Re: [exim] Problem with tls_certificate and multiple domains

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Heiko Schlittermann
Dátum:  
Címzett: exim-users
CC: Nospam2k
Tárgy: Re: [exim] Problem with tls_certificate and multiple domains
Please, use the list for communication, others may be interested in this
too.

Nospam2k <nospam2k@???> (Mi 16 Okt 2019 08:05:05 CEST):
> Perhaps I should go about this a different way. I am going to be hosting multiple domains. Since it seems that $tls_in_sni is returning blank and/or can be unreliable, what is the best way to handle things? To just use a default domain for handling mail? For example, use mail.myhosting.com <http://mail.myhosting.com/> for everything instead of mail.mysite.com <http://mail.mysite.com/>?


tls_in_sni *can* be blank, yes.

Yes, we use *one* MX name for all the domains we host.

That's what we do, yes. The SNI feature I'm only using, because we're in
progress renaming the MX, so I'd like to support both certs, for the old
MX name and for the new one.

I wouldn't do that for many domains, as it doesn't scale well for
millions of domains. You'd have to create a new cert for each domain
you're about to host. I'm not sure if you want to do it.

Yes, you can do it automagically, Even from within Exim. But the effort
increments, as soon as you want to publish TLSA records and such, or
wan't to obtain the certs from a public CA, or even both.

Not impossible, but maybe PITA, depending on your ressources for setup,
maintainance, monitoring and debugging.

    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -