From: "Matthew Black"
Subject: Re: TLS and Certificates - Updated
To: "CommuniGate Pro Discussions"
Date: Thu, 11 Mar 2010 07:37:41 -0800
Organization: California State University, Long Beach

On Fri, 05 Mar 2010 23:25:26 +0300 Technical Support wrote:
> Hello,
>
> dhazzard@yoursummit.com wrote:
>> Okay, scratch my previous post. I'll be more specific.
>>
>> As I mentioned below we have two mail servers. For TLS to function
>> properly do I need one certificate with the Common Name set to
>> xyz.com and installed on both servers? Or will this not work?
>
> The certificate common name should match the host name on which the server
> will be contacted. Say, you serve the domain xyz.com with two hosts
>
> $ORIGIN xyz.com
>       IN MX 5 mail
>       IN MX 10 smtp
> mail  IN A 10.20.30.40
> smtp  IN A 10.20.30.50
>
> The IPs 10.20.30.40 and 10.20.30.50 should be assigned in the CgPro
> configuration to CgPro Domain objects where mail.xyz.com and smtp.xyz.com
> are either names or alias names to those objects.
>
> In this case you will need certificates for mail.xyz.com and smtp.xyz.com,
> or can use a wildcard certificate *.xyz.com on both servers.

Wildcard certificates are NOT the way to go for large enterprises. They present a whole set of security problems because some sites offer dozens of services, each with its own certificate. Our university operates hundreds of servers. If a wildcard certificate gets compromised, EVERY service loses its security.

Why can't CommuniGate figure out how to configure multiple certificates, say one for each service (IMAP, POP, WebUser) and a different set for each domain? Apache has been doing this for a very long time.

matthew black
e-mail postmaster
california state university, long beach
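As an added example (not code from the thread, from CommuniGate, or from the poster), the name-matching rule the support reply relies on, applied to the two-host zone above: it reports which hosts a per-host certificate and a wildcard certificate are each valid for, which makes the blast-radius concern in the reply concrete. The hostnames beyond mail and smtp are constructed stand-ins for other services.

```python
"""Which of a domain's hosts does a certificate name cover?

Implements the dNSName matching rule from RFC 6125 / RFC 9525: a wildcard is
only valid as the entire left-most label ("*.xyz.com"), it replaces exactly
one label, and it never matches the bare domain. Runs offline on constructed
sample data; no certificates are parsed."""

from typing import Dict, List

# mail and smtp are the MX targets from the zone in the thread; the rest are
# constructed stand-ins for other services, plus two edge cases (apex name
# and a host two labels below xyz.com).
ZONE_HOSTS: List[str] = [
    "mail.xyz.com", "smtp.xyz.com",
    "www.xyz.com", "imap.xyz.com",
    "xyz.com", "deep.sub.xyz.com",
]

def name_matches(presented: str, hostname: str) -> bool:
    """True if a certificate dNSName/CN `presented` is valid for `hostname`."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    labels = presented.split(".")
    # The wildcard must be the whole left-most label and the only one.
    if labels[0] != "*" or len(labels) < 3 or "*" in ".".join(labels[1:]):
        return False
    host_labels = hostname.split(".")
    # '*' stands for exactly one label, so label counts must agree.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]

def coverage(cert_names: List[str], hosts: List[str]) -> List[str]:
    """Hosts that at least one name on the certificate is valid for."""
    return [h for h in hosts if any(name_matches(n, h) for n in cert_names)]

def plan(server_certs: Dict[str, List[str]], hosts: List[str]) -> Dict[str, List[str]]:
    """Per server, the hosts its certificate covers (its blast radius if leaked)."""
    return {srv: coverage(names, hosts) for srv, names in server_certs.items()}

if __name__ == "__main__":
    per_host = {"mail": ["mail.xyz.com"], "smtp": ["smtp.xyz.com"]}
    wildcard = {"mail": ["*.xyz.com"], "smtp": ["*.xyz.com"]}
    for label, certs in (("per-host", per_host), ("wildcard", wildcard)):
        for srv, covered in plan(certs, ZONE_HOSTS).items():
            print(f"{label:8} {srv}: {covered}")
```

The per-host plan yields one covered host per server, while each wildcard copy is valid for every single-label host under xyz.com (but not the apex or deep.sub.xyz.com), so a key leaked from either server affects all of them.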