On 05-19-2021 4:52 pm, Viktor Dukhovni wrote:
>> Now the client connects to submission.example.com and is being given
>> a certificate from balanced1.example.com. Same problem exists.
>
> Why would you get a certificate for the internal name? That's
> clearly silly. Get a certificate for the external name.

That is the external name. You don't like balanced1? Change it. It
doesn't matter what it is, right? To make a cert there has to be one FQDN
and it might as well be the hostname. Fine, delete balanced1 and let's
call it foobar.example.com. So foobar.example.com is the hostname and
FQDN. Certbot uses that FQDN for issuing the certificate.
The postfix server, hostname foobar.example.com, has a certificate
issued to it as foobar.example.com.
The client still connects to submission.example.com, is proxied layer 4
to foobar.example.com where postfix is and postfix uses that certificate
issued to foobar.example.com and gives that to the client.
submission.example.com:587 does not match crt foobar.example.com, same
problem.
What am I missing?
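
Added illustration, not part of the original message: a TLS client compares the name it dialed against the dNSName entries in the certificate it receives, and a layer 4 proxy in between does not change that reference name. The sketch below uses RFC 6125 style matching over constructed SAN lists for the names in this thread; the multi-name and wildcard cases go beyond what the thread mentions, and all function names are hypothetical.

```python
# Constructed example: name check a TLS client applies to the server
# certificate. SAN lists below are sample data, not real certificates.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """True if one SAN dNSName covers the name the client connected to.

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label ("*.com").
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_peer_name(connected_to, san_dns_names):
    """Return the SAN entries that match the client's reference name."""
    return [s for s in san_dns_names if dns_name_matches(s, connected_to)]

def explain(connected_to, san_dns_names):
    hits = verify_peer_name(connected_to, san_dns_names)
    if hits:
        return f"OK: {connected_to} matched {hits[0]}"
    return f"MISMATCH: {connected_to} not in {san_dns_names}"

# The client dials the service name; the proxy forwards bytes unchanged.
CLIENT_NAME = "submission.example.com"
CERT_HOSTNAME_ONLY = ["foobar.example.com"]       # cert for the host's own FQDN
CERT_SERVICE_NAME = ["submission.example.com"]    # cert for the name clients use
CERT_BOTH = ["foobar.example.com", "submission.example.com"]
CERT_WILDCARD = ["*.example.com"]

if __name__ == "__main__":
    for sans in (CERT_HOSTNAME_ONLY, CERT_SERVICE_NAME,
                 CERT_BOTH, CERT_WILDCARD):
        print(explain(CLIENT_NAME, sans))
```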