On 07/16/2013 05:30 AM, Ben Johnson wrote:
>> If your clients insist that a mail server is only professional if the TLS
>> session has their domain name written on it, then give them what they want at
>> the price it costs to implement it.
> Your position is perfectly reasonable, and is more or less the position
> that I've taken on the matter. I just wanted to be sure that there isn't
> some panacea that I had overlooked.
> In order to give our clients what they want, what are our choices?
Probably the best option is to go old tech here. Get a separate IP for
each hostname that a client wants to connect to and set up separate
listeners in master.cf for each of those IPs with the appropriate TLS
options. Then let the clients buy their own cert and provide it to you
to use on the server. Up to you to come up with the additional pricing
for all of this. The extra dedicated IP is the first and most obvious
cost; the rest is administrative.
Keep in mind that you'll have to configure Dovecot (or whatever you use
for IMAP/POP3) to listen on these other IPs and use those
customer-supplied certs as well.
Personally I would ramp up the extra fee even more to account for the
"I don't want to do this really stupid unnecessary vain thing" reason.
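The per-IP setup described above, written out as an added configuration example (this is not from the list post or from the Postfix/Dovecot projects). The IP addresses, hostnames, service names and certificate paths are placeholders; each customer PEM file is assumed to contain the server certificate followed by its intermediate chain, and inet_interfaces in main.cf is assumed to be left at "all" so Postfix can bind the extra addresses.

```conf
# --- /etc/postfix/master.cf (added example; placeholder addresses/paths) ---
# The stock "smtp inet" / "submission inet" entries keep serving the
# provider's own certificate from main.cf.  Each customer gets one extra
# submission listener bound to a dedicated IP; the -o overrides select
# that customer's certificate and the hostname Postfix announces.
#
# service                type private unpriv chroot wakeup maxproc command
192.0.2.10:submission    inet n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission-clienta
  -o myhostname=mail.client-a.example
  -o smtpd_tls_cert_file=/etc/postfix/certs/mail.client-a.example.pem
  -o smtpd_tls_key_file=/etc/postfix/certs/mail.client-a.example.key
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

192.0.2.11:submission    inet n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission-clientb
  -o myhostname=mail.client-b.example
  -o smtpd_tls_cert_file=/etc/postfix/certs/mail.client-b.example.pem
  -o smtpd_tls_key_file=/etc/postfix/certs/mail.client-b.example.key
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# --- /etc/dovecot/conf.d/10-ssl.conf (added example; placeholder paths) ---
# Global default: the provider's own certificate.
ssl = required
ssl_cert = </etc/dovecot/certs/mail.provider.example.pem
ssl_key  = </etc/dovecot/certs/mail.provider.example.key

# Per-IP overrides: a "local" block applies to connections that arrive
# on that listening address, so IMAP/POP3 on the customer's IP presents
# the customer's certificate.
local 192.0.2.10 {
  ssl_cert = </etc/dovecot/certs/mail.client-a.example.pem
  ssl_key  = </etc/dovecot/certs/mail.client-a.example.key
}

local 192.0.2.11 {
  ssl_cert = </etc/dovecot/certs/mail.client-b.example.pem
  ssl_key  = </etc/dovecot/certs/mail.client-b.example.key
}
```

After reloading both daemons, check which certificate each address actually presents before handing it to the customer, e.g. `openssl s_client -connect 192.0.2.10:587 -starttls smtp` for Postfix and `openssl s_client -connect 192.0.2.10:993` for Dovecot; the subject of the leaf certificate in the output should match the customer's hostname. Keep the customer-supplied private keys readable only by root (Postfix reads them before dropping privileges), and remember that the customer now controls the validity period, so an expired customer certificate will break only that customer's listener. This IP-per-certificate approach is what is needed on Postfix releases without server-side SNI; newer Postfix (3.4 and later) can instead select certificates by SNI with tls_server_sni_maps, and Dovecot can do the same with `local_name` blocks, which removes the dedicated-IP requirement.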
I would make sure the client knows that they are just spending extra
money to satisfy their own vanity and if they still want to go ahead
then do it for them.
Peter