On Sun, Jun 19, 2022 at 03:12:23PM +0200, Maurizio Caloro wrote:

> One more point: when checking the domains with tls-check, caloro.ch is
> fine, but calm-ness.ch still has an error remaining. I also configured
> the local DNS server with my two domains, but it always ends with this.
Your mistake is to use different MX hostnames for the two domains.
Instead of:

    caloro.ch.    IN MX 10 nmail.caloro.ch.
    calm-ness.ch. IN MX 10 nmail.calm-ness.ch.

configure your MX records as:

    caloro.ch.    IN MX 10 nmail.caloro.ch.
    calm-ness.ch. IN MX 10 nmail.caloro.ch.

> tlsCheck-Calm-ness.ch -> Cert Hostname DOES NOT VERIFY (nmail.calm-ness.ch
> != nmail.caloro.ch | DNS:nmail.caloro.ch)
> tlsCheck-Calm-ness.ch -> So email is encrypted but the host is not verified

By default, STARTTLS in SMTP is unauthenticated opportunistic TLS. Having a
non-matching hostname in the certificate is tolerated by the vast majority
of sending systems. "Valid" certificates are only required if you configure
DANE-TA(2) (trust anchor) TLSA records:

    https://datatracker.ietf.org/doc/html/rfc7672#section-3.1.2

or publish an MTA-STS policy:

    https://datatracker.ietf.org/doc/html/rfc8461#section-3

-- 
    Viktor.
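The following is an added example, not code from the thread or from any tool mentioned in it. It models the reply's point: the server presents one certificate whose SAN is only `nmail.caloro.ch` (as the quoted tls-check output shows), so a certificate-name check against each domain's MX hostname fails for calm-ness.ch with the original MX records and passes once both domains point at `nmail.caloro.ch`. The `hostname_matches`, `verify_mx_setup` and `starttls_check` functions and the `BEFORE`/`AFTER` record sets are constructed for this example; `starttls_check` needs network access and is not exercised offline.

```python
"""Does a domain's MX hostname match the names in the MX host's certificate?

Added example (not from the postfix-users thread). The hostname match is what
a sending MTA performs when DANE-TA(2) or MTA-STS requires a "valid"
certificate; plain opportunistic STARTTLS does not perform it at all.
"""
import smtplib
import ssl


def hostname_matches(mx_host, san_dns_names):
    """Return True if mx_host matches one of the certificate's DNS SANs.

    Exact match is case-insensitive and ignores a trailing dot; a '*.example'
    entry matches exactly one leftmost label (RFC 6125 style), never the bare
    suffix and never more than one label.
    """
    host = mx_host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # "*.caloro.ch" -> ".caloro.ch"
            if host.endswith(suffix):
                label = host[: -len(suffix)]       # the part the '*' must cover
                if label and "." not in label:
                    return True
    return False


def verify_mx_setup(mx_records, cert_sans):
    """For each domain -> MX hostname, report whether a certificate carrying
    cert_sans would verify for that MX hostname."""
    return {domain: hostname_matches(mx, cert_sans) for domain, mx in mx_records.items()}


# Constructed data mirroring the thread: one server, one certificate, whose
# only SAN is nmail.caloro.ch (from the quoted "DNS:nmail.caloro.ch" output).
CERT_SANS = ["nmail.caloro.ch"]

# MX records as originally configured (a different MX hostname per domain).
BEFORE = {"caloro.ch": "nmail.caloro.ch", "calm-ness.ch": "nmail.calm-ness.ch"}

# MX records as recommended in the reply (both domains use the same MX host).
AFTER = {"caloro.ch": "nmail.caloro.ch", "calm-ness.ch": "nmail.caloro.ch"}


def starttls_check(mx_host, port=25, timeout=10):
    """Live check (network required; hypothetical helper, not run offline).

    Opens SMTP to mx_host, issues STARTTLS with certificate and hostname
    verification switched on, and returns (tls_offered, verified, error).
    A verification failure means the server offered TLS but its certificate
    does not chain to a trusted CA or does not carry mx_host as a SAN; a
    sending MTA doing opportunistic TLS would still encrypt in that case.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)       # verifies against mx_host
            return True, True, None
    except ssl.SSLCertVerificationError as exc:
        return True, False, str(exc)
    except (OSError, smtplib.SMTPException) as exc:
        return False, False, str(exc)


if __name__ == "__main__":
    for label, records in (("before", BEFORE), ("after", AFTER)):
        print(label, verify_mx_setup(records, CERT_SANS))
```

Running the block prints `before {'caloro.ch': True, 'calm-ness.ch': False}` and `after {'caloro.ch': True, 'calm-ness.ch': True}`, which is the same outcome tls-check reported: the same certificate is fine for one MX name and not the other, and changing the MX record rather than the certificate fixes it. `starttls_check("nmail.caloro.ch")` would perform the live equivalent for one host.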