On Sun, Apr 24, 2022 at 09:23:00AM +0800, ミユナ (alice) wrote:

> since the MUA uses coakmail.com as smtp/imap servers, this has no problem.
>
> but my MX RR is: box.coakmail.com

If you're using an https://mailinabox.email appliance, a suitable certificate will be obtained automatically. If not, perhaps consider doing so, it is a good choice for non-experts.

> I know MX only accepts messages on port 25 (am I right here?), so the
> certs issued to root domain will have no side effect for the incoming
> messages from other MTAs?

Unless you're doing DANE or its runt sibling MTA-STS any certificate will do, senders will generally ignore its content.

A small number of sending systems implement unauthenticated opportunistic TLS badly, and abort TLS handshakes when the certificate name does not match the MX hostname. They typically then fall back to clear text.

Bottom line, a matching name in the certificate is desirable, but typically optional.

-- 
Viktor.
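The distinction Viktor draws above, as an added illustration that is not part of the thread: a sender doing unauthenticated opportunistic TLS encrypts regardless of what name the MX certificate carries, while a sender doing authenticated TLS (DANE or MTA-STS) treats a name mismatch as a hard failure. The SAN lists and the `TlsPolicy` names below are constructed for the example; the matching rule follows RFC 6125 (exact label match, or a single leftmost wildcard label).

```python
from enum import Enum


class TlsPolicy(Enum):
    # Unauthenticated opportunistic TLS: encrypt if offered, never check the name.
    OPPORTUNISTIC = "may"
    # Authenticated TLS (DANE / MTA-STS style): the presented name must match the MX host.
    AUTHENTICATED = "secure"


def san_matches(san: str, mx_host: str) -> bool:
    """RFC 6125-style DNS-ID match: exact, or one wildcard in the leftmost label only."""
    san = san.lower().rstrip(".")
    mx_host = mx_host.lower().rstrip(".")
    if san == mx_host:
        return True
    if not san.startswith("*."):
        return False
    host_labels = mx_host.split(".")
    # The wildcard stands in for exactly one label and never matches a bare domain.
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == san[2:]


def certificate_names_match(sans, mx_host: str) -> bool:
    """True if any subjectAltName DNS entry in the MX certificate matches the MX hostname."""
    return any(san_matches(s, mx_host) for s in sans)


def decide_delivery(sans, mx_host: str, policy: TlsPolicy):
    """Return (session_proceeds, note) for a well-behaved sender seeing this certificate."""
    matched = certificate_names_match(sans, mx_host)
    if policy is TlsPolicy.OPPORTUNISTIC:
        # Certificate content is ignored; the session is still encrypted either way.
        return True, "encrypted, name " + ("matched" if matched else "ignored")
    if matched:
        return True, "encrypted and authenticated"
    # Authenticated policy: a mismatch defers delivery rather than falling back to clear text.
    return False, "deferred: certificate name does not match MX host"


if __name__ == "__main__":
    # Constructed case mirroring the thread: cert for the apex, MX at box.<domain>.
    sans = ["coakmail.com", "www.coakmail.com"]
    print(decide_delivery(sans, "box.coakmail.com", TlsPolicy.OPPORTUNISTIC))
    print(decide_delivery(sans, "box.coakmail.com", TlsPolicy.AUTHENTICATED))
```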