Dennis Steinkamp:
> Hi,
>
> another weekend and another chance to spend a little bit of time with
> postfix. :)
> Today I tried to get TLS to work and there is one thing (again) that I
> probably didn't do right, or is at least confusing to me.
>
> Let's assume the FQDN of the server postfix is installed on is
> myserver.mydomain.de; myhostname in main.cf is set to
> myserver.mydomain.de as well.
> I've set an A record for myserver.mydomain.de in the DNS configuration
> of my domain.de, which obviously points to the public IP of the server.
> The PTR points to myserver.mydomain accordingly.
> I created a subdomain (e.g. epicmail.mydomain.de) in the DNS
> configuration, which is the actual mail domain I want to use for postfix
> (virtual_mailbox_domain).
> I set the MX record for epicmail.mydomain.de to mx.myserver.mydomain.de;
> the MX points to an A record which again points to the public IP of my
> server, pretty much standard so far. (I hope)
>
> I created a certificate signing request. I made sure that the common name
> of the cert matches the FQDN of the server where postfix is running on
> (myserver.mydomain.de) and set everything up in postfix.
> Let me quote something about "how TLS works" from The Book of Postfix
> here, to see where I am going with this:
>
> ...
> "the client verifies the server's certificate by comparing the
> certificate's CN string to the server's DNS hostname"
> ...
>
> I went to checktls.com and asked it to verify the TLS communication for
> e.g. den...@epicmail.mydomain.de.
> TLS works fine and the results seem to confirm that, but there is one
> warning message that says:
>
> "Cert Hostname DOES NOT VERIFY (mx.myserver.mydomain.de !=
> myserver.mydomain.de)
> So email is encrypted but the host is not verified"
>
> Is CheckTLS.com just insisting that the CN of the certificate should
> match the MX record of the mail domain in question, or is this generally
> expected?
Regardless of what CheckTLS.com says, what is the server name in the MX
record? That is the name that needs to match the certificate.

If you have

    example.com IN MX 10 mail.example.com

then by default Postfix will match the certificate against mail.example.com.

	Wietse

> Of course I could easily change the MX record to myserver.mydomain.de to
> solve this issue, but that shouldn't be necessary, right?
>
> Dennis
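What Wietse describes is the client-side certificate name check a Postfix SMTP client performs before it trusts a server at the verify or secure TLS security level. The following Python sketch is an added example, not code from this thread or from Postfix itself; it models only the "which name must the certificate carry" step for the hostnames in the thread, with the MX data and certificate names constructed inline. It assumes the documented defaults (smtp_tls_verify_cert_match = hostname, smtp_tls_secure_cert_match = nexthop, dot-nexthop), that subjectAltName dNSName entries take precedence over the CN, and that a wildcard is honoured only in the leftmost label; trust-chain validation, DNS lookups and the TLS handshake are left out.

```python
"""Simulate Postfix client-side certificate *name* matching for the thread's
hostnames.  Added example, not Postfix code.  DNS data below is constructed."""
from dataclasses import dataclass, field

# Constructed MX data: mail domain -> MX hostnames (best preference first).
DNS_MX = {
    "epicmail.mydomain.de": ["mx.myserver.mydomain.de"],  # Dennis's zone
    "example.com": ["mail.example.com"],                   # Wietse's example
}


@dataclass
class Cert:
    """Only the parts of a server certificate that name matching looks at."""
    cn: str
    san_dns: list = field(default_factory=list)

    def names(self):
        # Postfix uses subjectAltName dNSName entries when any exist and only
        # falls back to the CommonName when the certificate has none.
        return [n.lower() for n in self.san_dns] or [self.cn.lower()]


def name_matches(cert_name, pattern):
    """Compare one certificate name against one expanded match pattern."""
    cert_name = cert_name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        # ".example.com" (from dot-nexthop) matches any sub-domain of example.com
        return cert_name.endswith(pattern) and len(cert_name) > len(pattern)
    if cert_name.startswith("*."):
        # wildcard only in the leftmost label, standing for exactly one label
        suffix = cert_name[1:]
        head = pattern[: -len(suffix)] if pattern.endswith(suffix) else ""
        return bool(head) and "." not in head
    return cert_name == pattern


def match_patterns(level, nexthop, mx_host, match_list=None):
    """Expand a cert-match list into the concrete names Postfix will look for."""
    if match_list is None:  # Postfix defaults for the two verifying levels
        match_list = ["hostname"] if level == "verify" else ["nexthop", "dot-nexthop"]
    expanded = []
    for item in match_list:
        if item == "hostname":
            expanded.append(mx_host)         # the MX hostname, as Wietse says
        elif item == "nexthop":
            expanded.append(nexthop)         # the recipient / next-hop domain
        elif item == "dot-nexthop":
            expanded.append("." + nexthop)   # any sub-domain of the next-hop domain
        else:
            expanded.append(item)            # a literal name from the match list
    return expanded


def verify_name(cert, level, nexthop, mx_host=None, match_list=None):
    """Return (ok, cert_name, pattern) for the first matching pair,
    or (False, None, None) when no certificate name satisfies any pattern."""
    if mx_host is None:
        mx_host = DNS_MX[nexthop][0]
    for pattern in match_patterns(level, nexthop, mx_host, match_list):
        for name in cert.names():
            if name_matches(name, pattern):
                return True, name, pattern
    return False, None, None


if __name__ == "__main__":
    # Dennis's setup: MX name mx.myserver.mydomain.de, certificate CN myserver.mydomain.de
    dennis_cert = Cert(cn="myserver.mydomain.de")
    print(verify_name(dennis_cert, "verify", "epicmail.mydomain.de"))
    # Either fix is enough: a SAN for the MX name, or an MX that names the cert's host.
    fixed_cert = Cert(cn="myserver.mydomain.de",
                      san_dns=["myserver.mydomain.de", "mx.myserver.mydomain.de"])
    print(verify_name(fixed_cert, "verify", "epicmail.mydomain.de"))
    print(verify_name(dennis_cert, "verify", "epicmail.mydomain.de",
                      mx_host="myserver.mydomain.de"))
    # Wietse's example at the secure level: mail.example.com matches ".example.com"
    print(verify_name(Cert(cn="mail.example.com"), "secure", "example.com"))
```

The first call reproduces the mismatch the thread's warning reports (mx.myserver.mydomain.de against a certificate that only names myserver.mydomain.de); the next two show the two ways out, a certificate that also carries the MX hostname or an MX record that points at the name already in the certificate.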