only encrypted mails for 1 domain

Posted: 2020-04-26 23:02
by jikom68425
Hi,

I have used HMAIL for a long time, and thanks for it.
I received a task from one of my users in the security division about encrypted communication.
I have a main certificate for secure communication, but for the user's domain, which is different from the main domain with the certificate, when the user runs the test on https://www.checktls.com/TestReceiver, the test says that the domain is different from the certificate domain.

There is no way to send 2 certificates to one port/service. It's OK, it's not an Hmail problem, it's not possible at all.

Is there any way to send the right certificate that matches the domain name?

The user's second problem is how to disable unsecure communication for his other domains. I think hmail does not have this option, but can I do it using a firewall, blocking unsecure ports for his hostnames?

Thanks for your reply and help.

Re: only encrypted mails for 1 domain

Posted: 2020-04-26 23:44
by mattg
Set your dns records to the name of the certificate for the other domains

Domain1.com >> MX record = mail.certificate.com
Domain2.com >> MX record = mail.certificate.com
certificate.com >> MX record = mail.certificate.com


That is exactly what all gmail and office365 hosted domains do

Re: only encrypted mails for 1 domain

Posted: 2020-04-27 09:55
by RvdH
mattg wrote:
2020-04-26 23:44
Set your dns records to the name of the certificate for the other domains

Domain1.com >> MX record = mail.certificate.com
Domain2.com >> MX record = mail.certificate.com
certificate.com >> MX record = mail.certificate.com


That is exactly what all gmail and office365 hosted domains do
+1

Additionally, for SMTP/POP/IMAP client connections I have created webmail access on the same address, e.g. mail.certificate.com, listing (almost) every domain we host as alternative host headers, e.g. mail.Domain1.com, mail.Domain2.com (in DNS make sure these are CNAME records to mail.certificate.com).
In Let's Encrypt I then use those host headers to create a certificate for hMailServer to use that will match all domains we host. Maybe you could do something similar for what you are trying to achieve?
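
Added example, not part of any post in this thread and not hMailServer code: a small Python audit that compares each domain's MX hostname with the names in the server certificate, which is the comparison behind the mismatch reported in the first post, and shows both suggested fixes (MX records pointed at the certificate name, and a certificate listing several hostnames) clearing it. The "before" MX layout, the sample certificate name lists and the function names are constructed assumptions built from the thread's placeholder hostnames.

```python
import smtplib
import ssl

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' is only accepted as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # reject over-broad names like *.com
    return p == h

def audit(mx_by_domain: dict, cert_names: list) -> dict:
    """Return {domain: [MX hosts that the certificate does NOT cover]}."""
    bad = {}
    for domain, mx_hosts in mx_by_domain.items():
        missing = [mx for mx in mx_hosts
                   if not any(name_matches(n, mx) for n in cert_names)]
        if missing:
            bad[domain] = missing
    return bad

def fetch_cert_names(mx_host: str, port: int = 25) -> list:
    """Live helper (not used by the sample run): DNS names in the STARTTLS cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # chain is still verified; names are compared by audit()
    with smtplib.SMTP(mx_host, port, timeout=15) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

# Constructed sample data using the thread's placeholder names (assumptions).
CERT_SINGLE = ["mail.certificate.com"]
CERT_SAN = ["mail.certificate.com", "mail.domain1.com", "mail.domain2.com"]
MX_BEFORE = {"domain1.com": ["mail.domain1.com"],
             "domain2.com": ["mail.domain2.com"],
             "certificate.com": ["mail.certificate.com"]}
MX_AFTER = {domain: ["mail.certificate.com"] for domain in MX_BEFORE}

if __name__ == "__main__":
    print("per-domain MX, single-name cert:", audit(MX_BEFORE, CERT_SINGLE))
    print("MX pointed at cert name:        ", audit(MX_AFTER, CERT_SINGLE))
    print("per-domain MX, multi-name cert: ", audit(MX_BEFORE, CERT_SAN))
```

To audit a real server, pass the result of `fetch_cert_names("<your MX host>")` as `cert_names` together with the MX hosts from your own DNS zone.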