Re: [mailop] Certificate Question
It is typical for shared hosting, but in my case it's useful for splitting different departments of the same company.

On 15 Oct 2022 18:28:47 -0400 John Levine via mailop wrote:

> It appears that Mary via mailop said:
> >
> >I've never heard of SmarterMail server, I use dovecot.
> >
> >Dovecot allows me to set up 100+ domains on the same server, each with its
> >own certificate, thus always giving a valid TLS connection
> >without any certificate warnings.
>
> Does your IMAP server really have 100+ different names? That seems
> like a lot of effort for little benefit.
>
> R's,
> John

___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop

Re: [mailop] Certificate Question
Hey John,

On 16.10.22 00:28, John Levine via mailop wrote:

> It appears that Mary via mailop said:
> > I've never heard of SmarterMail server, I use dovecot.
> >
> > Dovecot allows me to set up 100+ domains on the same server, each with its
> > own certificate, thus always giving a valid TLS connection
> > without any certificate warnings.

I've just learned that postfix 3.4 allows SNI based certificates…

> Does your IMAP server really have 100+ different names? That seems
> like a lot of effort for little benefit.

imap.customer1.example
imap.customer2.example
imap.customer3.example
imap.customer4.example
...

Some day you don't want to explain "please use imap.provider.example to avoid certificate warnings" to each customer anymore. Also they usually want to use their own domain for everything.

Regards,
Thomas

-- 
Thomas Walter
Datenverarbeitungszentrale
FH Münster - University of Applied Sciences -
Corrensstr. 25, Raum B 112
48149 Münster
Tel: +49 251 83 64 908
Fax: +49 251 83 64 910
www.fh-muenster.de/dvz/

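Added example, not part of any poster's message: a sketch of the name check a mail client makes against the server certificate, and of a server choosing a per-name certificate from the SNI value, using the imap.customerN.example and imap.provider.example names from the message above. The certificate dicts are constructed samples in the shape returned by Python's ssl getpeercert(); the function names and the wildcard certificate are assumptions for illustration.

```python
# Added example (not from the thread). Certificates are constructed samples
# in the dict shape returned by ssl.SSLSocket.getpeercert().

def cert_dns_names(cert):
    """DNS names a client checks: subjectAltName entries, else subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN dNSName entries exist, the CN is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def client_accepts(cert, connect_name):
    """True when the name the client connected to is covered by the cert."""
    return any(name_matches(n, connect_name) for n in cert_dns_names(cert))

def pick_cert(cert_by_name, default_cert, sni_name):
    """Server side: per-name certificate chosen from the TLS SNI value."""
    return cert_by_name.get(sni_name.lower(), default_cert)

# Constructed sample certificates (hypothetical, for illustration only).
PROVIDER = {"subject": ((("commonName", "imap.provider.example"),),),
            "subjectAltName": (("DNS", "imap.provider.example"),)}
CUSTOMER1 = {"subject": ((("commonName", "imap.customer1.example"),),),
             "subjectAltName": (("DNS", "imap.customer1.example"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.provider.example"),)}
BY_NAME = {"imap.customer1.example": CUSTOMER1}

if __name__ == "__main__":
    for name in ("imap.provider.example", "imap.customer1.example",
                 "imap.customer2.example"):
        one = client_accepts(PROVIDER, name)
        sni = client_accepts(pick_cert(BY_NAME, PROVIDER, name), name)
        print(f"{name}: single cert ok={one}, SNI-selected cert ok={sni}")
```

imap.customer2.example fails in both columns because no certificate is registered for it and the server falls back to the provider certificate, which is the warning case described in the thread.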
Re: [mailop] Certificate Question
It appears that Grant Taylor via mailop said:

>So MTA-to-MTA probably doesn't matter much if at all.

That used to be true but now your life will be easier if your cert's name matches the MTA's name. That's the name of the mail host, not the names of the mail domains it handles. If you are the sort of person who gives his MTA multiple names via multiple MX'es, it is possible to make the certs work for that but I wouldn't recommend it.

> However MUA-to-MTA probably does matter.

Yes, the certs for POP, IMAP, and submission better have the right name. A free Let's Encrypt cert is fine for all of these.

R's,
John

Re: [mailop] Certificate Question
It appears that Mary via mailop said:

>
>I've never heard of SmarterMail server, I use dovecot.
>
>Dovecot allows me to set up 100+ domains on the same server, each with its own
>certificate, thus always giving a valid TLS connection
>without any certificate warnings.

Does your IMAP server really have 100+ different names? That seems like a lot of effort for little benefit.

R's,
John

Re: [mailop] Certificate Question
On 10/14/22 10:41 AM, ml+mailop--- via mailop wrote:

> Almost no MTA cares about the certificate content unless explicitly
> configured to do so.

Emphasis on MTA.

I've witnessed Thunderbird, and heard tell of other /MUAs/, caring about the CertSubject and AltNames matching the name used to connect to said MTA.

So MTA-to-MTA probably doesn't matter much if at all. However MUA-to-MTA probably does matter.

-- 
Grant. . . .
unix || die

Re: [mailop] Certificate Question
Ah ok I see, thanks!

-Original Message-
From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of ml+mailop--- via mailop
Sent: October 14, 2022 12:42 PM
To: mailop@mailop.org
Cc: ml+mai...@esmtp.org
Subject: Re: [mailop] Certificate Question

"What's the problem you are trying to solve?"

Almost no MTA cares about the certificate content unless explicitly configured to do so. Some check the names (CertSubject or AltNames), and some are "misconfigured" to require a cert signed by some specific CAs.

Testing with just one or two other systems won't tell you much.

Re: [mailop] Certificate Question
"What's the problem you are trying to solve?"

Almost no MTA cares about the certificate content unless explicitly configured to do so. Some check the names (CertSubject or AltNames), and some are "misconfigured" to require a cert signed by some specific CAs.

Testing with just one or two other systems won't tell you much.

Re: [mailop] Certificate Question
I've never heard of SmarterMail server, I use dovecot.

Dovecot allows me to set up 100+ domains on the same server, each with its own certificate, thus always giving a valid TLS connection without any certificate warnings.

On Fri, 14 Oct 2022 10:56:42 -0400 Michael Ellis via mailop wrote:

> Ok this ESP guy is an excellent programmer but a bit lacking in all else.
>
> Can anyone diagnose his issue? It's not my wheelhouse either?
>
> Do you know about certificates for mail servers? I’m trying out the
> SmarterMail server and had some confusion about how to configure secure
> access. I assumed SmarterMail would allow a certificate per domain but they
> don’t. Instead they have certificates based on the protocol. I stuck a
> goolara.com certificate in and then Outlook desktop asked if I wanted to use
> the certificate when I tried to connect via IMAP SSL (993). I allowed it, but
> this isn’t something I experienced when using on-line mail servers, so I
> wonder how they handle secure connections without giving that certificate
> warning. Do you know?
>
> Also, the sending side is confusing me some. Google is reporting that the
> connection was secure and doesn’t give that annoying warning about not being
> encrypted, but I’m sending for a domain that is different than my certificate
> so I’m not sure why that is allowed. I have configured my Symphonie software
> to use STARTTLS and encrypt the connection but I only do it if I’ve received
> a SSL cert from the customer for that domain. But is that not necessary? Can
> the connection be secure with any domain’s certificate and still be accepted
> by the ISPs?
>
> Any help gratefully accepted

[mailop] Certificate Question
Ok this ESP guy is an excellent programmer but a bit lacking in all else.

Can anyone diagnose his issue? It's not my wheelhouse either?

Do you know about certificates for mail servers? I’m trying out the SmarterMail server and had some confusion about how to configure secure access. I assumed SmarterMail would allow a certificate per domain but they don’t. Instead they have certificates based on the protocol. I stuck a goolara.com certificate in and then Outlook desktop asked if I wanted to use the certificate when I tried to connect via IMAP SSL (993). I allowed it, but this isn’t something I experienced when using on-line mail servers, so I wonder how they handle secure connections without giving that certificate warning. Do you know?

Also, the sending side is confusing me some. Google is reporting that the connection was secure and doesn’t give that annoying warning about not being encrypted, but I’m sending for a domain that is different than my certificate so I’m not sure why that is allowed. I have configured my Symphonie software to use STARTTLS and encrypt the connection but I only do it if I’ve received a SSL cert from the customer for that domain. But is that not necessary? Can the connection be secure with any domain’s certificate and still be accepted by the ISPs?

Any help gratefully accepted