 . '''To [[MailTransfer|Configure MailTransfer Agents]]''' - '''To [[FAQ/ServerCerts|Server Certificate FAQs]]'''
----
= Project: How To Connect Multiple Email Domains via TLS =

== Given Sample ==
 . 3 dedicated email domains run by 3 companies, each on its own LAN secured by firewalls
 . Each company uses its own server certs
  a. Company A (domainA.tld) uses CAcert server certs
  a. Company B (domainB.tld) uses Verisign server certs
  a. Company C (domainC.tld) uses GeoTrust server certs
 . ''Using 3 different CAs for the 3 companies in this example only shows that there is no requirement to use the same CA everywhere; using the same CA for all companies simplifies the rollout.''

== Objectives ==
 . Connect 3 independent companies with a minimal agreement to transport B2B email securely via TLS over the internet
 . Configure the internet gateways to enable TLS
 . Configure the internet gateways to support TLS connections for specific target email domains
 . '''Pros:'''
  . Companies only need to configure their internet gateways (as a first step, to transfer their business emails securely from one company to another over the internet)
  . Client cert usage can be rolled out in a later project step
  . Not all users in all connected companies need a client cert
  . User education on client certs is not a requirement for starting to secure B2B communication (but may be in a later project step)
 . '''Cons:'''
  . The email admins configuring the companies' internet gateways have to work together
  . Using client certs from a CA that isn't included in the major browsers/OSes/applications requires an administrative software/policy rollout of the roots in the companies' intranets, which probably requires rewriting company policies

== Configure Internet Gateways for using TLS connectivity ==
 . Internet gateway configuration
  1. Company A (domainA.tld)
   . create and configure own server cert gatewayA.domainA.tld
   . dedicated routing to domainB.tld, domainC.tld
   . enable TLS connection for the dedicated routings
   . make root and intermediate certificates known to the internet gateway server of Company A
    a. CAcert root/subroot
    a. Verisign root/subroot
    a. GeoTrust root/subroot
  1. Company B (domainB.tld)
   . create and configure own server cert gatewayB.domainB.tld
   . dedicated routing to domainA.tld, domainC.tld
   . enable TLS connection for the dedicated routings
   . make root and intermediate certificates known to the internet gateway server of Company B
    a. CAcert root/subroot
    a. Verisign root/subroot
    a. GeoTrust root/subroot
  1. Company C (domainC.tld)
   . create and configure own server cert gatewayC.domainC.tld
   . dedicated routing to domainA.tld, domainB.tld
   . enable TLS connection for the dedicated routings
   . make root and intermediate certificates known to the internet gateway server of Company C
    a. CAcert root/subroot
    a. Verisign root/subroot
    a. GeoTrust root/subroot
 . Then each connection from DomainA goes via TLS to DomainB and via TLS to DomainC,
 . each connection from DomainB goes via TLS to DomainA and via TLS to DomainC, and
 . each connection from DomainC goes via TLS to DomainA and via TLS to DomainB
 . Default SMTPS port: 465
 . Configure each SMTP connector on all internet gateways to support port 25 (non-secure channel) and port 465 for the TLS channel
 . Sample for one connector (domainA.tld) (postfix):
  . main.cf file:
{{{
transport_maps = hash:/etc/postfix/transport
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
}}}
  . tls_policy file:
{{{
# smtp_tls_policy_maps is searched with the next-hop exactly as written in
# the transport map (including the [] and the :port), so the keys must be
# the gateway destinations, not the bare recipient domains.
# "may" is opportunistic TLS and falls back to plaintext if the peer offers
# no STARTTLS; use "encrypt" or "secure" to make TLS mandatory.
[gatewayB.domainB.tld]:465   may
[gatewayC.domainC.tld]:465   may
}}}
  . transport file:
{{{
# add specific relayhosts for specific domains
# Specifies specific domains for local delivery
domainA.tld    :
# Specify all subdomains for local delivery
.domainA.tld   :
# route to domainB.tld, domainC.tld using TLS
# (port 465 is implicit TLS/SMTPS; the Postfix smtp client only speaks that
# with smtp_tls_wrappermode = yes, otherwise it expects STARTTLS on this port)
domainB.tld    :[gatewayB.domainB.tld]:465
.domainB.tld   :[gatewayB.domainB.tld]:465
domainC.tld    :[gatewayC.domainC.tld]:465
.domainC.tld   :[gatewayC.domainC.tld]:465
}}}
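 . The following Python script is an added example (it is not part of the original wiki sample and not Postfix's own code). It embeds constructed copies of the transport and tls_policy tables above and reproduces the documented transport(5) and smtp_tls_policy_maps lookup rules, so an admin can predict before rollout which TLS level each B2B route actually gets. The sample tables, the partner domain list and the main.cf default of `smtp_tls_security_level = may` are assumptions and are marked as such in the comments; the script also contrasts a policy keyed by recipient domain (which the rerouted partner mail never reaches) with one keyed by next-hop.

```python
"""Added example: predict the TLS security level Postfix applies per B2B route.

Reproduces two documented lookup rules:
 * transport(5): the recipient domain first, then parent domains as ".parent".
 * smtp_tls_policy_maps: the key is the next-hop exactly as written in the
   transport map (including [] and :port); the ".parent" fallback is only
   tried when the key is a bare domain name.
"""
import re

# Constructed sample tables (assumption: modelled on the wiki sample, not a live system).
TRANSPORT = """
# local delivery for our own domain and its subdomains
domainA.tld    :
.domainA.tld   :
# B2B partners are rerouted to their gateways
domainB.tld    :[gatewayB.domainB.tld]:465
.domainB.tld   :[gatewayB.domainB.tld]:465
domainC.tld    :[gatewayC.domainC.tld]:465
.domainC.tld   :[gatewayC.domainC.tld]:465
"""

# Policy keyed by recipient domain: never consulted for the rerouted partners.
POLICY_BY_DOMAIN = """
domainB.tld     may
.domainB.tld    may
domainC.tld     may
.domainC.tld    may
"""

# Policy keyed by next-hop, with mandatory, certificate-verified TLS.
POLICY_BY_NEXTHOP = """
[gatewayB.domainB.tld]:465   secure match=gatewayB.domainB.tld
[gatewayC.domainC.tld]:465   secure match=gatewayC.domainC.tld
"""

DEFAULT_LEVEL = "may"  # assumption: main.cf sets smtp_tls_security_level = may

# Levels from weakest to strongest, in the order postconf(5) lists them.
LEVELS = ["none", "may", "encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"]


def parse_map(text):
    """Parse a Postfix 'key  value' table source; keys are case-insensitive."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table


def parent_domain_lookup(table, domain):
    """Exact match, then '.parent' for each proper parent domain (transport(5) rule)."""
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def tls_policy_lookup(policy, nexthop):
    """Apply the smtp_tls_policy_maps key rule to a next-hop string."""
    key = nexthop.lower()
    if key.startswith("[") or re.search(r":\d+$", key):
        return policy.get(key)  # literal key only, no parent-domain fallback
    return parent_domain_lookup(policy, key)


def route(transport, policy, recipient_domain):
    """Return (nexthop, level) that Postfix would use for recipient_domain."""
    entry = parent_domain_lookup(transport, recipient_domain.lower()) or ""
    # value is transport:nexthop; an empty nexthop means the recipient domain itself
    nexthop = entry.partition(":")[2] or recipient_domain.lower()
    found = tls_policy_lookup(policy, nexthop)
    level = found.split()[0] if found else DEFAULT_LEVEL
    return nexthop, level


def audit(transport_text, policy_text, partner_domains, required="encrypt"):
    """List (domain, nexthop, level, ok) where ok means level is at least `required`."""
    transport, policy = parse_map(transport_text), parse_map(policy_text)
    report = []
    for domain in partner_domains:
        nexthop, level = route(transport, policy, domain)
        ok = LEVELS.index(level) >= LEVELS.index(required)
        report.append((domain, nexthop, level, ok))
    return report


if __name__ == "__main__":
    partners = ["domainB.tld", "sales.domainC.tld", "partner.example"]  # constructed
    for name, text in (("keyed by domain", POLICY_BY_DOMAIN), ("keyed by next-hop", POLICY_BY_NEXTHOP)):
        print(f"tls_policy {name}:")
        for domain, nexthop, level, ok in audit(TRANSPORT, text, partners):
            print(f"  {domain:18} -> {nexthop:28} {level:8} {'OK' if ok else 'WEAK'}")
```

 . Run with a real pair of files by replacing the two embedded strings with `open('/etc/postfix/transport').read()` and `open('/etc/postfix/tls_policy').read()`; any partner route reported as WEAK still allows a plaintext fallback, which is what the `may` level permits regardless of the port in the transport entry.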
 . More sample configurations: [[http://webmail.tm.net.my/info/smtp-proxy.html|How to setup Relay host in mail server]]
 . More info on TLS with postfix: [[http://tipstricks.itmatrix.eu/?p=855|Using TLS for mail delivery from postfix to another TLS activated mail server]]
 . Exchange Server: configure routing group connectors
----
 . CategoryCommunity
 . CategoryConfiguration
 . CategoryGuide
 . CategorySoftware
 . CategorySupport