On Thu, Oct 20, 2011 at 03:40:57PM +0200, Jan-Frode Myklebust wrote:
> I'm considering if I should enable opportunistic TLS on our smtp
> gateways. Our gateways are known by several DNS names, so I think it
> will be difficult to use certificates signed by a "reputable" CA.
>
> It seems safe enough to enable smtp_tls_security_level=may, but how
> do other mailservers behave if we enable smtpd_tls_security_level=may
> and offer self signed certs with possibly wrong name compared to what
> the MX-records are pointing to ?
>
>
> -jf
>
I would think that a SAN cert with all the names of the gateways listed should work and is available from most "reputable" CAs.

Ken
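
The check implied by the reply above, as an added example that is not part of the original thread: given the dNSName entries of a SAN certificate, report which of the names a gateway is known by are not covered. The hostnames and SAN list are constructed, and the wildcard handling is a deliberately strict reading of RFC 6125 section 6.4.3.

```python
"""Check which gateway names a certificate's SAN dNSName list fails to cover."""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """Match one SAN dNSName against a hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label (strict reading of RFC 6125, 6.4.3).
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice: require two fixed labels so "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial-label wildcards such as "m*.example.com" are rejected outright.
    return "*" not in pattern and p == h


def uncovered_names(san_dns_names, gateway_names):
    """Return the gateway names that no SAN entry matches, in input order."""
    return [
        name for name in gateway_names
        if not any(san_matches(san, name) for san in san_dns_names)
    ]


# Constructed sample data: names a gateway is known by (for example, its
# MX targets) and the dNSName entries of a candidate certificate.
GATEWAY_NAMES = ["mx1.example.com", "mx2.example.com", "smtp.example.net",
                 "MAIL.example.org."]
SAN_DNS_NAMES = ["*.example.com", "mail.example.org"]

if __name__ == "__main__":
    missing = uncovered_names(SAN_DNS_NAMES, GATEWAY_NAMES)
    print("names missing from the certificate:", missing)
```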