Date: Thu, 11 Mar 2010 20:27:36 +0300
From: Technical Support
Organization: Stalker Labs
To: CommuniGate Pro Discussions
Subject: Re: TLS and Certificates - Updated

Hello,

Matthew Black wrote:
> On Fri, 05 Mar 2010 23:25:26 +0300
> Technical Support wrote:
>> Hello,
>>
>> dhazzard@yoursummit.com wrote:
>>> Okay, scratch my previous post. I'll be more specific.
>>>
>>> As I mentioned below we have two mail servers. For TLS to function
>>> properly do I need one certificate with the Common Name set to
>>> xyz.com and installed on both servers? Or will this not work?
>>
>> The certificate common name should match the host name on which the
>> server will be contacted. Say, you serve the domain xyz.com with two
>> hosts
>>
>> $ORIGIN xyz.com
>> IN MX 5 mail
>> IN MX 10 smtp
>> mail IN A 10.20.30.40
>> smtp IN A 10.20.30.50
>>
>> The IPs 10.20.30.40 and 10.20.30.50 should be assigned in the CgPro
>> configuration to CgPro Domain objects where mail.xyz.com and
>> smtp.xyz.com are either names or alias names to those objects.
>>
>> In this case you will need certificates for mail.xyz.com and
>> smtp.xyz.com, or can use a wildcard certificate *.xyz.com on both
>> servers.
>
>
> Wildcard certificates are NOT the way to go for large enterprises. They
> present a whole set of security problems because some sites offer dozens
> of services, each with its own certificate. Our university operates
> hundreds of servers. If a wildcard certificate gets compromised, EVERY
> service loses its security.
>
> Why can't CommuniGate figure out how to configure multiple certificates,
> say one for each service (IMAP, POP, WebUser) and a different set for
> each domain? Apache has been doing this for a very long time.

You can create different domains with different certificates; all but
one of those domains will be without accounts and set to route unknown
names for mail, signal and access to the only domain that holds the
accounts.

> matthew black
> e-mail postmaster
> california state university, long beach

--
Best regards,
Dmitry Akindinov
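
The name-matching rule discussed in this thread, as an added example that is not part of the original messages or of CommuniGate Pro: it checks which certificate names cover the MX hosts from the quoted zone, and which other names a `*.xyz.com` certificate would also be valid for. The candidate certificate list and the extra host names (`imap`, `webmail`, `a.mail`) are constructed for illustration, and refusing wildcards directly under a top-level domain is an assumed conservative policy.

```python
# Added example: which certificate names cover the MX hosts from the thread.
# Rule used: exact match, or a "*" standing for exactly one leftmost label.

def name_matches(cert_name: str, host: str) -> bool:
    """True if a certificate name (CN or SAN dNSName) covers the host name."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # "*" never stands for zero labels or for several
    if cert_labels[0] == "*":
        # Assumed policy: refuse wildcards directly under a TLD ("*.com").
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def coverage(hosts, cert_names):
    """Map each host to the certificate names that would be accepted for it."""
    return {h: [c for c in cert_names if name_matches(c, h)] for h in hosts}


# MX targets of xyz.com, taken from the zone quoted in the thread.
MX_HOSTS = ["mail.xyz.com", "smtp.xyz.com"]

# Constructed candidate certificate names to compare.
CANDIDATES = ["xyz.com", "mail.xyz.com", "smtp.xyz.com", "*.xyz.com"]

# Constructed names showing how far a wildcard certificate reaches.
OTHER_HOSTS = ["imap.xyz.com", "webmail.xyz.com", "xyz.com", "a.mail.xyz.com"]

if __name__ == "__main__":
    for host, certs in coverage(MX_HOSTS, CANDIDATES).items():
        print(f"{host}: accepted certificate names = {certs}")
    for host in OTHER_HOSTS:
        print(f"{host}: *.xyz.com valid = {name_matches('*.xyz.com', host)}")
```

A certificate issued for the bare domain `xyz.com` covers neither MX host, while `*.xyz.com` covers both and every other single-label host under the domain, which is the exposure raised in the reply about wildcard certificates.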