> On Jan 15, 2018, at 11:01 PM, Benny Pedersen <m...@junc.eu> wrote:
>
> common practice is imap.example.org and smtp.example.org with a wildcard
> signed cert for *.example.org
The rule is: there are no rules. TLS in SMTP is largely unauthenticated opportunistic TLS, and the content of the certificate is ignored by most peers; there just needs to be a certificate for interoperability reasons, since many peers don't enable anon-DH ciphersuites. Thus the certificate name can be anything, but matching the MX hostname is best. Wildcard certificates are best avoided simply because they are likely to be misused for multiple services, increasing opportunities for cross-protocol attacks or creating a single point of failure when cert rotation is performed across all service instances that share the cert.

--
Viktor.
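An added example (not part of the thread) for auditing your own MX certificate against the advice above: given the SAN names from a certificate, it reports whether the MX hostname is covered by an exact name or only by a wildcard, and flags wildcard entries that would also be shared with other services. The SAN list and hostnames are constructed sample values; extracting the SANs from a live cert is left to the operator.

```python
from typing import Dict, Iterable

# Match quality, ranked: a name that exactly equals the MX host is best,
# a wildcard match is weaker (the cert is probably shared), no match is worst.
_RANK = {"none": 0, "wildcard": 1, "exact": 2}


def match_kind(san: str, host: str) -> str:
    """Classify how one DNS SAN relates to a hostname.

    Wildcard handling follows the usual RFC 6125 restriction: '*' must be
    the entire leftmost label and covers exactly one label, so
    '*.example.org' matches 'mx1.example.org' but neither 'example.org'
    nor 'a.b.example.org'.
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san == host:
        return "exact"
    if san.startswith("*.") and "*" not in san[1:]:
        suffix = san[1:]  # ".example.org"
        if host.endswith(suffix):
            left = host[: -len(suffix)]
            if left and "." not in left:
                return "wildcard"
    return "none"


def classify_cert(san_names: Iterable[str], mx_host: str) -> str:
    """Best match kind across all SANs for the given MX hostname."""
    best = "none"
    for san in san_names:
        kind = match_kind(san, mx_host)
        if _RANK[kind] > _RANK[best]:
            best = kind
    return best


def audit(san_names: Iterable[str], mx_host: str) -> Dict[str, object]:
    """Summarise the cert from the MX operator's point of view."""
    sans = list(san_names)
    return {
        "mx_host": mx_host,
        "match": classify_cert(sans, mx_host),
        # Any wildcard SAN means the same key/cert likely serves other
        # hosts too (the sharing and rotation concern raised above).
        "wildcard_present": any(s.startswith("*.") for s in sans),
    }


if __name__ == "__main__":
    # Constructed sample: a cert carrying both a specific name and a wildcard.
    sample_sans = ["mail.example.org", "*.example.org"]
    for mx in ("mail.example.org", "mx1.example.org", "a.b.example.org"):
        print(audit(sample_sans, mx))
```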