "with opportunistic TLS the fallback would be to send the mails without any encryption"? Do you mean that I will have valid encryption if I send with SMTP server "pmg.mydomain.net" as long as I have a cert per underlying server?
 
What exactly is meant by "with opportunistic TLS the fallback would be to send the mails without any encryption"?
Probably best explained on Wikipedia:
https://en.wikipedia.org/wiki/Opportunistic_TLS

Put shortly: if the TLS handshake with a server fails, an SMTP client can only send the mail without any encryption at all. The result is that nowadays (still) most SMTP clients will rather send mails to a server with a non-matching (e.g. self-signed, different CN/SAN, expired) certificate than fall back to plain text.

Do you mean that I will have valid encryption if I send with SMTP server "pmg.mydomain.net" as long as I have a cert per underlying server?
I would assume that this is the case for most SMTP servers out there - just try it and keep an eye on the logs!
 
Cool! Thanks! Just another question: is it suitable to have the "internal SMTP" port available on the public internet? If I enable TLS under "Mail Proxy", would that data be encrypted then? (I guess?) Or is it a security risk of leaking the emails sent, if it is available on the public internet? Since I use this for clients, I currently have not planned to use a VPN connection for them.

Also, regarding DKIM, what is best practice? Letting clients make sure they use DKIM on their mail servers, or me signing all their emails (regardless of whether their server has DKIM or not) via PMG?
Since I guess it's bad practice to reuse the same key for all clients? I just want to minimize work for clients. So I was thinking of making them use:
Code:
selector._domainkey.customer.tld IN CNAME dkim.mydomain.net
And then having
Code:
dkim.mydomain.net IN TXT "v=DKIM; h=sha256; k=rsa;........"

But it may be better to let them enable DKIM, if they want to, on their internal servers?
If I enable TLS under "Mail Proxy", would that data be encrypted then?
Enabling TLS enables it also for the smtpd listener on the internal port - whether it is actually used depends on the SMTP client (the server that wants to relay through your PMG) - as this is what opportunistic TLS is about.

Or is it a security risk of leaking the emails sent, if it is available on the public internet? Since I use this for clients, I currently have not planned to use a VPN connection for them.
a) PMG is in general not meant to be used as a relay for clients, but as a proxy server in front of your e-mail servers...
b) Access control on the internal port is based on the trusted networks you can configure in the GUI - each IP listed there can relay to any e-mail address through your PMG - as long as you only list trusted IPs it should not be a problem - do not list the complete internet there, as this would effectively create an open relay!

Also, regarding DKIM, what is best practice? Letting clients make sure they use DKIM on their mail servers, or me signing all their emails (regardless of whether their server has DKIM or not) via PMG?
Depends very much on your and your clients' setup.

Since I guess it's bad practice to reuse the same key for all clients?
Not so sure about this one - a DKIM signature just says that the signing entity has access to the private key (which is trusted by the sending domain, since they actively added the public key to their DNS zone) - so having one selector for one (PMG) system does not seem like bad practice to me.

Regarding having the DKIM TXT record as a CNAME - from a quick glance it should work - but I have not tried this in practice.
Also keep in mind that the selector needs to be the same for all domains, and also needs to be the one configured in your PMG.
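The CNAME-to-shared-record layout discussed above, and the point that the selector must be identical for every domain, as an added example in Python that is not part of the thread and not PMG code. It resolves `<selector>._domainkey.<domain>` the way a receiving verifier's resolver does (following CNAMEs), then validates the key record's tags against RFC 6376. The zone data is constructed: the `pmg2023` selector name is an assumption, `FAKE_P` is only the base64 prefix of an RSA SubjectPublicKeyInfo and not a usable key, and `customer-c.tld` carries a deliberately wrong `v=DKIM` tag to show that RFC 6376 requires `v=DKIM1` when the tag is present.

```python
"""Resolve and validate DKIM key records, following CNAMEs as a receiver's
resolver would. Added example for this thread; not PMG code. All zone data
below is constructed; FAKE_P is not a real key."""
import base64
import re
from typing import Dict, List, Tuple

FAKE_P = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"  # constructed, truncated
SELECTOR = "pmg2023"  # assumed selector; must match the one configured in PMG

# (owner name, rrtype) -> rdata strings. Constructed zone data for the demo.
ZONE: Dict[Tuple[str, str], List[str]] = {
    # operator's single key record, shared by every customer that CNAMEs to it
    ("dkim.mydomain.net", "TXT"): [f"v=DKIM1; h=sha256; k=rsa; p={FAKE_P}"],
    ("dkim-alias.mydomain.net", "CNAME"): ["dkim.mydomain.net"],
    # customer-a: one CNAME hop, as proposed in the thread
    (f"{SELECTOR}._domainkey.customer-a.tld", "CNAME"): ["dkim.mydomain.net"],
    # customer-b: two CNAME hops
    (f"{SELECTOR}._domainkey.customer-b.tld", "CNAME"): ["dkim-alias.mydomain.net"],
    # customer-c: self-hosted record with the common 'v=DKIM' mistake
    (f"{SELECTOR}._domainkey.customer-c.tld", "TXT"): [f"v=DKIM; h=sha256; k=rsa; p={FAKE_P}"],
    # customer-e: CNAME loop, which a resolver must give up on
    (f"{SELECTOR}._domainkey.customer-e.tld", "CNAME"): ["loop.example"],
    ("loop.example", "CNAME"): [f"{SELECTOR}._domainkey.customer-e.tld"],
    # customer-d: intentionally has no record under this selector
}


def lookup(zone: Dict[Tuple[str, str], List[str]], name: str, rtype: str,
           max_cname: int = 8) -> Tuple[str, List[str]]:
    """Return (final owner name, rdata) for `rtype`, following CNAMEs first."""
    name = name.lower().rstrip(".")
    for _ in range(max_cname):
        target = zone.get((name, "CNAME"))
        if target:
            name = target[0].lower().rstrip(".")
            continue
        return name, list(zone.get((name, rtype), []))
    raise ValueError(f"CNAME chain too long starting at {name}")


def parse_dkim_record(txt: str) -> Dict[str, str]:
    """Parse an RFC 6376 tag=value list; folding whitespace inside values is dropped."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part.strip()!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_key(domain: str, selector: str, zone) -> Tuple[str, Dict[str, str]]:
    """Locate the key record a verifier would use for (selector, domain)."""
    name = f"{selector}._domainkey.{domain}"
    owner, records = lookup(zone, name, "TXT")
    if not records:
        raise LookupError(f"{name}: no TXT record (looked at {owner})")
    if len(records) > 1:
        raise LookupError(f"{name}: {len(records)} TXT records, expected exactly one")
    return owner, parse_dkim_record(records[0])


def dkim_problems(domain: str, selector: str, zone) -> List[str]:
    """Human-readable list of reasons a verifier would reject this key record."""
    try:
        owner, tags = dkim_key(domain, selector, zone)
    except (LookupError, ValueError) as exc:
        return [str(exc)]
    problems: List[str] = []
    if "v" in tags:  # optional, but when present it must be DKIM1 and come first
        if tags["v"] != "DKIM1":
            problems.append(f"{owner}: v={tags['v']!r} must be DKIM1")
        if list(tags)[0] != "v":
            problems.append(f"{owner}: v= must be the first tag")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"{owner}: unknown key type k={tags['k']!r}")
    if "h" in tags:
        unknown = set(tags["h"].split(":")) - {"sha1", "sha256"}
        if unknown:
            problems.append(f"{owner}: unknown hash algorithms {sorted(unknown)}")
    p = tags.get("p")
    if p is None:
        problems.append(f"{owner}: missing p= tag")
    elif p == "":
        problems.append(f"{owner}: empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:
            problems.append(f"{owner}: p= is not valid base64")
    return problems


if __name__ == "__main__":
    for dom in ["customer-a.tld", "customer-b.tld", "customer-c.tld", "customer-d.tld", "customer-e.tld"]:
        print(dom, dkim_problems(dom, SELECTOR, ZONE) or "ok")
```

Because the lookup key is built from the selector, a domain whose CNAME sits under a different selector name than the one PMG signs with simply yields "no TXT record", which is the failure mode the last sentence of the post warns about.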
 
