On Thu, Feb 20, 2014 at 10:56:14AM -0800, Marc MERLIN wrote:
> Thanks for catching that. Looks like when I was debugging my earlier
> ssl problem a couple months back, I put the wrong cert back in place.
>
> Out of curiosity, can you do a star certificate (*.merlins.org) for smtp
> servers, or you're better off having one for each server?
It makes no difference. You can use whatever names you want, SMTP
TLS is by default unauthenticated. You'll likely even get away
with a certificate that is "anonymous", that is, has an empty subject
name and no subjectAltName extension, but that's pushing your luck,
some client implementations may choke...
The best practice is to use one per server with the certificate name
matching the server name. Since they are self-signed, it is no harder
(same $0 cost) than using the same certificate on multiple servers.
# umask 077
# newkeys="key+cert-$(date +%Y-%m).pem"; rm -f "$newkeys"
# openssl req -new -newkey rsa:2048 -nodes -keyout /dev/stdout \
-x509 -subj "/CN=$(uname -n)" -days 3650 >> "$newkeys"
# ... update MTA configuration to load key/cert from "$newkeys" ...
--
Viktor.
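The per-server key+cert recipe above, as an added example that is not Viktor's script or part of the original thread: it generates the same kind of self-signed bundle (RSA-2048, CN set to the server name, no SAN, one PEM file holding key then certificate, mode 0600), and then performs the checks an operator would want before pointing the MTA at the file: exactly one key and one certificate present, the subject CN really matches the intended host name, the private key actually belongs to the certificate, and the file is not world-readable. It assumes `openssl` is installed; the function names, the `mx1.example.test` host name and the output paths are constructed for this example.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes the openssl CLI.

# make_bundle HOST OUTFILE
#   Writes an RSA-2048 private key followed by a 10-year self-signed
#   certificate with subject /CN=HOST into OUTFILE (key first, then cert),
#   created under umask 077 so the result is mode 0600.
make_bundle() {
    host="$1"; out="$2"
    umask 077
    rm -f "$out" "$out.key" "$out.crt"
    # Key and cert go to separate temp files first, then are concatenated,
    # which avoids relying on how /dev/stdout is reopened by openssl.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" \
        -x509 -subj "/CN=$host" -days 3650 -out "$out.crt" 2>/dev/null || return 1
    cat "$out.key" "$out.crt" > "$out" || return 1
    rm -f "$out.key" "$out.crt"
}

# verify_bundle HOST FILE
#   Returns 0 only if FILE holds exactly one private key and one certificate,
#   the certificate's subject is exactly CN=HOST, the key matches the
#   certificate's public key, and the file is readable by its owner only.
verify_bundle() {
    host="$1"; f="$2"
    [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }

    nkeys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    ncerts=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$nkeys" -eq 1 ] || { echo "expected 1 private key, found $nkeys" >&2; return 1; }
    [ "$ncerts" -eq 1 ] || { echo "expected 1 certificate, found $ncerts" >&2; return 1; }

    # RFC2253 name output is stable across OpenSSL versions: "subject=CN=host"
    # (1.0.x prints "subject= CN=host"); normalise and compare exactly.
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 2>/dev/null \
           | sed 's/^subject= *//')
    [ "$subj" = "CN=$host" ] || { echo "subject is '$subj', want 'CN=$host'" >&2; return 1; }

    # The public key derived from the private key must equal the one in the
    # certificate; a mismatched pair is a common result of mixing up files.
    certpub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    keypub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    [ -n "$certpub" ] && [ "$certpub" = "$keypub" ] \
        || { echo "private key does not match certificate" >&2; return 1; }

    # Owner-only permissions: the first field of ls -l must be -rw-------.
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "bad permissions $mode on $f" >&2; return 1; }
    return 0
}

# Usage: sh mkbundle.sh [hostname]; defaults to this host's name, writing
# key+cert-YYYY-MM.pem in the current directory, as in the thread.
if [ "$#" -gt 0 ]; then
    host="${1:-$(uname -n)}"
    out="key+cert-$(date +%Y-%m).pem"
    make_bundle "$host" "$out" && verify_bundle "$host" "$out" && echo "ok: $out"
fi
```

Running `verify_bundle` with a different host name than the one baked into the certificate fails on the subject check, which is exactly the mismatch the reply says SMTP clients will not complain about by default but that the per-server best practice avoids.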