On Thu, Oct 20, 2011 at 08:44:03AM -0500, k...@rice.edu wrote:
>
> I would think that a SAN cert with all the names of the gateways
> listed should work and is available from most "reputable" CA's.
Yes, you're right, and then there are cheap wildcard certs too -- but that adds maintenance. Will need to be renewed every X years, etc., and might lead me to think this is more effort than what it's worth to enable TLS for incoming messages.

Hmm, checking gmail:

% openssl s_client -starttls smtp -crlf -connect gmail-smtp-in.l.google.com:25
<snip>
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
<snip>
ehlo me
250-mx.google.com at your service,..

Should the cert match the MX record or postfix' $myhostname? I was expecting it to match the MX record..

-jf
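An added example for the check above, not code from the thread: it fetches an MX host's STARTTLS certificate the way the openssl command does and tests whether the names in it (SAN dNSNames plus the subject CN, with wildcard matching as in RFC 6125) cover the hostname that was connected to. SAMPLE_CERT is constructed, loosely modelled on the subject line quoted above; fetch_starttls_cert needs network access and a CA-trusted chain.

```python
import smtplib
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert(); the SAN
# entries are assumptions, not the real 2011 certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Google Inc"),),
                (("commonName", "mx.google.com"),)),
    "subjectAltName": (("DNS", "mx.google.com"), ("DNS", "*.google.com")),
}

def names_from_cert(cert):
    """Hostnames the certificate claims: SAN dNSNames first, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names

def name_matches(pattern, hostname):
    """Case-insensitive match; a wildcard may only replace the entire left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # "*.google.com" covers "mx.google.com" but not "google.com" or "a.b.google.com"
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False

def cert_covers_host(cert, hostname):
    """True if any name in the certificate covers the host we connected to (the MX host)."""
    return any(name_matches(name, hostname) for name in names_from_cert(cert))

def fetch_starttls_cert(mx_host, port=25, timeout=10):
    """EHLO, STARTTLS and return the peer certificate as a dict.
    The chain is verified against the system CA store; only the hostname check
    is left to cert_covers_host so a mismatch can be reported instead of raised."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()

if __name__ == "__main__":
    host = "gmail-smtp-in.l.google.com"
    print(host, "covered:", cert_covers_host(fetch_starttls_cert(host), host))
```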