Mailing List CGatePro@mail.stalker.com Message #105789
From: Karl Zander <cgplist@commpartners.com>
Subject: Re: correct usage of SSL certs
Date: Wed, 26 Aug 2015 10:41:02 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro WebUser v6.0.11
>Also, I don’t know how it should be done when the MX record is set up as a CNAME to the real server, as in:
>MX records for mydomain.com point to mail.mydomain.com ; “A” records for mail.mydomain.com point to CNAME server.otherdomain.com ; whose “A” records do point to an IP address.


An MX record should NOT point to a CNAME.

See RFC 2181 Section 10.3

http://www.rfc-editor.org/rfc/rfc2181.txt

10.3. MX and NS records

   The domain name used as the value of a NS resource record, or part of
   the value of a MX resource record must not be an alias.  Not only is
   the specification clear on this point, but using an alias in either
   of these positions neither works as well as might be hoped, nor well
   fulfills the ambition that may have led to this approach.  This
   domain name must have as its value one or more address records.
   Currently those will be A records, however in the future other record
   types giving addressing information may be acceptable.  It can also
   have other RRs, but never a CNAME RR.


MX should always point to a real host name of a mailserver with its own A record.

--Karl


On Tue, 25 Aug 2015 10:41:33 -0500
 Roberto Michelena <rmichelena@mac.com> wrote:
>Hi list,
>
>I don’t fully understand if the SSL certificate has to be issued for the domain (mydomain.com) or the specific host (mail.mydomain.com); it seems it makes a difference for IMAP but maybe not for SMTP?
>
>Also, I don’t know how it should be done when the MX record is set up as a CNAME to the real server, as in:
>MX records for mydomain.com point to mail.mydomain.com ; “A” records for mail.mydomain.com point to CNAME server.otherdomain.com ; whose “A” records do point to an IP address.
>So the SSL cert should be for “mail.mydomain.com” or for “server.otherdomain.com” ?
>
>case in point: when I went on to finally buy real SSL Certs (as the self-signed were rejected by everyone), I was first about to buy for mail.mydomain.com and during the process it said it would apply to “mail.mydomain.com AND www.mail.mydomain.com” which sounded ridiculous, so I finally decided to buy for “mydomain.com” which would apply to “mydomain.com AND www.mydomain.com”
>
>Now it seems to be working for incoming SMTP (I don’t see new errors); but for IMAP my mail client balks at it saying that the SSL Certificate is for “mydomain.com” and not for “mail.mydomain.com”; also I don’t know how well might it be working for SMTP out…
>and the CNAME situation might even complicate things more?
>(nevertheless in the SPF records, “server.otherdomain.com” is also listed)
>
>Roberto Michelena
>
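The check Karl is describing (every MX target must own its address records directly, never via an alias) as an added example; this is not code from the thread or from CommuniGate Pro. The record set is constructed to reproduce the layout Roberto describes (mydomain.com MX -> mail.mydomain.com, which is a CNAME for server.otherdomain.com, which has the A record); the names come from the thread, the addresses are placeholders from 192.0.2.0/24, and example.net / broken.example are assumed extra zones added for comparison.

```python
"""Audit MX targets against RFC 2181 section 10.3: the MX target must have
address records of its own and must never be a CNAME.

Added example, not part of the mailing-list thread.  The records below are
constructed data, not real DNS answers; swap `lookup` for a real resolver
(or feed it the output of `dig +noall +answer`) to audit a live domain.
"""

from typing import Dict, List, Optional, Tuple

RRSet = Dict[Tuple[str, str], List[str]]

# Constructed zone data keyed by (owner name, record type).
RECORDS: RRSet = {
    # The layout from the thread: MX -> alias -> real host.
    ("mydomain.com.", "MX"): ["10 mail.mydomain.com."],
    ("mail.mydomain.com.", "CNAME"): ["server.otherdomain.com."],
    ("server.otherdomain.com.", "A"): ["192.0.2.25"],   # placeholder address
    # A compliant setup (assumed zone): the MX target owns its own A record.
    ("example.net.", "MX"): ["10 mx.example.net."],
    ("mx.example.net.", "A"): ["192.0.2.30"],           # placeholder address
    # A dangling setup (assumed zone): the MX target resolves to nothing.
    ("broken.example.", "MX"): ["10 nowhere.broken.example."],
}


def lookup(records: RRSet, name: str, rtype: str) -> List[str]:
    """Return the RDATA strings for (name, rtype), or [] if the RRset is absent."""
    return records.get((name.lower(), rtype), [])


def resolve_addresses(records: RRSet, name: str,
                      max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Follow CNAMEs the way a resolver does.

    Returns (addresses, chain).  `chain` lists every CNAME target followed
    before address records were found; an empty chain means `name` owns its
    own A/AAAA records, which is what an MX target is required to do.
    """
    chain: List[str] = []
    current = name
    for _ in range(max_hops):
        addrs = lookup(records, current, "A") + lookup(records, current, "AAAA")
        if addrs:
            return addrs, chain
        cname = lookup(records, current, "CNAME")
        if not cname:
            return [], chain          # dangling: no addresses anywhere
        current = cname[0]
        chain.append(current)
    raise ValueError(f"CNAME chain for {name} exceeds {max_hops} hops (loop?)")


def check_mx(records: RRSet, domain: str) -> List[dict]:
    """Audit every MX record of `domain`; one finding per MX target.

    A target passes only when it resolves to addresses directly.  A CNAME on
    the way, or no addresses at all, is reported as a problem.
    """
    findings = []
    for rdata in lookup(records, domain, "MX"):
        preference, target = rdata.split()
        addresses, chain = resolve_addresses(records, target)
        problem: Optional[str]
        if chain:
            problem = "MX target is a CNAME (alias) for " + " -> ".join(chain)
        elif not addresses:
            problem = "MX target has no address records"
        else:
            problem = None
        findings.append({
            "preference": int(preference),
            "target": target,
            "addresses": addresses,
            "chain": chain,
            "ok": problem is None,
            "problem": problem,
        })
    return findings


def report(records: RRSet, domain: str) -> str:
    """Render the findings for `domain` as a short human-readable table."""
    lines = [f"MX audit for {domain}"]
    for f in check_mx(records, domain):
        status = "OK  " if f["ok"] else "FAIL"
        addrs = ", ".join(f["addresses"]) or "(none)"
        lines.append(f"  {status} {f['preference']:>3} {f['target']} -> {addrs}")
        if f["problem"]:
            lines.append(f"       {f['problem']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for zone in ("mydomain.com.", "example.net.", "broken.example."):
        print(report(RECORDS, zone))
```

Run stand-alone it prints a FAIL line for mydomain.com naming the alias chain, an OK line for example.net, and a FAIL for the dangling target. The manual equivalent is `dig +short CNAME mail.mydomain.com` for each name your MX records return: any answer at all means the MX is pointing at an alias and should be repointed at the host that actually carries the A record.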