Do Postfix and Dovecot support OCSP stapling?
Since I would like to set the "must staple" attribute in my SSL certificates, I was doing some research to find out if all of my services support OCSP stapling. So far I found out that Apache does, which I was able to confirm using SSLLabs.com.
But apart from that, I wasn't able to confirm whether my two other services (SMTP and IMAP) also support OCSP stapling. Now my question is: do Postfix and Dovecot also support it?
PS: I know that certificates don't seem to be crucial when it comes to mail transport, but I would like to avoid any possible issues, if I do add the attribute and a client might refuse to work because of that, while others could benefit from it.
Solution 1:
As of 2017-10, No.
Dovecot does not have any OCSP support whatsoever; as of 2016 it was considering the feature for a future release, but no work has been done on that since.
Postfix does not have any OCSP support whatsoever, and as of 2017 is not planning to ever implement such a feature.
Exim can provide clients with an OCSP response, but acquiring one is left as an exercise to the admin.
The main arguments against adding such support are:
- Security features should be simple so they have more benefit than added risks. OCSP is complex. Short certificate validity is simple and mitigates the same issue.
- The Chicken-Egg problem of OCSP support in servers being entirely useless until MUAs add such support.
This does not hinder the usage of must-staple certificates in web servers. Just have the option enabled on your web server certificate (e.g. www.example.com) and disabled on your mail server certificate (e.g. mail1.example.com).
Warning: If support eventually is enabled in your desired servers, do not also expect them to validate the OCSP responses they send (e.g., nginx has an optional, default-off feature ssl_stapling_verify for such purposes).
Speaking from experience, OCSP responders occasionally return the weirdest things, which (if your server unconditionally forwards them unchecked) will disconnect your clients' MUAs, when in fact the second-latest response would have been fine.
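The question of whether a given Postfix or Dovecot instance staples can also be settled empirically instead of by reading release notes. The script below is an added example, not part of the question or the answer above: it drives `openssl s_client -status` (with `-starttls smtp` / `-starttls imap` for the STARTTLS ports, and plain TLS for 465/993) and classifies the output by the lines s_client prints, "OCSP response: no response sent" versus "OCSP Response Status: successful". The hostnames in the usage section are placeholders, and the sample outputs in the test are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example: probe TLS services for a stapled OCSP response.
# Requires the openssl command-line tool; hostnames below are placeholders.

# Classify `openssl s_client -status` output read from stdin.
# Prints one of: stapled, none, error, unknown.
ocsp_status_from_output() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;  # server sent a good response
        *"OCSP response: no response sent"*)  echo none ;;     # no stapling at all
        *"OCSP Response Status:"*)            echo error ;;    # stapled, but not "successful"
        *)                                    echo unknown ;;  # handshake failed, etc.
    esac
}

# Check `openssl x509 -noout -text` output (stdin) for the must-staple
# extension, which openssl renders as "X509v3 TLS Feature:" / "status_request".
must_staple_from_text() {
    if grep -A1 'TLS Feature' | grep -q 'status_request'; then
        echo must-staple
    else
        echo optional
    fi
}

# probe HOST PORT [STARTTLS_PROTOCOL]
# Opens a TLS session and reports whether an OCSP response was stapled.
# STARTTLS_PROTOCOL is "smtp" or "imap" for ports 25/587/143; omit it for
# implicit-TLS ports such as 465/993.
probe() {
    host=$1; port=$2; proto=$3
    starttls=""
    [ -n "$proto" ] && starttls="-starttls $proto"
    # The piped QUIT makes s_client exit instead of waiting on stdin.
    printf 'QUIT\r\n' \
        | openssl s_client -connect "$host:$port" -servername "$host" \
              -status $starttls 2>/dev/null \
        | ocsp_status_from_output
}

# Usage: ./ocsp-probe.sh mail1.example.com
# Runs only when a hostname is given, so the file can be sourced for its functions.
if [ "$#" -ge 1 ]; then
    for host in "$@"; do
        echo "$host:443  (https)        $(probe "$host" 443)"
        echo "$host:587  (smtp+starttls) $(probe "$host" 587 smtp)"
        echo "$host:143  (imap+starttls) $(probe "$host" 143 imap)"
        echo "$host:993  (imaps)         $(probe "$host" 993)"
    done
fi
```

Run it against the web host and the mail host and compare: with the answer's state of affairs, the 443 line should read `stapled` (assuming the web server is configured for it) and the Postfix/Dovecot lines `none`. Pipe a certificate through `openssl x509 -in cert.pem -noout -text | must_staple_from_text` to confirm that the mail certificate was issued without the must-staple extension before deploying it.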