SSL/TLS cert for multiple domains?

ras07
Normal user
Posts: 228
Joined: 2010-03-11 08:51

SSL/TLS cert for multiple domains?

Post by ras07 » 2019-04-15 05:52

Do you need to have a multi-domain (SAN) cert if your hmailserver instance supports multiple email domains (and answers to multiple domain names in MX records)? I always assumed yes, and I've always had SAN certs. But I recently added a new domain to my mail server and forgot all about the certificate, and it doesn't appear to have caused any ill effects.

It seems odd that a mail client or an MTA wouldn't complain that a cert was issued to a domain other than what it thinks it's talking to.

Or is TLS support in SMTP (and IMAP) specifically designed to facilitate only encryption, and not authentication? (Although if that's the case, I'm not sure what the point would be for mail clients to complain when a cert expires - which they definitely do.)

mattg
Moderator
Posts: 21103
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL/TLS cert for multiple domains?

Post by mattg » 2019-04-15 08:40

ras07 wrote (2019-04-15 05:52):
    Or is TLS support in SMTP (and IMAP) specifically designed to facilitate only encryption, and not authentication?
Correct

You need a cert that matches the 'local host name' in SMTP >> Delivery of email and that is it.

Ideally your domains should each point to the same FQDN as an MX record, and your RDNS should also match this

That's what Outlook365 and gmail both do for hosted domains
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

ras07
Normal user
Posts: 228
Joined: 2010-03-11 08:51

Re: SSL/TLS cert for multiple domains?

Post by ras07 » 2019-04-16 08:37

mattg wrote (2019-04-15 08:40):
    ras07 wrote (2019-04-15 05:52):
        Or is TLS support in SMTP (and IMAP) specifically designed to facilitate only encryption, and not authentication?
    Correct

    You need a cert that matches the 'local host name' in SMTP >> Delivery of email and that is it.
Hmm, apparently this isn't correct for IMAP ... I imagine it's client-dependent, but at least one email client (Thunderbird) does authenticate the IMAP server. It complains if the IMAP server doesn't have a cert that matches the server name the client is configured for.

Example:
  • hMailServer instance handles mail for both example.com and myorg.org
  • Settings | Protocols | SMTP | Delivery of e-mail | local host name is set to mail.example.com
  • hMailServer is configured with a cert that only lists mail.example.com
  • Both mail.example.com and mail.myorg.org resolve to the hMailServer's IP address
  • User configures IMAP in Thunderbird so that Account Settings | Server Settings | Server Name is set to mail.myorg.org
  • User gets a Security Exception dialog box that says "Legitimate ... sites will not ask you to do this"
Getting a SAN cert that lists both mail.example.com and mail.myorg.org solves the problem.

palinka
Senior user
Posts: 2170
Joined: 2017-09-12 17:57

Re: SSL/TLS cert for multiple domains?

Post by palinka » 2019-04-16 11:38

ras07 wrote (2019-04-16 08:37):
    Hmm, apparently this isn't correct for IMAP ... I imagine it's client-dependent, but at least one email client (Thunderbird) does authenticate the IMAP server. It complains if the IMAP server doesn't have a cert that matches the server name the client is configured for.

    Example:
      • hMailServer instance handles mail for both example.com and myorg.org
      • Settings | Protocols | SMTP | Delivery of e-mail | local host name is set to mail.example.com
      • hMailServer is configured with a cert that only lists mail.example.com
      • Both mail.example.com and mail.myorg.org resolve to the hMailServer's IP address
      • User configures IMAP in Thunderbird so that Account Settings | Server Settings | Server Name is set to mail.myorg.org
      • User gets a Security Exception dialog box that says "Legitimate ... sites will not ask you to do this"
    Getting a SAN cert that lists both mail.example.com and mail.myorg.org solves the problem.
It's not "client dependent", it's server dependent. Why would you expect your client to receive mail if you configured it for the wrong address? You may as well put gmail instead of mail.myorg.com.

But yes, a SAN certificate will solve that issue.

ras07
Normal user
Posts: 228
Joined: 2010-03-11 08:51

Re: SSL/TLS cert for multiple domains?

Post by ras07 » 2019-04-16 20:26

palinka wrote (2019-04-16 11:38):
    It's not "client dependent", it's server dependent.
Well, no, it's client dependent. You can write software to do whatever you want, and if you want it to ignore cert ownership, you certainly can. I know of at least several that do; the one on my Android phone, for instance (that was how this whole conversation started; I added a new domain and forgot about the cert, and was surprised that everything was working). It leaves you open to a combination DNS cache poisoning/MITM attack.

palinka
Senior user
Posts: 2170
Joined: 2017-09-12 17:57

Re: SSL/TLS cert for multiple domains?

Post by palinka » 2019-04-16 21:49

Alternatively, you could resolve your myorg.com mx to mail.example.com. Then you'd only need one certificate and all connections would be covered.

Your example only applies when you resolve mx records to multiple domains (mail.example.com AND mail.myorg.com), which is fine using SAN certificates. No problem. Having options is good. :D
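The two options discussed in this thread (a SAN cert listing every hostname clients connect to, or pointing every domain's MX at the one hostname the cert already covers) both come down to one question: does the certificate the server presents cover the name the client was told to connect to? The following is an added example, not code from this thread or from hMailServer: a small RFC 6125-style name matcher working on certificates in the shape Python's `ssl.SSLSocket.getpeercert()` returns, plus a helper that runs each hosted domain's MX target through it to show which names a cert would still need. The two certificates and the MX tables are constructed sample data; `live_check` reproduces what a verifying client like Thunderbird does (hostname check on, default trust store) and needs network access, so it is not exercised here. Note that this is the client-side check; MTA-to-MTA STARTTLS is opportunistic and, absent DANE or MTA-STS, does not verify the peer's name at all, which is why adding a domain without touching the cert broke nothing for inbound mail.

```python
"""Hostname coverage check for a mail server's TLS certificate.

Added example, not part of the forum thread or of hMailServer. The
certificates below are constructed in the dict shape returned by
ssl.SSLSocket.getpeercert(); the MX tables are constructed too.
"""
import socket
import ssl
from typing import Dict, List


def cert_names(cert: dict) -> List[str]:
    """Return the DNS names a certificate is valid for.

    Per RFC 6125: when subjectAltName carries dNSName entries, only those
    count; the subject commonName is consulted only if there are none
    (browsers and Thunderbird nowadays ignore the CN entirely).
    """
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def label_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname.

    A single left-most wildcard label is allowed: *.example.com matches
    mail.example.com but neither example.com nor a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if the cert is valid for the name the client connects to."""
    return any(label_matches(name, hostname) for name in cert_names(cert))


def uncovered_mx_hosts(mx_targets: Dict[str, str], cert: dict) -> Dict[str, str]:
    """Map hosted domain -> MX target and keep the ones the cert does not cover.

    Those MX hosts are the names users will type into their mail client and
    therefore the names the cert has to list (or the MX has to be changed).
    """
    return {dom: host for dom, host in mx_targets.items() if not cert_covers(cert, host)}


def live_check(host: str, port: int = 993, timeout: float = 5.0) -> str:
    """Connect the way a verifying client does (hostname check on) and
    report either the names on the presented cert or the verification error.
    Requires network; not run by the accompanying test."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: " + ", ".join(cert_names(tls.getpeercert()))
    except ssl.SSLCertVerificationError as exc:
        return "verification failed: " + exc.verify_message


# Constructed sample certificates (getpeercert() shape).
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),),
}
SAN_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "mail.myorg.org")),
}

# Constructed MX tables: the host each hosted domain's MX record names.
SEPARATE_MX = {"example.com": "mail.example.com", "myorg.org": "mail.myorg.org"}
SHARED_MX = {"example.com": "mail.example.com", "myorg.org": "mail.example.com"}

if __name__ == "__main__":
    print("separate MX, single-name cert:", uncovered_mx_hosts(SEPARATE_MX, SINGLE_NAME_CERT))
    print("separate MX, SAN cert:       ", uncovered_mx_hosts(SEPARATE_MX, SAN_CERT))
    print("shared MX, single-name cert: ", uncovered_mx_hosts(SHARED_MX, SINGLE_NAME_CERT))
```

With the separate MX table and the single-name cert the helper reports `mail.myorg.org` as uncovered, which is exactly the Thunderbird exception above; either the SAN cert or the shared MX table empties that list.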

mattg
Moderator
Posts: 21103
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSL/TLS cert for multiple domains?

Post by mattg » 2019-04-22 02:19

ras07 wrote (2019-04-16 08:37):
    It complains if the IMAP server doesn't have a cert that matches the server name the client is configured for.
Which is why I said
mattg wrote (2019-04-15 08:40):
    You need a cert that matches the 'local host name' in SMTP >> Delivery of email and that is it.

    Ideally your domains should each point to the same FQDN as an MX record, and your RDNS should also match this
Thunderbird tries to guess domain names, and then looks for a cert matching its guess.

Autoconfigure stops the guessing and defines the appropriate responses >> viewtopic.php?f=21&t=31549
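The autoconfig mattg refers to is a static XML file that Thunderbird fetches for the domain part of the address the user typed (it tries, among other locations, https://autoconfig.<domain>/mail/config-v1.1.xml) before it falls back to guessing hostnames. The following is an added example of such a file, not taken from the linked thread or from hMailServer: it hands both hosted domains the single hostname mattg's setup puts in the cert, so the client never tries mail.myorg.org at all. The domains, display name and ports are assumptions for illustration; `%EMAILADDRESS%` is Thunderbird's own placeholder for the full address as the login name.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; served as /mail/config-v1.1.xml for both hosted domains.
     Hostnames, domains, display name and ports are assumptions. -->
<clientConfig version="1.1">
  <emailProvider id="example.com">
    <domain>example.com</domain>
    <domain>myorg.org</domain>
    <displayName>Example mail</displayName>
    <!-- Both domains get the one hostname the certificate already covers. -->
    <incomingServer type="imap">
      <hostname>mail.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>mail.example.com</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILADDRESS%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>
```

The same file must be reachable under each hosted domain's autoconfig location, and the web server that serves it should itself present a cert valid for that autoconfig hostname; otherwise the client silently falls back to guessing, and you are back to the mail.myorg.org exception described earlier in the thread.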
