Re: [exim] Problem with tls_certificate and multiple domains

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Problem with tls_certificate and multiple domains
> On Oct 16, 2019, at 3:41 PM, Evgeniy Berdnikov via Exim-users <exim-users@???> wrote:
>
>> So, how do I configure exim so mail can still be accessed via tls and an account can be created without any complaints about certificates from Apple Mail?
>
> It sounds as if the problem is in your Mac Mail, because neither Exim nor Dovecot
> require specific host names for TLS (at least by default). So you should
> configure your Mac Mail client to use exactly those DNS names for SMTP
> and IMAP/POP3 that are exposed in server certificates.


That's the simplest approach to implement server-side. Anything else
requires complicated provisioning of multiple certificate chains and
SNI. The cost is that the IMAP and SUBMIT (outbound SMTP) servers have
to be the same for all the domains, i.e. the mail clients need to be
configured to use a fixed pair of server names, regardless of the
user's mail domain.

If you have many users, and require the flexibility to move their
mail servers independently of each other, then you're forced to
deploy SNI on any servers that handle more than one of these
domains.

Exim has supported SNI for a while. Correctly configured, it
should work.

-- 
    Viktor.
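The per-domain SNI setup the reply refers to can be expressed in Exim's main configuration by making the certificate and key options depend on the SNI name the client sends. The fragment below is an added illustration, not part of the list message and not Exim's shipped configuration; the directory /etc/exim/tls/ and the file naming scheme (one NAME.pem chain and NAME.key per SNI name, plus a default pair) are assumptions. It relies on Exim re-expanding tls_certificate and tls_privatekey once the client's SNI is known, which happens because the expansions reference $tls_in_sni.

```exim
# Added example: per-SNI certificate selection for an Exim server that answers
# for several mail domains. Paths under /etc/exim/tls/ are assumed, not standard.

# $tls_in_sni is client-supplied input. Before it is used as part of a file name,
# normalise it to lower case and accept only plain hostname characters; anything
# else (or an empty SNI) selects the default chain. This keeps "/" and other
# path characters out of the expansion.
SNI_NAME = ${if match{${lc:$tls_in_sni}}{\N^[a-z0-9][a-z0-9.-]*$\N}{${lc:$tls_in_sni}}{default}}

# Serve the chain that matches the requested name when one has been provisioned,
# otherwise fall back to the default chain (also used for clients that send no SNI).
tls_certificate = ${if exists{/etc/exim/tls/SNI_NAME.pem}{/etc/exim/tls/SNI_NAME.pem}{/etc/exim/tls/default.pem}}
tls_privatekey  = ${if exists{/etc/exim/tls/SNI_NAME.key}{/etc/exim/tls/SNI_NAME.key}{/etc/exim/tls/default.key}}
```

Each NAME.pem is expected to hold the leaf certificate followed by its intermediates, so that a client connecting with SNI "mail.example.org" (and a matching file) receives a chain whose names match what it was configured to use. The default pair should cover the server's own hostname so that clients that do not send SNI, or that ask for an unprovisioned name, still see a valid certificate rather than a failed handshake; that behaviour is worth checking from a client for each domain after deployment.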