On Fri, 05 Mar 2010 23:25:26 +0300
Technical Support <support@stalker.com> wrote:
Hello,
dhazzard@yoursummit.com wrote:
Okay, scratch my previous post. I'll be more specific.
As I mentioned below we have two mail servers. For TLS to function
properly do I need one certificate with the Common Name set to
xyz.com and installed on both servers? Or will this not work?
The certificate common name should match the host name on which the server will be contacted. Say, you serve the domain xyz.com with two hosts
$ORIGIN xyz.com.            ; trailing dot makes the origin absolute
@    IN MX 5  mail          ; "@" is the zone apex; lower preference is tried first
@    IN MX 10 smtp
mail IN A  10.20.30.40
smtp IN A  10.20.30.50
The IPs 10.20.30.40 and 10.20.30.50 should be assigned in the CgPro configuration to CgPro Domain objects where mail.xyz.com and smtp.xyz.com are either names or alias names to those objects.
In this case you will need certificates for mail.xyz.com and smtp.xyz.com, or can use a wildcard certificate *.xyz.com on both servers.
Wildcard certificates are NOT the way to go for large enterprises. They present a whole set of security problems because some sites offer dozens of services, each with its own certificate. Our university operates hundreds of servers. If a wildcard certificate gets compromised, EVERY service loses its security.
Why can't CommuniGate figure out how to configure multiple certificates, say one for each service (IMAP, POP, WebUser) and a different set for each domain? Apache has been doing this for a very long time.
matthew black
e-mail postmaster
california state university, long beach
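The support reply's point is that a TLS client compares the name it connected to (mail.xyz.com or smtp.xyz.com from the MX records) against the certificate's CN/SAN names, and Matthew's objection is about how many hosts one wildcard covers. The following is an added example, not code from the list or from CommuniGate, implementing RFC 6125-style matching over the constructed hostnames from the thread; the deployment maps and function names are assumptions for illustration.

```python
# Added example: which certificate names cover which contact hostnames.
# Hostnames and deployments are constructed from the zone in the thread.

def hostname_matches(cert_names, hostname):
    """True if any CN/SAN in cert_names covers hostname (RFC 6125 rules).

    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label, so "*.xyz.com" covers "mail.xyz.com" but covers
    neither "xyz.com" nor "a.mail.xyz.com"; "*.com" is rejected outright.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        pattern = name.lower().rstrip(".").split(".")
        if len(pattern) != len(host):
            continue
        first, rest = pattern[0], pattern[1:]
        if first == "*":
            # require at least two labels after the wildcard (no "*.com")
            if len(rest) >= 2 and rest == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def check_deployment(deployment, contact_hosts):
    """Map each host clients contact to whether its served cert matches."""
    return {h: hostname_matches(deployment[h], h) for h in contact_hosts}


def hosts_covered(cert_names, all_hosts):
    """Hosts whose name a single certificate would satisfy: the set that
    loses trust if that one private key is compromised (Matthew's point)."""
    return sorted(h for h in all_hosts if hostname_matches(cert_names, h))


MX_HOSTS = ["mail.xyz.com", "smtp.xyz.com"]        # from the MX records
ALL_HOSTS = MX_HOSTS + ["imap.xyz.com", "webmail.xyz.com"]  # constructed

# Option 1 from the question: one cert with CN=xyz.com on both servers.
ONE_CN = {h: ["xyz.com"] for h in MX_HOSTS}
# Option 2: a certificate per host (the enterprise-friendly choice).
PER_HOST = {h: [h] for h in MX_HOSTS}
# Option 3: one wildcard cert installed on both.
WILDCARD = {h: ["*.xyz.com"] for h in MX_HOSTS}

if __name__ == "__main__":
    for label, dep in [("CN=xyz.com", ONE_CN), ("per-host", PER_HOST), ("wildcard", WILDCARD)]:
        print(label, check_deployment(dep, MX_HOSTS))
    print("wildcard blast radius:", hosts_covered(["*.xyz.com"], ALL_HOSTS))
    print("per-host blast radius:", hosts_covered(["mail.xyz.com"], ALL_HOSTS))
```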