Re: [Exim] SSL certificates, mail, and hardware load balance…

Author: Donald Thompson
Date:  
To: exim-users
Subject: Re: [Exim] SSL certificates, mail, and hardware load balancers

On Mon, 15 Oct 2001, Tabor J. Wells wrote:

> Sorry for the slightly off-topic post, but I'm wondering if any of you are
> doing STARTTLS on servers that are behind a hardware load balancer.


No, never done anything quite like that, but it sounds cool.

> The situation is that I have 3 real servers, call them server1, server2,
> and server3 and two virtual ips that each load balance between all three
> of them, relay1 and relay2. My domain has two MX records, at preference 10
> and 20 to relay1 and relay2 respectively
>
> I created my certificates as specified in the exim docs and set the cn to
> each as server1.example.com, server2.example.com, and server3.example.com
>
> Now here's the problem. At least one mail client (Eudora 5.1 *spit*) will
> not do STARTTLS because even after you specifically add the certificate as
> trusted, it will not use it since the cn in the certificate doesn't
> match the DNS name they connected to.


I may be missing something (and probably am), but couldn't you use the
same certificate on all servers? If the clients think they are connecting
to mail.foo.com, and assuming the servers are ok with being called
mail.foo.com, make a certificate that says it's for the machine
mail.foo.com and use the same certificate on all machines. There's nothing
wrong AFAIK with using a FQDN on the certificate that is actually a CNAME
DNS record for the host.

> Other clients and servers seem to be handling it fine, however. So now
> this has me worried about whether or not I could be causing problems with
> mail from other servers (I'm not really concerned about my Eudora users).
>
> Does anyone have any comments about this kind of setup and how concerned I
> should be about other servers not handling this properly.


Wouldn't worry about it at all. Grep through your log with something like
'grep -i "after starttls"' and look for consistent mail delivery failures
from the same host. Even then, it's a good chance there's something else
wrong (very possibly on the remote side) rather than your certificate.

Most remote servers should be more concerned with creating an encrypted
transfer rather than verifying host and certificate authenticity. Not to
say that there aren't a few out there foolish enough to attempt to do
so.

-Don

>
> Thanks,
>
> Tabor
> --
> --------------------------------------------------------------------
> Tabor J. Wells                                     twells@???
> Fsck It!                 Just another victim of the ambient morality

>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
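The log check Don suggests, worked through as an added example that is not part of the original thread. It greps a main log for errors reported "after STARTTLS", extracts the remote host from each match, and counts failures per host so that a host failing every time stands out from a one-off hiccup. The log lines are constructed and only loosely modelled on Exim's main log format; the hostnames, addresses and the /var/log path in the usage note are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): find remote hosts that
# consistently fail delivery after STARTTLS, as Don's grep suggestion does,
# but grouped by host so repeat offenders are obvious.

# Constructed sample log lines (hostnames/IPs are made up for the example).
SAMPLE_LOG='2001-10-15 10:01:02 15tAbc-0001Xy-00 == bob@example.org R=lookuphost T=remote_smtp defer (-46): SMTP error from remote mailer after STARTTLS: host mx.example.org [192.0.2.10]: 454 TLS not available
2001-10-15 10:05:17 15tAbd-0001Xz-00 == bob@example.org R=lookuphost T=remote_smtp defer (-46): SMTP error from remote mailer after STARTTLS: host mx.example.org [192.0.2.10]: 454 TLS not available
2001-10-15 10:09:40 15tAbe-0001Ya-00 => alice@example.net R=lookuphost T=remote_smtp H=mail.example.net [192.0.2.20]
2001-10-15 10:12:03 15tAbf-0001Yb-00 == carol@example.com R=lookuphost T=remote_smtp defer (-46): SMTP error from remote mailer after STARTTLS: host mx.example.org [192.0.2.10]: 454 TLS not available
2001-10-15 10:15:55 15tAbg-0001Yc-00 == dave@example.edu R=lookuphost T=remote_smtp defer (-46): SMTP error from remote mailer after STARTTLS: host smtp.example.edu [192.0.2.30]: 454 TLS not available
2001-10-15 10:20:11 15tAbh-0001Yd-00 => dave@example.edu R=lookuphost T=remote_smtp H=smtp.example.edu [192.0.2.30]'

# starttls_failures LOGFILE
# Prints "count hostname" for each host named in a post-STARTTLS error,
# most frequent first. The grep is case-insensitive, as in Don's suggestion;
# awk then takes the word that follows "host" as the remote hostname.
starttls_failures() {
    grep -i 'after starttls' "$1" \
      | awk '{ for (i = 1; i < NF; i++) if (tolower($i) == "host") { print $(i + 1); break } }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# repeat_offenders LOGFILE MIN
# Prints only hosts with at least MIN post-STARTTLS failures. A host that
# shows up here is worth a closer look, though (as Don notes) the fault is
# quite possibly on the remote side rather than in your certificate.
repeat_offenders() {
    starttls_failures "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Stand-alone demonstration on the constructed sample.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
echo "post-STARTTLS failures per host:"
starttls_failures "$demo_log"
echo "hosts failing at least twice:"
repeat_offenders "$demo_log" 2
rm -f "$demo_log"
```

On a real system you would point the functions at the live log instead of the sample, for example `repeat_offenders /var/log/exim/mainlog 3` (that path is an assumption; use wherever your Exim writes its main log). The threshold argument is what turns Don's "consistent failures from the same host" into something you can check automatically.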