>
> > CN=pop.xxx.com
> > CN=smtp.xxx.com
> > CN=www.xxx.com
> >
> > That way, pop3, smtp and https can use the same certificate and the clients
> > won't complain of a name mismatch.
>
> How do I add (or create) multiple CNs in a certificate?

I used openssl to create a root certificate and then used it again with that root to create the server certificate, with the multiple CNs. Edit the openssl.cnf on the server and in the [req_distinguished_name] add as many CommonName(s) as you wish, thusly:

    0.CommonName = one name
    1.CommonName = another name
    ...

You get the idea. Then run openssl to generate the request, which you sign with the root cert.

For pop3s your clients need to import the root (I usually point them at a web server with the same root and get them to import from there). After that, the client won't get a security warning when they try to pop their email from the server.

If you want to pay money for a "real" cert, I'm not sure if you can. I would hope it's possible; you can certainly add multiple "E=" values to your DN (see my s/mime cert on this email if it hasn't been stripped). And smtp-tls seems to be opportunistic and, other than generating logs about the root, still seems to negotiate just fine.

>
> I would think TLS would be done on the standard POP3 port?
>

I was wrong, sorry. TLS can be negotiated in-band on the normal pop3 port, 110. But for outlook to use it you need to pick another port, not its suggested 995, and set up qpopper "tls-support=alternate-port". Just what I figured out, there may be better solutions.

-lee

smime.p7s
Description: S/MIME cryptographic signature
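
The procedure described in the message above (a private root, a request carrying several CNs, signed by that root), as an added example that is not part of the original message. The hostnames, file names and function names are constructed placeholders; it goes one step beyond the message by also listing the names in subjectAltName, the field current TLS clients match hostnames against.

```shell
#!/bin/sh
# Added example; hostnames are constructed placeholders (.test is a reserved TLD).
NAMES="pop.example.test smtp.example.test www.example.test"

make_certs() {  # $1 = empty working directory; writes root.pem and server.pem
    dir=$1; i=0; dn=""; san=""
    for n in $NAMES; do
        # 0.commonName, 1.commonName, ...: the numeric prefix only makes the
        # key unique in the config file; each entry becomes its own CN.
        dn="${dn}${i}.commonName = ${n}
"
        san="${san}${san:+,}DNS:${n}"
        i=$((i + 1))
    done
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = req_distinguished_name
[req_distinguished_name]
${dn}
[root_ext]
basicConstraints = critical,CA:TRUE
[server_ext]
subjectAltName = ${san}
EOF
    # 1. Private root certificate (self-signed); -subj overrides the DN section.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/openssl.cnf" \
        -subj "/CN=Example Test Root" -extensions root_ext \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # 2. Server key and request carrying every CN from the config.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. Sign the request with the root, adding the subjectAltName list.
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/server.pem" 2>/dev/null
}

# Print the subject in RFC 2253 form so every CN can be checked.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }

# Succeeds only if cert $2 chains to root $1 and covers hostname $3.
covers_host() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }
```

Call `make_certs "$(mktemp -d)"`, then inspect the result with `cert_subject`; `covers_host` fails for any name the certificate does not list.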