SSL certificates per Domain #246
Comments
Wouldn't you need a dedicated IP address for each certificate?
Do you know which clients work well with SNI? Other mail servers (workaround: you could use SNI only on port 587/465)? Since letsencrypt allows multidomain-certs, it's only a cosmetic thing if someone checks the certificate manually (how do you check the SSL cert in a mail application?). For browser access you could still use a subdomain (webmail.example.org) using SNI.
If the client is not sending an SNI hostname, then there is a 'fallback' to a certificate which has all hostnames in the SAN field. Or you could see it as a 'default' as long as the client doesn't send SNI. Actually the only really needed config for exim is in the 2 lines from my PR and this has no negative impact if there is only one certificate using SANs. I don't know how people normally get/deploy their certificates - no matter whether one cert per domain or a single cert with SANs. But a script like this will do the automation of the crucial process of adding/removing/renewing domains. BTW: I didn't test the script with IPv4 as IPv6 is easier on a NATed virtualisation environment. But I think there is a bug or a problem when the server is behind a NAT. I'll look into this later.
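The fallback behaviour described in the comment above, sketched as an added example (not code from this project or from the PR): a per-domain certificate is chosen only when the client-supplied SNI name is a well-formed hostname and a matching file exists, otherwise the multi-SAN default is served. The `<hostname>.pem` layout and the names `normalize_sni` and `select_cert` are assumptions made for illustration; the SNI value is treated as untrusted input because it ends up in a file path.

```python
import re
import tempfile
from pathlib import Path

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def normalize_sni(sni):
    """Return the lowercased hostname if the client-supplied SNI is a plain
    DNS name, else None. Anything else (path separators, empty labels,
    control characters) is rejected before it can reach a file path."""
    if not sni:
        return None
    name = sni.lower().rstrip(".")
    if len(name) > 253 or not all(_LABEL.fullmatch(p) for p in name.split(".")):
        return None
    return name


def select_cert(sni, cert_dir, default_cert):
    """Pick <cert_dir>/<hostname>.pem (hypothetical layout) when the client
    sent a usable SNI name and that file exists; otherwise fall back to the
    default certificate that lists every hostname in its SAN field."""
    name = normalize_sni(sni)
    if name is None:
        return Path(default_cert)
    candidate = Path(cert_dir) / f"{name}.pem"
    return candidate if candidate.is_file() else Path(default_cert)


def demo():
    """Constructed layout: one per-domain cert, a SAN default, and a file
    outside the cert directory that must never be selected."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "certs").mkdir()
        (root / "certs" / "mail.example.org.pem").write_text("placeholder")
        (root / "default.pem").write_text("placeholder")
        (root / "secret.pem").write_text("placeholder")
        cases = [None, "mail.example.org", "MAIL.Example.ORG.",
                 "other.example.net", "../secret"]
        return {str(c): select_cert(c, root / "certs", root / "default.pem").name
                for c in cases}


if __name__ == "__main__":
    for sni, chosen in demo().items():
        print(f"{sni!r:22} -> {chosen}")
```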
The idea is that we have different SSL certs. Eg. one per domain.
Normally I get my certificates with certbot from letsencrypt.
For some people it's confusing to see a certificate from a different domain on connecting to the mailserver.
I don't know if or how easily this could be done.
Let me know if you think this is completely stupid.