Re: [exim] Problem with tls_certificate and multiple domains

Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] Problem with tls_certificate and multiple domains

Nospam2k <nospam2k@???> (Wed 16 Oct 2019 08:05:05 CEST):
>> Perhaps I should go about this a different way. I am going to be hosting multiple domains. Since it seems that $tls_in_sni is returning blank and/or can be unreliable, what is the best way to handle things? To just use a default domain for handling mail? For example, use mail.myhosting.com <http://mail.myhosting.com/> for everything instead of mail.mysite.com <http://mail.mysite.com/>?


I can understand that you want to use the domain's own TLS cert, but SMTP
TLS isn't about authenticity, it's about encryption.

The cert your mailserver presents must match the hostname your mailserver
has and which it presents to others. It's 100% OK to use the host's cert
in TLS, as long as you have that name in your MX. Example:

mailserver.mx.    IN A 1.2.3.4

domain.at.server. IN A 1.2.3.4
domain.at.server. IN MX 10 mailserver.mx

So you can use the TLS cert of mailserver.mx as long as your mailserver
says it is mailserver.mx. This makes things a lot easier.

As Heiko has already pointed out, you need such a host cert anyway. What
do you do when someone presents a domain name you host but you don't
have a cert for? What now?

If all your MX entries point to the server's hostname, you don't need to
even think about SNI anymore.

If the original goal was to make domain transfers between servers
easier, it doesn't. If you change the IN A of the domain, you can also
change the MX of it at the same time. Nothing gained or lost here ;)

Keeping your mailserver's config simple avoids unforeseen problems.

Best regards,
Marius
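The layout Marius describes (every hosted domain's MX points at the one hostname the host cert is issued for, so no SNI-selected certificate is ever needed) is easy to get wrong for a single domain whose MX still points at its own name. The following audit script is an added example for this archive page, not code from the thread or from Exim. It checks, over a constructed zone in the shape of the example above, that the host cert's SAN list covers every MX target of every hosted domain, and it includes a live helper that fetches the real SAN list from port 25 via STARTTLS. The zone records for other.example and vanity.example, the SAN list and the function names are assumptions made up for the example; real MX lookups need a resolver library or dig, which is why the offline part takes the zone as data.

```python
"""Audit: does the cert presented on port 25 cover the MX hostname of every
hosted domain?  The offline part works over a constructed zone; the live
helper (not exercised offline) fetches the real SAN list via STARTTLS."""
import ssl
import smtplib

# Constructed zone data in the shape of the message's example.  The
# other.example and vanity.example records are assumed, for illustration.
ZONE = [
    ("mailserver.mx.", "A", "1.2.3.4"),
    ("domain.at.server.", "A", "1.2.3.4"),
    ("domain.at.server.", "MX", "10 mailserver.mx."),
    ("other.example.", "MX", "10 mail.other.example."),  # MX at its own name
    ("vanity.example.", "MX", "10 mailserver.mx."),
]


def mx_targets(zone, domain):
    """Return the MX target hostnames for `domain`, lowest preference first."""
    dom = domain.rstrip(".").lower() + "."
    found = []
    for name, rtype, rdata in zone:
        if rtype == "MX" and name.lower() == dom:
            pref, target = rdata.split(None, 1)
            found.append((int(pref), target.rstrip(".").lower()))
    return [target for _, target in sorted(found)]


def cert_covers(sans, hostname):
    """RFC 6125-style name match: exact label match, or a single-label
    wildcard in the leftmost position only (*.at.server matches
    domain.at.server but not x.domain.at.server)."""
    host = hostname.rstrip(".").lower()
    for san in sans:
        san = san.rstrip(".").lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False


def audit(zone, hosted_domains, cert_sans):
    """For each hosted domain, True if the host cert covers all of its MX
    targets.  A False entry is a domain whose senders would see a name
    mismatch on port 25 (a domain without any MX is also reported False)."""
    result = {}
    for domain in hosted_domains:
        targets = mx_targets(zone, domain)
        result[domain] = bool(targets) and all(
            cert_covers(cert_sans, t) for t in targets)
    return result


def fetch_starttls_sans(mx_host, port=25, timeout=10):
    """Live helper: connect to `mx_host`, STARTTLS with SNI set to that name
    (smtplib passes the connect hostname as server_hostname, as a real
    sending MTA would), and return the DNS SANs of the presented cert.
    Hostname checking is disabled so a mismatching cert is still returned
    for inspection; chain verification stays on so getpeercert() is populated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name check is done by cert_covers()
    with smtplib.SMTP(mx_host, port, timeout=timeout) as s:
        s.ehlo()
        s.starttls(context=ctx)
        cert = s.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    host_cert_sans = ["mailserver.mx"]  # assumed content of the host cert
    hosted = ["domain.at.server", "other.example", "vanity.example"]
    for dom, ok in audit(ZONE, hosted, host_cert_sans).items():
        print(f"{dom:20} {'OK' if ok else 'MISMATCH'}")
```

Run it as-is to see the offline audit; to check a live server, replace the assumed SAN list with `fetch_starttls_sans("mailserver.mx")`. A MISMATCH row is exactly the case the message warns about: a domain whose MX still names a host the cert does not cover, which a sender that verifies the MX name (for example under an enforcing MTA-STS policy) will refuse to deliver to. With every MX pointing at the host's own name, a single static `tls_certificate` path in Exim is all that is needed and `$tls_in_sni` never has to be consulted.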