SSL certificate and incoming/outgoing mail server domain setting


#1

Hi,

In a previous thread I asked about setting up a third-party SSL certificate for a single domain on one of Bytemark’s machines.

https://forum.bytemark.co.uk/t/adding-third-party-ssl-certificate-to-one-domain/2815

This went pretty much to plan, but an issue now arises with the email.

Generally, we’ve set up email software to use an incoming and outgoing server name of the base machine name (i.e. example.vm.bytemark.co.uk).

This works fine for Let’s Encrypt, but the issue arises now one domain has its own certificate - there’s an obvious mismatch between the domain and the machine.

Can my client just use the domain name in question as the incoming and outgoing server, or is there something else we need to do?


#2

Well, the SMTP and IMAP servers are still going to be using the same certificates they always did. Unless you want to blaze a trail and work out how to get both those to support SNI.


#3

So is there any way to have SMTP and IMAP for this domain be served by the domain itself?

The issue is the domain’s email now seems to be in limbo — there’s no Let’s Encrypt certificate any more because of the paid-for SSL certificate, but they can’t send mail securely using the domain certificate, as it’s using the machine name.

I don’t think an additional IP address, or even this domain on a machine of its own, can solve this issue, as I’m trying to understand it.


#4

Thinking about it, I suppose the third-party certificate is irrelevant, as that’s just for securing web data between the server and end user, whereas SSL on email is a separate issue.

The client was getting a mismatch error on their domain when trying to set up email on a tablet, and citing Let’s Encrypt as the certificate provider.

Should the client proceed to trust this? I thought with SNI these mismatch issues for email had been resolved.


#5

Well, yes, actually a second IP address could work. That’s how web sites worked before SNI was implemented. You’d have a server process per site, listening on its own IP address, each with its own configuration file, pointing to a separate SSL certificate.

And you could do that with Exim: have a separate Exim configuration per IP address, each serving a particular domain, and with its own SSL cert. But it’s probably easier to hack the Exim configuration to use SNI. Exim does support SNI, so it is feasible. It’s just that we’ve not tried it with Symbiosis.
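The mismatch the client saw comes from the mail client connecting to one name (the customer’s domain) while the server presents a certificate issued for another (the machine name). The Python below is added here as an illustration and is not code from this thread, from Bytemark or from Symbiosis. It implements the hostname-matching rule a mail client applies to the names in a certificate, and a STARTTLS probe that sends a chosen SNI name so an administrator can see which certificate the server actually presents for the machine name versus the customer domain, which is the quickest way to confirm whether the server honours SNI. All hostnames, the EHLO name `probe.invalid` and the certificate dictionary are constructed placeholders.

```python
"""Mail-server certificate name check, as discussed in this thread.
Added example; not code from the thread, Bytemark or Symbiosis.
All hostnames and certificate data below are constructed placeholders."""
import socket
import ssl
from typing import Iterable, List


def name_matches(cert_name: str, hostname: str) -> bool:
    """Does one DNS name taken from a certificate cover hostname?
    Follows the RFC 6125 rule mail clients apply: case-insensitive, label by
    label, and a wildcard is honoured only as the entire left-most label."""
    pat = cert_name.rstrip(".").lower().split(".")
    host = hostname.rstrip(".").lower().split(".")
    if len(pat) != len(host):
        return False
    if any("*" in label for label in pat[1:]) or ("*" in pat[0] and pat[0] != "*"):
        return False  # '*' outside the left-most label, or partial forms like 'm*'
    return pat[1:] == host[1:] and pat[0] in ("*", host[0])


def cert_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any DNS name in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)


def san_names_from_cert(cert: dict) -> List[str]:
    """Pull DNS names out of the dict ssl.SSLSocket.getpeercert() returns,
    falling back to the subject commonName for certificates without a SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for kind, value in rdn
                 if kind == "commonName"]
    return names


def explain(san_names: Iterable[str], hostname: str) -> str:
    """One-line diagnosis of the kind of error the thread describes."""
    names = list(san_names)
    if cert_covers(names, hostname):
        return f"OK: certificate covers {hostname}"
    return (f"MISMATCH: client was told to use {hostname} but the server presented "
            f"a certificate for {', '.join(names)}")


# Constructed stand-in for what getpeercert() returns for a Let's Encrypt
# certificate issued to the machine name (placeholder names, not real ones).
MACHINE_CERT = {
    "subject": ((("commonName", "example.vm.bytemark.co.uk"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "example.vm.bytemark.co.uk"),),
}


def probe_smtp_starttls(connect_host: str, sni_name: str, port: int = 587,
                        timeout: float = 10.0) -> str:
    """Live check (needs network): STARTTLS to connect_host, sending sni_name
    as the TLS server name, and report whether the certificate the server
    actually presents covers sni_name. Running it once with the machine name
    and once with the customer's domain shows whether the server honours SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # name check is done by cert_covers instead
    ctx.verify_mode = ssl.CERT_REQUIRED  # but a trusted chain is still required
    with socket.create_connection((connect_host, port), timeout=timeout) as raw:
        reader = raw.makefile("rb")

        def expect(code: str) -> None:
            # Consume one SMTP reply, including multi-line "250-..." forms.
            while True:
                line = reader.readline().decode("ascii", "replace")
                if line[:3] != code:
                    raise RuntimeError(f"unexpected SMTP reply: {line.strip()!r}")
                if not line.startswith(code + "-"):
                    return

        expect("220")
        raw.sendall(b"EHLO probe.invalid\r\n")   # placeholder EHLO name
        expect("250")
        raw.sendall(b"STARTTLS\r\n")
        expect("220")
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
    return explain(san_names_from_cert(cert), sni_name)


if __name__ == "__main__":
    # Offline demonstration using the constructed certificate above.
    print(explain(san_names_from_cert(MACHINE_CERT), "mail.example.org"))
    print(explain(san_names_from_cert(MACHINE_CERT), "example.vm.bytemark.co.uk"))
```

Run stand-alone it prints the MISMATCH line for the customer domain and the OK line for the machine name, which is exactly the situation the client hit: the certificate itself is valid and trusted, it just was not issued for the name typed into the mail client. The probe keeps chain verification on and only disables the built-in hostname check, so it still refuses a self-signed or untrusted certificate while letting you inspect the names on a mismatched one.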


#6

Thanks for the reply.

The client is happy enough to use the Let’s Encrypt SSL connection for their email. Operationally it doesn’t have any issues — I jumped rather too quickly when they sent me messages about machine mismatches, but I think it’s all resolved itself now.