On 2022 Feb 25, at 14:56, John Levine <jo...@iecc.com> wrote:
> When a client does a STARTTLS on a port 25 or 587 session, or at
> connection time on a port 465 session, the mail server sends back a
> certificate with the server name in it. If that name does not match
> the name the client is expecting, various bad things can happen
> ranging from a warning message in the mail log to dropping the
> connection if the server has a TLSA DNS record to identify the
> certificate, or you use mta-sts (see RFCs 8460 and 8461.)
> 
> If your server has more than one name, there is a TLS feature called
> Server Name Indication or SNI in which the client sends the name it is
> looking for, and the server tries to find a certificate to match.
> Postfix has SNI support but it is not normally turned on, and it is
> your problem to get the actual certificates.

Right. I was hoping to keep the previous setup and not have to change the 
servers on the client systems. This is not just an MX issue, as I should have 
realized when I first posted.

I don't have spare IPs to throw at this issue, so it looks like the only 
reasonable solution is to have the clients change their server settings to 
mail.exampl.net and have the setup be the same as the other domains.

> Because I am that sort of person (as Viktor can confirm) I hacked SNI
> into my homebrew mail server, gave it a different MX name for each of
> the 100 domains it serves, and got 100 certificates from Let's
> Encrypt. It works for me but other than sometimes seeing that spambots
> have an odd idea of who they are talking to, I wouldn't necessarily
> recommend it for anyone else.

I assume the previous host did something like this since I knew they had many 
domains on single IPs and all were set up with MX records pointing to the domain 
name and not the host. It seems like it may be more trouble for one domain.

-- 
Angie, Angie, when will those clouds all disappear? Angie, Angie,
        where will it lead us from here? With no lovin' in our soul and
        no money in our coats You can't say we're satisfied But Angie,
        Angie--You can't say we never tried
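
The name check John describes, as an added example that is not part of this thread: a small Python probe that opens a session to a mail server, negotiates TLS while sending a chosen SNI name (STARTTLS on 25/587, TLS at connection time on 465), and reports whether the certificate the server presented carries that name. Host names, the `probe.invalid` EHLO name and the certificate used in the test are constructed; the matching rules (case-insensitive, a wildcard only as the whole leftmost label) are an assumption about what a typical client enforces, not a statement about any particular MTA.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS names from a cert dict as returned by SSLSocket.getpeercert()."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(expected, pattern):
    """Match one presented name against the name the client expects (case-insensitive)."""
    e = expected.rstrip(".").lower().split(".")
    p = pattern.rstrip(".").lower().split(".")
    if "*" not in pattern:
        return e == p
    if p[0] != "*" or len(p) < 3 or len(e) != len(p):
        return False  # wildcard must be the whole leftmost label, never a TLD, one label only
    return e[1:] == p[1:]

def cert_matches(expected, cert):
    return any(name_matches(expected, n) for n in san_dns_names(cert))

def _reply(reader):
    """Consume one (possibly multi-line) SMTP reply and return its 3-digit code."""
    while True:
        line = reader.readline().decode("ascii", "replace")
        if len(line) < 4 or line[3] != "-":  # "250-..." continues, "250 ..." ends
            return line[:3]

def probe(host, port=587, sni=None, timeout=10):
    """Negotiate TLS sending `sni` (STARTTLS on 25/587, at connect time on 465) and
    return (sni sent, DNS names in the presented certificate, whether one matched)."""
    sni = sni or host
    ctx = ssl.create_default_context()   # chain is still verified against the system store
    ctx.check_hostname = False           # report a name mismatch instead of aborting on it
    raw = socket.create_connection((host, port), timeout=timeout)
    if port != 465:
        reader = raw.makefile("rb")
        if _reply(reader) != "220":
            raise RuntimeError("no 220 greeting")
        raw.sendall(b"EHLO probe.invalid\r\n")   # probe.invalid: placeholder client name
        _reply(reader)
        raw.sendall(b"STARTTLS\r\n")
        if _reply(reader) != "220":
            raise RuntimeError("server refused STARTTLS")
    tls = ctx.wrap_socket(raw, server_hostname=sni)
    cert = tls.getpeercert()
    tls.sendall(b"QUIT\r\n")
    tls.close()
    return sni, san_dns_names(cert), cert_matches(sni, cert)
```

Calling `probe("mail.example.net", 587, sni="other.example.org")` shows which certificate a server hands out for a name it was not configured with, which is the mismatch the log warnings, TLSA and MTA-STS failures above stem from.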
