Mailing List CGatePro@mail.stalker.com Message #105792
From: Fred Zwarts (KVI) <F.Zwarts@KVI.nl>
Subject: Re: R: correct usage of SSL certs
Date: Thu, 27 Aug 2015 11:23:27 +0200
To: <CGatePro@mail.stalker.com>
"Brian Turnbow"  wrote in message news:list-78541417@mail.stalker.com...


Hi,

>
>Hi list,
>
>I don’t fully understand if the SSL certificate has to be issued for
>the domain (mydomain.com) or the specific host (mail.mydomain.com) ; it
>seems it makes a difference for IMAP but maybe not for SMTP ?
>
>Also, I don’t know how it should be done when the MX record is set up
>as a CNAME to the real server, as in:
>MX records for mydomain.com point to mail.mydomain.com ; “A” records
>for mail.mydomain.com point to CNAME server.otherdomain.com ; whose “A”
>records do point to an IP address.
>So the SSL cert should be for “mail.mydomain.com” or for
>“server.otherdomain.com” ?
>
>case in point: when I went on to finally buy real SSL Certs (as the
>self-signed were rejected by everyone), I was first about to buy for
>mail.mydomain.com and during the process it said it would apply to
>“mail.mydomain.com  AND www.mail.mydomain.com” which sounded ridiculous
>so I finally decided to buy for “mydomain.com” which would apply to
>“mydomain.com AND www.mydomain.com”
>
>Now it seems to be working for incoming SMTP (I don’t see new errors);
>but for IMAP my mail client balks at it saying that the SSL Certificate
>is for “mydomain.com” and not for “mail.mydomain.com”; also I don’t
>know how well might it be working for SMTP out… and the CNAME situation
>might even complicate things more?
>(nevertheless in the SPF records, “server.otherdomain.com” is also
>listed)

As said, the RFCs do not allow CNAMEs in MX records.

For the rest, it is a bit of a problem if the IMAP (POP) service uses another domain
name than the SMTP service.
We have the same problem. We use different names, because sometimes (during
migrations) we run them on different servers, but usually they run on the same
server. The best solution would be a wildcard certificate for *.mydomain.com,
but wildcard certificates are very expensive.

You can always get a cheap one-year cert for a single name, e.g. mail.domain.com, and use it for all services (other domains can use it as long as they use user@otherdomain to log in), and wait for
https://letsencrypt.org/
general availability, scheduled for November.

It sounds easy to temporarily use a single name for all services, but it means that all users must change the setup of all their mail clients (and change it back with the next migration).
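The following is an added example, not code from the list thread or from CommuniGate Pro. It walks through the two points discussed above with constructed data: a TLS client checks the certificate against the host name it was configured with (mail.mydomain.com), never against the CNAME target it eventually connects to, so a certificate for mydomain.com alone does not satisfy an IMAP client pointed at mail.mydomain.com, while a *.mydomain.com wildcard does; and an MX target that is itself a CNAME is flagged, since MX RDATA must name a host with address records. The zone records and certificate name lists are hypothetical and exist only to illustrate the matching rules.

```python
# Added example (not from the list thread): checks whether a certificate's
# subject names cover the host names mail clients actually connect to, and
# whether an MX target is a CNAME. All DNS records and host names below are
# constructed for illustration and do not refer to real servers.
from typing import Dict, List, Tuple

Zone = Dict[Tuple[str, str], List[str]]

# Constructed zone data mirroring the setup described in the question:
# MX -> mail.mydomain.com, which is a CNAME to server.otherdomain.com.
ZONE: Zone = {
    ("mydomain.com", "MX"): ["mail.mydomain.com"],
    ("mail.mydomain.com", "CNAME"): ["server.otherdomain.com"],
    ("server.otherdomain.com", "A"): ["192.0.2.10"],
}


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match of one certificate DNS name against a host name.

    Comparison is case-insensitive. A wildcard is accepted only as the entire
    left-most label and matches exactly one label, so '*.mydomain.com' covers
    'mail.mydomain.com' but neither 'mydomain.com' nor 'a.mail.mydomain.com'.
    Partial wildcards ('m*.example.com') and wildcards directly under a
    top-level label ('*.com') are rejected, as current TLS clients do.
    """
    pat, host = _labels(pattern), _labels(hostname)
    if "*" in pattern:
        if pat[0] != "*" or any("*" in label for label in pat[1:]):
            return False
        if len(pat) < 3:
            return False
        return len(host) == len(pat) and host[1:] == pat[1:]
    return pat == host


def cert_covers(cert_names: List[str], hostname: str) -> bool:
    """True if any subjectAltName dNSName (or CN fallback) covers hostname."""
    return any(san_matches(name, hostname) for name in cert_names)


def resolve_canonical(name: str, zone: Zone, limit: int = 8) -> str:
    """Follow CNAME records to the canonical name; return name unchanged
    if it is not an alias. Refuses chains longer than `limit` hops."""
    for _ in range(limit):
        targets = zone.get((name, "CNAME"))
        if not targets:
            return name
        name = targets[0]
    raise ValueError("CNAME chain too long at %s" % name)


def mx_cname_targets(domain: str, zone: Zone) -> List[str]:
    """MX targets that are aliases. RFC 2181 section 10.3 requires the MX
    target to be a host name with address records, not a CNAME."""
    return [t for t in zone.get((domain, "MX"), []) if (t, "CNAME") in zone]


def audit(cert_names: List[str], endpoints: Dict[str, str], zone: Zone) -> Dict[str, dict]:
    """For each service, report the name the client was configured with,
    the canonical host it resolves to, and whether the certificate covers
    the configured name. Clients verify the configured name, so a cert for
    server.otherdomain.com would not help a client set up for
    mail.mydomain.com, even though that is where the connection lands."""
    report = {}
    for service, host in endpoints.items():
        report[service] = {
            "configured_name": host,
            "canonical_name": resolve_canonical(host, zone),
            "cert_ok": cert_covers(cert_names, host),
        }
    return report


if __name__ == "__main__":
    bought = ["mydomain.com", "www.mydomain.com"]      # names on the cert that was bought
    wildcard = ["*.mydomain.com", "mydomain.com"]      # names a wildcard + apex cert would carry
    endpoints = {"imap": "mail.mydomain.com", "smtp-submission": "mail.mydomain.com"}
    for label, names in (("bought", bought), ("wildcard", wildcard)):
        print(label, audit(names, endpoints, ZONE))
    print("MX targets that are CNAMEs:", mx_cname_targets("mydomain.com", ZONE))
```

Running the script with the constructed zone shows cert_ok False for both IMAP and submission with the purchased mydomain.com certificate, True with the wildcard, and mail.mydomain.com listed as an MX target that is a CNAME. Replace ZONE with records pulled from your own resolver and cert_names with the dNSName entries of the deployed certificate to audit a real setup.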