[Exim] SSL certificates, mail, and hardware load balancers

Author: Tabor J. Wells
Date:  
To: exim-users
Subject: [Exim] SSL certificates, mail, and hardware load balancers
Sorry for the slightly off-topic post, but I'm wondering if any of you are
doing STARTTLS on servers that are behind a hardware load balancer.

The situation is that I have 3 real servers, call them server1, server2,
and server3, and two virtual IPs that each load balance between all three
of them, relay1 and relay2. My domain has two MX records, at preference 10
and 20 to relay1 and relay2 respectively.

I created my certificates as specified in the exim docs and set the CN of
each to server1.example.com, server2.example.com, and server3.example.com.

Now here's the problem. At least one mail client (Eudora 5.1 *spit*) will
not do STARTTLS because even after you specifically add the certificate as
trusted, it will not use it since the CN in the certificate doesn't
match the DNS name they connected to.

Other clients and servers seem to be handling it fine, however. So now
this has me worried about whether or not I could be causing problems with
mail from other servers (I'm not really concerned about my Eudora users).

Does anyone have any comments about this kind of setup and how concerned I
should be about other servers not handling this properly?

Thanks,

Tabor
-- 
--------------------------------------------------------------------
Tabor J. Wells                                     twells@???
Fsck It!                 Just another victim of the ambient morality
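The check that makes the strict client above refuse STARTTLS, matching the names a certificate presents against the name the client actually connected to, written out as an added Python example; this is not code from the original post or from Exim. The hostnames reuse the poster's example.com names, and the "certificates" are constructed stand-ins holding only a subject CN and subjectAltName dNSName entries rather than real X.509 objects. It goes slightly beyond the post by also showing two certificate layouts that would satisfy the check: a per-server certificate whose subjectAltName lists the load-balanced names, and a wildcard certificate.

```python
"""Certificate-name vs. connected-hostname check, the test a TLS client runs
before trusting a STARTTLS peer.  Added example, not code from the original
post; every hostname and certificate below is constructed."""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """The DNS identities a server certificate presents.  A stand-in for the
    subject CN and subjectAltName dNSName entries of a real X.509 certificate."""
    common_name: str
    dns_sans: list[str] = field(default_factory=list)

    def identities(self) -> list[str]:
        # RFC 6125 rule: when dNSName SANs are present they are authoritative
        # and the subject CN is ignored; the CN is only a legacy fallback.
        return list(self.dns_sans) if self.dns_sans else [self.common_name]


def identity_matches(presented: str, host: str) -> bool:
    """Match one presented identity against the name the client connected to.
    Comparison is case-insensitive; a wildcard is accepted only as the whole
    leftmost label and only when at least two labels follow it."""
    presented = presented.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in presented:
        return presented == host
    p_labels = presented.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False          # rejects "*", "*.com" and "mail*.example.com"
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertNames, connected_host: str) -> bool:
    """True if any presented identity covers the hostname the client used."""
    return any(identity_matches(i, connected_host) for i in cert.identities())


def evaluate_relay_setup() -> dict[str, bool]:
    """Walk the poster's scenario: three real servers, each carrying a
    certificate naming only itself, reached through two load-balanced names."""
    relay_names = ["relay1.example.com", "relay2.example.com"]
    per_server_certs = {
        f"server{n}.example.com": CertNames(common_name=f"server{n}.example.com")
        for n in (1, 2, 3)
    }
    results: dict[str, bool] = {}
    for server, cert in per_server_certs.items():
        for relay in relay_names:
            # The client connected to relayN but received a certificate that
            # only names serverN: a strict client refuses to proceed.
            results[f"{server} via {relay}"] = hostname_matches(cert, relay)
    # Remedy 1: give each server a certificate whose SANs list every name a
    # client may connect to, i.e. its own name plus both load-balanced names.
    san_cert = CertNames(
        common_name="server1.example.com",
        dns_sans=["server1.example.com"] + relay_names,
    )
    for relay in relay_names:
        results[f"san-cert via {relay}"] = hostname_matches(san_cert, relay)
    # Remedy 2: a wildcard certificate covers serverN and relayN alike, but
    # not the bare domain, so its reach should be checked before relying on it.
    wildcard = CertNames(common_name="*.example.com", dns_sans=["*.example.com"])
    results["wildcard via relay1"] = hostname_matches(wildcard, "relay1.example.com")
    results["wildcard via example.com"] = hostname_matches(wildcard, "example.com")
    return results


if __name__ == "__main__":
    for label, ok in evaluate_relay_setup().items():
        print(f"{'ok     ' if ok else 'REFUSE '} {label}")
```

Running the block prints REFUSE for all six server-via-relay combinations and ok for the SAN and wildcard certificates against the relay names, which is the behaviour the post describes: the certificate is trusted, but its identity does not cover the name the client dialled.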