Hi Taco,

Welcome back, it's good to "see" you again.


In the past I had all my customers connect to mail. followed by their own domain name, and when secure SMTP and POP3/IMAP were not active that worked fine. But since secure SMTP (SSL or STARTTLS) or secure POP3/IMAP is the standard, the customers get confronted with a certificate warning, as the server will respond with the server's hostname in the certificate.

I have been thinking about including all the mail.* hostnames in the 'server' certificate, but LE certificates can only hold up to 100 hostnames, so on servers with more than 100 domains/vhosts this approach does not work well.

So I am wondering how others do this.

Right.  On our fleet of legacy (5209R) BlueOnyx servers, we have instructed customers to use the server hostname to make a connection.  In other words, if they are hosted on, for instance, web1.domain.tld, we simply place in their instructions to use web1.domain.tld in the incoming/outgoing hostname.

This isn't 100% perfect, since if we migrate the domain to another server (i.e. web2.domain.tld) then the certificate will fail again. However, we don't typically do this, and if we do migrate VSITEs to another server, it's usually to a direct replacement, so the hostname will stay the same. (This would occur if we upgraded from 5209R to 5210R.)

Beginning with 5210R, it's possible to use SNI: https://www.blueonyx.it/news/267/15/5210R-Postfix-SNI-for-Email-and-Maildir

You mention LE not having the ability to use > 100 hostnames, and my suggestion might be to cap the number of VSITEs hosted on a particular server. Since nearly everything we do is virtualized these days, that's a good way for us to not have too many eggs in a single basket.

These approaches may not be a one-size-fits-all, but it gives some insight on what we're doing.

--
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com  | toll-free (866) 4 VIRTBIZ
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
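The thread above turns on three things: which hostnames a certificate actually covers (why mail.customer.tld gets a warning when the server presents web1.domain.tld), the Let's Encrypt limit of 100 names per certificate, and the per-name SNI mapping that Postfix 3.4+ supports. The following Python script is an added example to illustrate those points; it is not code from the thread, from BlueOnyx or from the linked article. All hostnames, the /etc/postfix/sni directory and the one-PEM-file-per-name layout are constructed assumptions. The SAN matcher is deliberately strict (only a leading `*.` wildcard, matching exactly one label), which is how browsers and most MUAs behave.

```python
"""Certificate coverage, 100-name batching and a Postfix SNI map.

Added example for the mail.<customer-domain> discussion. Hostnames, paths
and the PEM layout below are constructed assumptions, not BlueOnyx's.
"""
from typing import Iterable, List

# Let's Encrypt's published limit of names per certificate.
LE_MAX_NAMES = 100


def san_matches(hostname: str, san: str) -> bool:
    """Return True if a dNSName SAN entry covers hostname.

    Matching is case-insensitive and ignores a trailing dot. Only a leading
    '*.' wildcard is accepted, and it stands for exactly one DNS label:
    '*.domain.tld' covers 'mail.domain.tld' but neither 'domain.tld' nor
    'a.b.domain.tld', and never 'mail.customer.tld'.
    """
    host = hostname.rstrip(".").lower()
    san = san.rstrip(".").lower()
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]                   # ".domain.tld"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]       # what the '*' would have to stand for
    return bool(label) and "." not in label


def is_covered(hostname: str, sans: Iterable[str]) -> bool:
    """True if any SAN in the presented certificate covers hostname."""
    return any(san_matches(hostname, s) for s in sans)


def uncovered_hostnames(hostnames: Iterable[str], sans: Iterable[str]) -> List[str]:
    """Hostnames clients will get a certificate warning for."""
    san_list = list(sans)
    return sorted(h for h in hostnames if not is_covered(h, san_list))


def plan_certificates(hostnames: Iterable[str], max_names: int = LE_MAX_NAMES) -> List[List[str]]:
    """Split a hostname list into certificate batches of at most max_names.

    Deterministic (sorted, de-duplicated) so re-running produces the same
    batches and therefore the same certificate boundaries.
    """
    names = sorted({h.rstrip(".").lower() for h in hostnames})
    return [names[i:i + max_names] for i in range(0, len(names), max_names)]


def postfix_sni_map(hostnames: Iterable[str], pem_dir: str = "/etc/postfix/sni") -> List[str]:
    """Source lines for a Postfix tls_server_sni_maps table.

    Postfix 3.4+ looks the SNI name up and expects PEM file(s) holding the
    private key first, then the certificate chain. One combined PEM per
    hostname in pem_dir is an assumed layout for this example.
    """
    return [f"{h} {pem_dir}/{h}.pem" for h in sorted({h.lower() for h in hostnames})]


if __name__ == "__main__":
    # Constructed data: the server's own certificate and two customer vhosts.
    server_sans = ["web1.domain.tld", "*.domain.tld"]
    customer_mail_hosts = ["mail.customer1.tld", "mail.customer2.tld"]

    print("Warnings with the server-only certificate:",
          uncovered_hostnames(customer_mail_hosts, server_sans))
    print("Warnings after adding the mail.* names:",
          uncovered_hostnames(customer_mail_hosts, server_sans + customer_mail_hosts))

    many = [f"mail.customer{i}.tld" for i in range(250)]
    print("Certificates needed for 250 vhosts:",
          [len(batch) for batch in plan_certificates(many)])

    print("\n".join(postfix_sni_map(customer_mail_hosts)))
```

`uncovered_hostnames` is the check to run before switching customers to mail.<their-domain>: an empty list means no warning. `plan_certificates` shows the real cost of the SAN approach on a busy server (250 vhosts means three certificates to issue, renew and deploy), which is the reason SNI, or the per-server VSITE cap described above, is the more workable route.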