Mailing List CGatePro@mail.stalker.com Message #105790
From: Fred Zwarts (KVI) <F.Zwarts@KVI.nl>
Subject: Re: correct usage of SSL certs
Date: Thu, 27 Aug 2015 09:30:24 +0200
To: <CGatePro@mail.stalker.com>
"Roberto Michelena"  wrote in message news:list-78522899@mail.stalker.com...

Hi list,

I don’t fully understand if the SSL certificate has to be issued for the domain (mydomain.com) or the specific host (mail.mydomain.com); it seems it makes a difference for IMAP but maybe not for SMTP?

Also, I don’t know how it should be done when the MX record is set up as a CNAME to the real server, as in:
MX records for mydomain.com point to mail.mydomain.com; “A” records for mail.mydomain.com point to CNAME server.otherdomain.com, whose “A” records do point to an IP address.
So should the SSL cert be for “mail.mydomain.com” or for “server.otherdomain.com”?

Case in point: when I went on to finally buy real SSL certs (as the self-signed ones were rejected by everyone), I was first about to buy for mail.mydomain.com, and during the process it said it would apply to “mail.mydomain.com AND www.mail.mydomain.com”, which sounded ridiculous, so I finally decided to buy for “mydomain.com”, which would apply to “mydomain.com AND www.mydomain.com”.

Now it seems to be working for incoming SMTP (I don’t see new errors); but for IMAP my mail client balks at it, saying that the SSL certificate is for “mydomain.com” and not for “mail.mydomain.com”; also I don’t know how well it might be working for outgoing SMTP…
And the CNAME situation might even complicate things more?
(Nevertheless, in the SPF records, “server.otherdomain.com” is also listed.)

As said, the RFCs do not allow CNAMEs in MX records.

For the rest, it is a bit of a problem if the IMAP (POP) service uses another domain name than the SMTP service.
We have the same problem. We use different names, because sometimes (during migrations) we run them on different servers, but usually they run on the same server. The best solution would be a wildcard certificate for *.mydomain.com, but wildcard certificates are very expensive.
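The name-matching rule behind this thread, as an added example that is not part of the original messages: a mail client compares the hostname it was configured to connect to (mail.mydomain.com, not whatever a CNAME resolves to) against the DNS names on the certificate, and a wildcard covers exactly one label. The certificate name sets below are constructed from the names quoted in the thread, not read from real certificates.

```python
"""Simplified TLS hostname matching (RFC 6125 style) for the names in this thread."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly '*.domain') covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so it never covers the bare
    # domain (mydomain.com) or a deeper name (a.b.mydomain.com).
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # Only a whole leftmost label may be a wildcard, and not "*.com".
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers(cert_names: list[str], hostname: str) -> bool:
    """Does any name on the certificate match the host the client connected to?"""
    return any(hostname_matches(name, hostname) for name in cert_names)


# Constructed name sets mirroring the options discussed in the thread.
BOUGHT_CERT = ["mydomain.com", "www.mydomain.com"]          # what the poster bought
HOST_CERT = ["mail.mydomain.com", "www.mail.mydomain.com"]  # the option first offered
WILDCARD_CERT = ["*.mydomain.com"]                          # the reply's suggestion

SERVICE_HOSTS = ("mail.mydomain.com", "mydomain.com", "server.otherdomain.com")


def check_endpoints(cert_names: list[str]) -> dict[str, bool]:
    """Which of the hostnames a client might be pointed at does this cert satisfy?"""
    return {host: cert_covers(cert_names, host) for host in SERVICE_HOSTS}


if __name__ == "__main__":
    for label, names in (("bought", BOUGHT_CERT), ("host", HOST_CERT), ("wildcard", WILDCARD_CERT)):
        print(label, check_endpoints(names))
```

The bought certificate fails for mail.mydomain.com, which is exactly the IMAP client's complaint, while the wildcard covers mail.mydomain.com but still not server.otherdomain.com.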