Hi,
another weekend and another chance to spend a little bit of time with
postfix. :)
Today I tried to get TLS to work and there is one thing (again) that I
probably didn't do right, or that is at least confusing to me.
Let's assume the FQDN of the server postfix is installed on is
myserver.mydomain.de; myhostname in main.cf is set to
myserver.mydomain.de as well.
I've set an A record for myserver.mydomain.de in the DNS configuration
of mydomain.de, which obviously points to the public IP of the server.
The PTR points to myserver.mydomain accordingly.
I created a subdomain (e.g. epicmail.mydomain.de) in the DNS
configuration, which is the actual mail domain I want to use for postfix
(virtual_mailbox_domain).
I set the MX record for epicmail.mydomain.de to mx.myserver.mydomain.de;
the MX points to an A record which in turn points to the public IP of my
server, pretty much standard so far (I hope).
I created a certificate signing request. I made sure that the common name
of the cert matches the FQDN of the server postfix is running on
(myserver.mydomain.de) and set everything up in postfix.
Let me quote something about "how TLS works" from the Book of Postfix
here, to see where I am going with this:
...
"the client verifies the server's certificate by comparing the
certificate's CN string to the server's DNS hostname"
...
I went to checktls.com and asked it to verify the TLS communication for
e.g. den...@epicmail.mydomain.de.
TLS works fine and the results seem to confirm that, but there is one
warning message that says:
"Cert Hostname DOES NOT VERIFY (mx.myserver.mydomain.de !=
myserver.mydomain.de)
So email is encrypted but the host is not verified"
Is CheckTLS.com just insisting that the CN of the certificate should
match the MX record of the mail domain in question, or is this generally
expected?
Of course I could easily change the MX record to myserver.mydomain.de to
solve this issue, but that shouldn't be necessary, right?
Dennis
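The hostname check that produced the CheckTLS warning, as an added example (not part of the post above and not CheckTLS's or Postfix's own code): a verifying SMTP client takes the name it connected to (the MX hostname) and compares it against the DNS names the server certificate asserts, SAN dNSName entries first and the subject CN only as a fallback. The two certificate dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, so the script runs offline; the names are the ones from the post.

```python
"""Certificate hostname verification against an MX name, offline.

Added example. The certificate dicts below are constructed to mirror
what ssl.SSLSocket.getpeercert() returns; no network access is made.
"""


def cert_names(cert):
    """DNS names a certificate asserts: SAN dNSName entries if present,
    otherwise the subject commonName (legacy fallback)."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a single '*'
    is allowed only as the whole leftmost label, matching exactly one
    label (so *.mydomain.de does not cover a.b.mydomain.de)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def verify_mx_hostname(cert, mx_hostname):
    """Return (ok, reason) as a verifying SMTP client would report it."""
    names = cert_names(cert)
    for name in names:
        if name_matches(name, mx_hostname):
            return True, f"{mx_hostname} matches {name}"
    return False, f"{mx_hostname} != {', '.join(names) or '(no names)'}"


# Constructed: the certificate as issued in the post, CN only.
CERT_CN_ONLY = {"subject": ((("commonName", "myserver.mydomain.de"),),)}
# Constructed: the same certificate reissued with both names in the SAN.
CERT_WITH_SAN = {
    "subject": ((("commonName", "myserver.mydomain.de"),),),
    "subjectAltName": (("DNS", "myserver.mydomain.de"),
                       ("DNS", "mx.myserver.mydomain.de")),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        print(label, verify_mx_hostname(cert, "mx.myserver.mydomain.de"))
```

Running it reproduces the mismatch for the CN-only certificate and shows that a certificate listing the MX hostname in its SAN verifies without touching the MX record.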