Mailing List Message #105790
From: Fred Zwarts (KVI) <>
Subject: Re: correct usage of SSL certs
Date: Thu, 27 Aug 2015 09:30:24 +0200
To: <>
"Roberto Michelena" wrote in message

Hi list,

I don’t fully understand if the SSL certificate has to be issued for the domain ( or the specific host ( ; it seems it makes a difference for IMAP but maybe not for SMTP?

Also, I don’t know how it should be done when the MX record is set up as a CNAME to the real server, as in:
MX records for point to ; “A” records for point to CNAME ; whose “A” records do point to an IP address.
So the SSL cert should be for “” or for “”?

Case in point: when I went on to finally buy real SSL Certs (as the self-signed were rejected by everyone), I was first about to buy for and during the process it said it would apply to “  AND” which sounded ridiculous so I finally decided to buy for “” which would apply to “ AND”

Now it seems to be working for incoming SMTP (I don’t see new errors); but for IMAP my mail client balks at it saying that the SSL Certificate is for “” and not for “”; also I don’t know how well it might be working for SMTP out…
and the CNAME situation might even complicate things more?
(nevertheless in the SPF records, “” is also listed)

As said, the RFCs do not allow CNAMEs in MX records.

For the rest, it is a bit of a problem if the IMAP(POP) service uses another domain name than the SMTP service.
We have the same problem. We use different names, because sometimes (during migrations) we run them on different servers, but usually they run on the same server. The best solution would be a wildcard certificate for *, but wildcard certificates are very expensive.
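
As an added example (not part of the original messages): the name check a TLS client such as the IMAP client in the question performs, comparing the hostname it was configured to connect to against the certificate's subjectAltName DNS entries in the style of RFC 6125. It goes slightly beyond the thread by also showing a multi-name certificate next to the wildcard; all hostnames are constructed placeholders, not the names from the thread.

```python
"""Hostname-vs-certificate matching in the style of RFC 6125 section 6.4.3.
All hostnames below are constructed placeholders, not names from the thread."""


def label_match(pattern: str, hostname: str) -> bool:
    """Compare one dNSName from a certificate with the name the client dialled."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and needs at
        # least two further labels, so "*.org" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards ("f*.example.org") are rejected outright here.
    return "*" not in pattern and p == h


def cert_covers(san_dns_names, hostname):
    """True if any dNSName in the certificate matches the hostname."""
    return any(label_match(n, hostname) for n in san_dns_names)


def report(san_dns_names, services):
    """Map each service to whether the certificate covers its hostname."""
    return {svc: cert_covers(san_dns_names, host) for svc, host in services.items()}


# Constructed setup: SMTP and IMAP are reached under different names.
SERVICES = {"smtp": "mx.example.org", "imap": "imap.example.org"}
SINGLE_NAME_CERT = ["mx.example.org"]
MULTI_SAN_CERT = ["mx.example.org", "imap.example.org"]
WILDCARD_CERT = ["*.example.org"]

if __name__ == "__main__":
    for name, sans in [("single", SINGLE_NAME_CERT),
                       ("multi-SAN", MULTI_SAN_CERT),
                       ("wildcard", WILDCARD_CERT)]:
        print(name, report(sans, SERVICES))
```

The wildcard covers one label only, so it matches neither the bare domain nor a name two levels below it.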