Mailing List Message #105792
From: Fred Zwarts (KVI) <>
Subject: Re: R: correct usage of SSL certs
Date: Thu, 27 Aug 2015 11:23:27 +0200
To: <>
"Brian Turnbow"  wrote in message

Hi,

>Hi list,
>I don’t fully understand if the SSL certificate has to be issued for
>the domain ( or the specific host ( ; it
>seems it makes a difference for IMAP but maybe not for SMTP ?
>Also, I don’t know how it should be done when the MX record is set up
>as a CNAME to the real server, as in:
>MX records for point to ; “A” records
>for point to CNAME ; whose “A”
>records do point to an IP address.
>So the SSL cert should be for “” or for
>“” ?
>case in point: when I went on to finally buy real SSL Certs (as the
>self-signed were rejected by everyone), I was first about to buy for
> and during the process it said it would apply to
>“  AND” which sounded
>so I finally decided to buy for “” which would apply to
>“ AND”
>Now it seems to be working for incoming SMTP (I don’t see new errors);
>but for IMAP my mail client balks at it saying that the SSL Certificate
>is for “” and not for “”; also I don’t
>know how well might it be working for SMTP out… and the CNAME situation
>might even complicate things more?
>(nevertheless in the SPF records, “” is also

As said, the RFCs do not allow CNAMES in MX records.

For the rest, it is a bit of a problem if the IMAP(POP) service uses another domain
name than the SMTP service.
We have the same problem. We use different names, because sometimes
(migrations) we run them on different servers, but usually they run on the same
server. The best solution would be a wildcard certificate for *,
but wildcard certificates are very expensive.

You can always get a cheap one year cert for a single name i.e.  and use it for all services (other domains can use it as long as they use user@therdomain to login) and wait for

general availability scheduled for November.

It sounds easy to temporarily use a single name for all services, but it means that all users must change the setup of all their mail clients (and change it back with the next migration).
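
Added example, not part of the original message: a minimal Python sketch of the name check a mail client performs, showing why a single-name certificate fails for a differently named IMAP host while a wildcard covers both services. The host names under example.org are constructed placeholders (the thread's real names are not shown), and refusing a wildcard directly under a top-level label is a conservative policy assumed here.

```python
# Added example: names below are constructed placeholders (example.org),
# not the hosts discussed in the thread.

def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, host):
    """True if one dNSName entry of a certificate covers host.

    A wildcard is honoured only as the entire leftmost label and
    stands for exactly one label (RFC 6125 style matching).
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Assumed policy: at least two labels must follow the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(san_list, host):
    """True if any name in the certificate covers host."""
    return any(san_matches(p, host) for p in san_list)

def uncovered(san_list, service_hosts):
    """Return {service: host} for each service the certificate does not cover."""
    return {svc: host for svc, host in service_hosts.items()
            if not cert_covers(san_list, host)}

# Constructed setup: SMTP and IMAP are published under different names.
SERVICES = {"smtp": "mail.example.org", "imap": "imap.example.org"}
SINGLE_NAME_CERT = ["mail.example.org"]
WILDCARD_CERT = ["*.example.org"]

if __name__ == "__main__":
    for label, sans in (("single-name", SINGLE_NAME_CERT),
                        ("wildcard", WILDCARD_CERT)):
        print(label, "leaves uncovered:", uncovered(sans, SERVICES))
```

Note that the wildcard matches exactly one label, so it covers neither the bare domain nor names two levels below it.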