On Monday, 18 May 2020, 19:58:06 CEST, Dan Ritter wrote:
> Rainer Dorsch wrote:
> > Hi,
> >
> > I am just wondering what an efficient setup for TLS/DNS for exim looks
> > like:
> >
> > Right now I have an A entry in the DNS server for smtp.<domain> and a
> > letsencrypt certificate as well.
> >
> > If I set up a new server and call it SMTP2, I need to reconfigure this in
> > all my email clients. If I install the SMTP certificates, testing is
> > somewhat limited, since the DNS entry still points to another server and
> > I would need to fake this.
> >
> > Does anybody know if I can have a certificate for <hostname>.<domainname>
> > and use for smtp a CNAME?
> >
> > The advantage I would see is that I can have a fully functional config and
> > with disabling the SMTP name on the old system and changing the CNAME in
> > the DNS system, I could be done.
> >
> > Does anybody know if the standard email clients can handle the situation in
> > which they get as SMTP server a cname and as certificate the <hostname>
> > the SMTP cname points to?
>
> I think you're overcomplicating it.
>
> Your domain can and should have two or more MX records, with
> different priority levels. The MX records don't even have to
> point to names in your domain.
>
> Since you're using Let's Encrypt, certificates are free. So,
> for each mail server, set up an A and/or AAAA record. Add those
> to the MX records for your domain. Have LE produce certificates
> for the mail servers under the names they have assigned.
>
> Any mail sender will try each of your MX records, stopping when
> it gets to a working entry. Some spammers will try in reverse
> order, hoping that you don't have anti-spam measures on your
> secondary mail server.

Thanks, Dan, for your quick reply.

I was not concerned about incoming mail to my domain using the MX record. I was more concerned about the outgoing server configured in the email clients and used to send mail from my domain (at least so far I did not understand that they can make use of the MX record).

Thanks
Rainer

-- 
Rainer Dorsch
http://bokomoko.de/

