> On 2022 Feb 25, at 14:56, John Levine <jo...@iecc.com> wrote:
>> When a client does a STARTTLS on a port 25 or 587 session, or at
>> connection time on a port 465 session, the mail server sends back a
>> certificate with the server name in it. If that name does not match
>> the name the client is expecting, various bad things can happen
>> ranging from a warning message in the mail log to dropping the
>> connection if the server has a TLSA DNS record to identify the
>> certificate, or you use mta-sts (see RFCs 8460 and 8461.)
>> If your server has more than one name, there is a TLS feature called
>> Server Name Indication or SNI in which the client sends the name it is
>> looking for, and the server tries to find a certificate to match.
>> Postfix has SNI support but it is not normally turned on, and it is
>> your problem to get the actual certificates.
On 27.02.22 07:58, @lbutlr wrote:
> Right. I was hoping to keep the previous setup and not have to change the
> servers on the client systems. This is not just an MX issue, as I should
> have realized when I first posted.
> I don't have spare IPs to throw at this issue, so it looks like the only
> reasonable solution is to have the clients change their server settings to
> mail.example.net and have the setup be the same as the other domains.
No, simply add mail.example.com to the SubjectAltName of the
mail.example.net certificate. Let's Encrypt supports this.
>> Because I am that sort of person (as Viktor can confirm) I hacked SNI
>> into my homebrew mail server, gave it a different MX name for each of
>> the 100 domains it serves, and got 100 certificates from Let's
>> Encrypt. It works for me but other than sometimes seeing that spambots
>> have an odd idea of who they are talking to, I wouldn't necessarily
>> recommend it for anyone else.
> I assume the previous host did something like this since I knew they had
> many domains on single IPs and all were set up with MX records pointing to
> the domain name and not the host. It seems like it may be more trouble
> for one domain.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
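A check that follows from John's point about name mismatches, added here as an example rather than code from the thread or from Postfix: for each name clients are configured to use, connect to it, STARTTLS (so that name is sent as SNI) and confirm the certificate the server presents covers it via a SAN entry or the CN. The hostnames are placeholders taken from the thread, and the matching is the usual exact-or-leftmost-wildcard rule from RFC 6125.

```python
import smtplib
import ssl


def cert_names(cert: dict) -> list:
    """Names a certificate claims: SAN dNSName entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # CN is only a fallback when the cert carries no SAN dNSNames
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or a wildcard in the left-most label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    plabels, hlabels = pattern.split("."), hostname.split(".")
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True when some SAN/CN name in the certificate matches hostname."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def fetch_starttls_cert(name: str, port: int = 587) -> dict:
    """Connect to `name`, STARTTLS and return the peer certificate; smtplib sends
    `name` as SNI. Chain validation stays on, only the hostname check is ours."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # for port 465 use smtplib.SMTP_SSL(name, 465, context=ctx)
    with smtplib.SMTP(name, port, timeout=10) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


def check_names(names, port: int = 587) -> dict:
    """Map each client-facing name to whether the presented cert covers it."""
    results = {}
    for name in names:  # e.g. ["mail.example.net", "mail.example.com"] (placeholders)
        cert = fetch_starttls_cert(name, port)
        results[name] = cert_covers(cert, name)
        print(f"{name}: {'OK' if results[name] else 'MISMATCH'} {cert_names(cert)}")
    return results
```

A MISMATCH for a name that clients or sending MTAs use is exactly the case that produces the log warnings or dropped connections John describes; the fix is either the extra SAN or a per-name certificate via SNI.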