Mailing List Message #105791
From: Brian Turnbow <>
Subject: R: correct usage of SSL certs
Date: Thu, 27 Aug 2015 10:21:00 +0200
To: 'CommuniGate Pro Discussions' <>
X-Mailer: E-box Connector 4.2.70-185

HI ,

> >
> >Hi list,
> >
> >I don’t fully understand if the SSL certificate has to be issued for
> >the domain ( or the specific host ( ; it
> >seems it makes a difference for IMAP but maybe not for SMTP ?
> >
> >Also, I don’t know how it should be done when the MX record is set up
> >as a CNAME to the real server, as in:
> >MX records for point to ; “A” records
> >for point to CNAME ; whose “A”
> >records do point to an IP address.
> >So the SSL cert should be for “” or for
> >“” ?
> >
> >case in point: when I went on to finally buy real SSL Certs (as the
> >self-signed were rejected by everyone), I was first about to buy for
> > and during the process it said it would apply to
> >“  AND” which sounded
> ridiculous
> >so I finally decided to buy for “” which would apply to
> >“ AND”
> >
> >Now it seems to be working for incoming SMTP (I don’t see new errors);
> >but for IMAP my mail client balks at it saying that the SSL Certificate
> >is for “” and not for “”; also I don’t
> >know how well might it be working for SMTP out… and the CNAME situation
> >might even complicate things more?
> >(nevertheless in the SPF records, “” is also
> >listed)
> As said, the RFCs do not allow CNAMES in MX records.
> For the rest, it is a bit a problem if the IMAP(POP) service uses an other domain
> name than the SMTP service.
> We have the same problem. We use different names, because sometimes
> (during
> migrations) we run them on different servers, but usually they run on the same
> server. The best solution would be a wildcard certificate for *,
> but wildcard certificates are very expensive.

You can always get a cheap one year cert for a single name i.e.  and use it for all services (other domains can use it as long as they use user@therdomain to login) and wait for

general availability scheduled for November.


Subscribe (FEED) Subscribe (DIGEST) Subscribe (INDEX) Unsubscribe Mail to Listmaster