On 20.10.2011 16:09, Jan-Frode Myklebust wrote:
> On Thu, Oct 20, 2011 at 08:44:03AM -0500, k...@rice.edu wrote:
>>
>> I would think that a SAN cert with all the names of the gateways
>> listed should work and is available from most "reputable" CA's.
>
> Yes, you're right, and then there are cheap wildcard certs too -- but
> that adds maintenance. Will need to be renewed every X years, etc.. and
> might lead me to think this is more effort than what it's worth to
> enable TLS for incoming messages.
>
> Hmm, checking gmail:
>
> % openssl s_client -starttls smtp -crlf -connect gmail-smtp-in.l.google.com:25
> <snip>
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com
> <snip>
> ehlo me
> 250-mx.google.com at your service,..
>
> Should the cert match the MX record or postfix' $myhostname ? I was
> expecting it to match the MX record..
But why in the world are different hostnames configured?

Take "mail.yourdomain.tld" and use it EVERYWHERE:

* hostname
* mx-records for all domains
* ssl-cert
* client-configs

It is a big mistake to provide every customer with "mail.hisdomain.tld", producing only overhead by maintaining dns-records and documentation, for what reason?
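The question in the quoted mail is whether a verifying client would accept the MX host's certificate for the name it connected to. The following is an added example, not code from this thread, that parses the `subject=` line as printed by `openssl s_client` and a subjectAltName line as printed by `openssl x509 -noout -ext subjectAltName`, then checks a hostname against the certificate names the way a name-verifying client does (SAN first, CN only as a fallback, wildcard only as the whole leftmost label). The SAN line is constructed for the example; the real certificate's SAN entries are not shown in the thread.

```python
import re

# Constructed sample input (the subject line is the one quoted in the thread;
# the SAN line is made up for this example, not taken from the real server).
SUBJECT_LINE = "subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mx.google.com"
SAN_LINE = "DNS:mx.google.com, DNS:*.l.google.com"


def parse_cn(subject_line):
    """Return the CN from an s_client 'subject=' line (slash-separated DN)."""
    m = re.search(r"/CN=([^/]+)", subject_line)
    return m.group(1).strip() if m else None


def parse_san_dns(san_line):
    """Return the dNSName entries from a subjectAltName line."""
    return [p.split(":", 1)[1].strip()
            for p in san_line.split(",") if p.strip().startswith("DNS:")]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, wildcard allowed only as
    the entire leftmost label, and a wildcard never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "*" in a non-leftmost label, "*.com"-style patterns, and
    # patterns whose label count differs from the hostname's.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(hostname, cn, san_dns):
    """Decide like a verifying client: SAN dNSNames are authoritative; the
    CN is consulted only when the certificate carries no dNSName at all."""
    candidates = san_dns if san_dns else ([cn] if cn else [])
    return any(name_matches(c, hostname) for c in candidates)


if __name__ == "__main__":
    host = "gmail-smtp-in.l.google.com"
    cn, sans = parse_cn(SUBJECT_LINE), parse_san_dns(SAN_LINE)
    print("CN only  :", cert_covers_host(host, cn, []))
    print("with SAN :", cert_covers_host(host, cn, sans))
```

With the CN alone the MX hostname from the thread is not covered; a SAN entry (or a wildcard for the right label depth) is what makes it match, which is the point of putting every gateway name into one SAN certificate as suggested upthread.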