DNS records, mail servers, and domains


Tom Browder
I have been soliciting help from this list for some time now in the process of planning my new single-server, multi-domain web and mail server, with domains 'domain1.tld1' through 'domainN.tldN'.

I have been experimenting with Let's Encrypt clients with mixed success, and, as of this morning, think I have all the bugs worked out for all my domains.  In the example use of the client it shows creating a single server cert for 'foo.com www.foo.com smtp.foo.com'.

I don't pretend to know all the details yet, but I believe that I must have only one MTA on the server and that it must have a single name which is the same for the MX record for each of the multiple domains.  My planned name is 'mail.domain1.tld1'.

Now my question:  is there any future benefit to having tls certs for a host name of "smtp.domain.tld" for each "domain.tld" when all domains will have the same mail server?

Thanks.

-Tom

Re: DNS records, mail servers, and domains

Viktor Dukhovni

> On Jul 26, 2017, at 10:28 AM, Tom Browder <[hidden email]> wrote:
>
> Now my question:  is there any future benefit to having tls certs for a host name of "smtp.domain.tld" for each "domain.tld" when all domains will have the same mail server?

No, for inbound mail a single MX hostname shared across all hosted
domains and an associated shared name in the certificate is best.

If you're also doing port 587 submission, and/or imap then it sometimes
makes more sense to have per-domain certificates.  I've still not had
the time to implement support for server-side SNI in Postfix, so multiple
certificates for submission are not well supported in Postfix.

I don't quite understand how service providers go about obtaining
legitimate certificates for client domains they don't control.
If all the domains are yours, a single shared name for the submission
service is again simpler.

--
        Viktor.

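Viktor's point is that the name a sending MTA verifies is the MX hostname, not the recipient domain, which is why one shared MX name in one certificate covers every hosted domain. The following script is an added example, not code from this thread or from Postfix: it takes a constructed set of MX answers (stand-ins for Tom's 'domain1.tld1' ... 'domainN.tldN') and a constructed SAN list for the shared certificate, and reports any domain whose MX target the certificate does not name, matching names the way a DANE (RFC 7672) or MTA-STS verifier does.

```python
"""Check that every hosted domain's MX target is a name in the shared
mail-server certificate.

Added example, not from the thread. All hostnames and the SAN list are
constructed placeholders.
"""
from __future__ import annotations

# Constructed DNS data: what `dig MX <domain>` would return for each hosted
# domain. Every domain but one points at the single shared MX host.
MX_RECORDS = {
    "domain1.tld1": ["mail.domain1.tld1."],
    "domain2.tld2": ["mail.domain1.tld1."],
    "domain3.tld3": ["MAIL.Domain1.TLD1."],   # DNS names are case-insensitive
    "domain4.tld4": ["smtp.domain4.tld4."],   # stray per-domain MX, not in the cert
}

# Constructed subjectAltName list of the one certificate served on port 25.
CERT_SANS = ["mail.domain1.tld1", "www.domain1.tld1", "domain1.tld1"]


def normalize(name: str) -> str:
    """Strip the trailing dot DNS tools print and fold case."""
    return name.rstrip(".").lower()


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or a leftmost '*' label that covers
    exactly one label (so '*.tld1' does not cover 'mail.domain1.tld1')."""
    san, host = normalize(san), normalize(host)
    if san == host:
        return True
    if san.startswith("*."):
        san_labels = san.split(".")[1:]
        host_labels = host.split(".")
        return (len(host_labels) == len(san_labels) + 1
                and host_labels[1:] == san_labels)
    return False


def check_mx_coverage(mx_records: dict[str, list[str]],
                      cert_sans: list[str]) -> dict[str, list[str]]:
    """Return {domain: [MX hosts not named in the certificate]}.

    An empty dict means every MX target the hosted domains advertise is a
    name the shared certificate carries, which is the shared-MX setup
    recommended above."""
    problems: dict[str, list[str]] = {}
    for domain, mx_hosts in mx_records.items():
        missing = [h for h in mx_hosts
                   if not any(san_matches(s, h) for s in cert_sans)]
        if missing:
            problems[domain] = missing
    return problems


if __name__ == "__main__":
    for domain, hosts in check_mx_coverage(MX_RECORDS, CERT_SANS).items():
        print(f"{domain}: MX {hosts} not covered by the certificate SANs")
```

Only 'domain4.tld4' is reported with the constructed data: its MX points at a per-domain name the shared certificate does not carry, which is exactly the situation where a verifying sender would refuse or downgrade TLS. Replace the two constructed tables with real `dig MX` output and the SAN list from `openssl x509 -noout -ext subjectAltName` to run the same check against a live setup.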

Re: DNS records, mail servers, and domains

Tom Browder

On Wed, Jul 26, 2017 at 10:08 Viktor Dukhovni <[hidden email]> wrote:
>> On Jul 26, 2017, at 10:28 AM, Tom Browder <[hidden email]> wrote:
>> Now my question:  is there any future benefit to having tls certs for a host name of "smtp.domain.tld" for each "domain.tld" when all domains will have the same mail server?
>
> No, for inbound mail a single MX hostname shared across all hosted
> domains and an associated shared name in the certificate is best.
> If you're also doing port 587 submission, and/or imap then it sometimes
> makes more sense to have per-domain certificates.  I've still not had
> the time to implement support for server-side SNI in Postfix, so multiple
> certificates for submission are not well supported in Postfix.

Okay, Viktor, thanks, I think I understand a bit.  Given the present state of Postfix, does this sound reasonable for the single server:

1. each domain with a webserver will have its own server cert (all webservers use the same ip address)

2. the mail server has its own server cert and a unique ip address

3. in case I want to use remote smtp access from my local host, I will have another address and server cert for it, also on its own ip address

-Tom
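Tom's items 2 and 3 above are the way to carry two certificates on a Postfix build that has no server-side SNI: give each smtpd service its own listening address and its own certificate. The fragment below is an added configuration sketch, not from the thread or from Postfix documentation; the addresses, hostnames and certificate paths are assumed placeholders.

```text
# /etc/postfix/main.cf  (assumed values)
myhostname = mail.domain1.tld1
inet_interfaces = 192.0.2.25, 192.0.2.26
# One certificate named mail.domain1.tld1 for the port-25 MX listener;
# every hosted domain's MX record points at this one name.
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain1.tld1/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mail.domain1.tld1/privkey.pem
smtpd_tls_security_level = may

# /etc/postfix/master.cf
# service            type  private unpriv chroot wakeup maxproc command
# Inbound MX service bound to its own address, using the main.cf certificate.
192.0.2.25:smtp        inet  n       -      n      -      -       smtpd
# Submission bound to a second address, with a different certificate
# (assumed name smtp.domain1.tld1) overridden per service with -o.
192.0.2.26:submission  inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.domain1.tld1/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/smtp.domain1.tld1/privkey.pem
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

The per-domain web certificates from item 1 stay with the HTTP server on the third address, where browser SNI does the name selection that Postfix cannot. After editing, `postfix check` and `postconf -M` will show whether the per-service overrides parsed as intended.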