Mailing List CGatePro@mail.stalker.com Message #105791
From: Brian Turnbow <b.turnbow@twt.it>
Subject: R: correct usage of SSL certs
Date: Thu, 27 Aug 2015 10:21:00 +0200
To: 'CommuniGate Pro Discussions' <CGatePro@mail.stalker.com>
X-Mailer: E-box Connector 4.2.70-185

Hi,

> >
> >Hi list,
> >
> >I don’t fully understand if the SSL certificate has to be issued for
> >the domain (mydomain.com) or the specific host (mail.mydomain.com); it
> >seems it makes a difference for IMAP but maybe not for SMTP?
> >
> >Also, I don’t know how it should be done when the MX record is set up
> >as a CNAME to the real server, as in:
> >MX records for mydomain.com point to mail.mydomain.com; “A” records
> >for mail.mydomain.com point to CNAME server.otherdomain.com, whose “A”
> >records do point to an IP address.
> >So should the SSL cert be for “mail.mydomain.com” or for
> >“server.otherdomain.com”?
> >
> >case in point: when I went on to finally buy real SSL Certs (as the
> >self-signed were rejected by everyone), I was first about to buy for
> >mail.mydomain.com and during the process it said it would apply to
> >“mail.mydomain.com AND www.mail.mydomain.com”, which sounded ridiculous,
> >so I finally decided to buy for “mydomain.com” which would apply to
> >“mydomain.com AND www.mydomain.com”
> >
> >Now it seems to be working for incoming SMTP (I don’t see new errors);
> >but for IMAP my mail client balks at it saying that the SSL Certificate
> >is for “mydomain.com” and not for “mail.mydomain.com”; also I don’t
> >know how well might it be working for SMTP out… and the CNAME situation
> >might even complicate things more?
> >(nevertheless in the SPF records, “server.otherdomain.com” is also
> >listed)
>
> As said, the RFCs do not allow CNAMEs in MX records.
>
> For the rest, it is a bit of a problem if the IMAP (POP) service uses another domain
> name than the SMTP service.
> We have the same problem. We use different names, because sometimes (during
> migrations) we run them on different servers, but usually they run on the same
> server. The best solution would be a wildcard certificate for *.mydomain.com,
> but wildcard certificates are very expensive.

You can always get a cheap one-year cert for a single name, e.g. mail.domain.com, and use it for all services (other domains can use it as long as they log in as user@otherdomain), and wait for
https://letsencrypt.org/
general availability, scheduled for November.

Brian
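What the thread is circling around is name matching: a TLS client checks the certificate's DNS names against the hostname it was told to connect to (the account's IMAP server name, or the MX hostname), not against whatever that name eventually CNAMEs to. A certificate for "mydomain.com" plus "www.mydomain.com" therefore cannot satisfy an IMAP client configured for "mail.mydomain.com", while inbound SMTP kept working because MTA-to-MTA TLS was almost always opportunistic and did not verify the peer name at all. The following is an added example, not code from the thread or from CommuniGate Pro: an RFC 6125-style matcher applied to constructed SAN lists that mirror the three certificates discussed (the apex cert the poster bought, a single-host cert as Brian suggests, and the wildcard), plus a helper that pulls the SAN names off a live implicit-TLS port so you can see what a server actually presents before blaming the client. Hostnames and SAN lists are made up for illustration.

```python
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the entire leftmost label (``*.mydomain.com``) and it
    matches exactly one label, so ``*.mydomain.com`` covers
    ``mail.mydomain.com`` but neither the apex ``mydomain.com`` nor
    ``a.b.mydomain.com``. Patterns like ``*.com`` are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names, connect_name: str):
    """Return (ok, matched_name): does any SAN entry cover the name the
    client connected to? The CNAME target is irrelevant to this check."""
    for name in san_names:
        if hostname_matches(name, connect_name):
            return True, name
    return False, None


def fetch_san_names(host: str, port: int, timeout: float = 5.0):
    """Connect to an implicit-TLS port (993 IMAPS, 995 POP3S, 465 SMTPS) and
    return the DNS names in the presented certificate.

    Hostname checking is switched off on purpose so the certificate can be
    inspected even when its names do not match; chain validation stays on.
    Ports that use STARTTLS (25, 587, 143) need the protocol handshake first
    and are not handled here.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we want to see the mismatch, not fail on it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed SAN lists mirroring the thread; these are not real certificates.
CERT_FOR_APEX = ["mydomain.com", "www.mydomain.com"]            # what the poster bought
CERT_FOR_MAILHOST = ["mail.mydomain.com", "www.mail.mydomain.com"]  # the single-host option
CERT_WILDCARD = ["*.mydomain.com"]                               # the wildcard option

CLIENT_NAMES = ["mail.mydomain.com", "mydomain.com", "imap.mydomain.com", "a.b.mydomain.com"]


def coverage_table():
    """For each candidate certificate, which client-configured names does it cover?"""
    table = {}
    for label, sans in (("apex", CERT_FOR_APEX), ("mailhost", CERT_FOR_MAILHOST),
                        ("wildcard", CERT_WILDCARD)):
        table[label] = {name: cert_covers(sans, name)[0] for name in CLIENT_NAMES}
    return table


if __name__ == "__main__":
    import sys
    for label, row in coverage_table().items():
        print(f"{label:9s}", {n: ("ok" if ok else "MISMATCH") for n, ok in row.items()})
    if len(sys.argv) == 3:  # usage: python names.py mail.mydomain.com 993
        host, port = sys.argv[1], int(sys.argv[2])
        sans = fetch_san_names(host, port)
        print("presented:", sans, "covers", host, "->", cert_covers(sans, host)[0])
```

Run without arguments to see the offline table: the apex certificate covers only "mydomain.com", the single-host certificate covers only "mail.mydomain.com" (so every service has to be advertised under that one name, as Brian suggests), and the wildcard covers any one label under the domain but not the bare apex. With a host and port it connects and reports what the server really presents.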

