On Sun, Apr 24, 2022 at 08:53:25AM +0700, Olivier <olivier.nic...@cs.ait.ac.th> wrote:
> ミユナ (alice) <al...@coakmail.com> writes:
>
> > may I ask another question I am not sure.
> >
> > I have got the certificates from letsencrypt for the root domain, in
> > this case it's coakmail.com
> >
> > since the MUA uses coakmail.com as smtp/imap servers, this has no problem.
> >
> > but my MX RR is: box.coakmail.com
>
> You definitely need the certificate for box.coakmail.com because that's
> the actual server that receives all the traffic.
>
> Best
> Olivier

I don't think that's right. In general, the domain in the MX RR
doesn't need to match any of the domains in the certificate.
Mail servers will not check unless they've been specifically
configured to do so. Unless something's changed(?).

But MUAs like Thunderbird do check, so the hostname that they are
configured to connect to should match a domain in the certificate.
That's happening in this case, so it should be fine.

> > I know MX only accepts messages on port 25 (I am right here?),

Yes. The mail server might accept mail on other ports (465/587),
but not because of the MX record. That's because of MUAs configured
to send mail via that server.

> > so the
> > certs issued to root domain will have no side effect for the incoming
> > messages from other MTAs?

I'm fairly sure that's correct. MTAs generally don't care if the MX
domain doesn't match the certificate on port 25. But MUAs generally
do care if the hostname they are configured to connect to doesn't
match the certificate on whatever ports they connect to: e.g.,
465/587/993/995. At least, I've seen that with Thunderbird.

> > Thanks.

cheers,
raf
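To make the distinction raf draws concrete, here is an added Python example (an editorial illustration, not code from anyone in the thread): it applies the RFC 6125 style dNSName matching that a name-checking MUA performs to a constructed SAN list and the hostnames from this thread, and records that MTA-to-MTA delivery on port 25 does not apply that check unless the sending MTA is configured to verify. The SAN list and endpoint table are assumptions built from the thread, not real certificate data.

```python
"""Would a certificate satisfy a name-checking client for each mail endpoint?
MUAs (465/587/993/995) verify the configured hostname against the cert;
opportunistic TLS between MTAs on port 25 normally skips that check."""


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: exact, or a single leading '*' label that
    matches exactly one label ('*.coakmail.com' covers box.coakmail.com
    but not coakmail.com itself, nor a.b.coakmail.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if len(plabels) != len(hlabels) or plabels[0] != "*" or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def cert_covers(san_names, hostname) -> bool:
    """True if any dNSName SAN in the certificate matches hostname."""
    return any(dnsname_matches(n, hostname) for n in san_names)


# Constructed scenario mirroring the thread: certificate issued for the apex
# only, MUAs pointed at coakmail.com, MX target box.coakmail.com.
CERT_SANS = ["coakmail.com", "www.coakmail.com"]
ENDPOINTS = {
    # label: (hostname the client connects to, whether that client verifies)
    "submission 587 (MUA, verifies name)": ("coakmail.com", True),
    "imaps 993 (MUA, verifies name)": ("coakmail.com", True),
    "smtp 25 from other MTAs (MX target)": ("box.coakmail.com", False),
}


def check_endpoints(san_names, endpoints):
    """Return {label: (name_matches, connection_fails)}; a name mismatch
    only breaks the connection where the client actually verifies it."""
    result = {}
    for label, (host, client_verifies) in endpoints.items():
        ok = cert_covers(san_names, host)
        result[label] = (ok, client_verifies and not ok)
    return result


if __name__ == "__main__":
    for label, (ok, fails) in check_endpoints(CERT_SANS, ENDPOINTS).items():
        print(f"{label:40} match={ok!s:5} connection fails={fails}")
```

Swapping `CERT_SANS` for `["*.coakmail.com"]` shows the opposite failure: the MX target matches but the apex hostname the MUAs use does not.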