Re: [exim] Problem with tls_certificate and multiple domains

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
Dla: exim-users
Temat: Re: [exim] Problem with tls_certificate and multiple domains
On Wed, Oct 16, 2019 at 10:04:16PM +0200, Cyborg via Exim-users wrote:

> Am 16.10.19 um 19:25 schrieb Nospam2k via Exim-users:
>
> > I want to use
> > mail.hosteddomainone.com <http://mail.domainone.com/> for the mail
> > server names and not maindomain.com <http://maindomain.com/> for
> > the end user.
>
> You will never know what to provide, as the servername is part of the
> initial greeting HELO. Your setup will fail every time, because it's too
> late when you find out what to use. See below why .


This is false, neither the name in the 220 greeting (banner) nor
the initial line of the EHLO response does not preclude the server
from presenting a different name in its certificate, possibly based
on SNI.


> > So, how do I configure exim so mail can still be accessed via tls and
> > an account can be created without any complaints about certificates from
> > Apple Mail?
>
> AppleMail and other Clients do two checks:
>
> a) check for the MX record of your domain and that the server uses this
> as hostname.


False, only MTAs look at MX records, IMAP clients and SUBMIT clients
do not.

> And if you can't find out, why your mailclient uses a specific name as
> server, check the autodiscover result for the domain,
> you may find a hardcoded servername there.


For all but the largest email providers (Google, Microsoft, ...),
there is little use of "autodiscover", the user fills in the IMAP
and SMTP server names. The closest to that is:

    https://tools.ietf.org/html/rfc6186


IIRC it is not widely implemented.

-- 
    Viktor.