On 10/4/2013 3:14 AM, Chris Ferebee wrote:
>>> What if I have an ssl certificate for *.example1.com and I want any server name such as mail, pop, pop3, smtp to fall under that SSL certificate? I don't suppose I can set the A record under the Domain Settings to *.example1.com can I?
>>>
>>> Or would I set the A record to mail.example1.com and then assign the wildcard SSL certificate to that domain? Would it still accept connections for anything?
>> Yes. That should work in most situations.
>
> Brian,
>
> As ChrisP says, that should work in most simple setups. From what I can see from my limited testing, you need to consider the following:
>
> - The domain example1.com can have only one A record assigned in SurgeMail, e. g. mail.example1.com.
>
> - A modern MUA will send the POP, IMAP or SMTP hostname as the SNI.
>
> - If the SNI matches the A record setting of a SurgeMail domain (e. g., mail.example1.com), SurgeMail will return whatever SSL certificate is stored in surgemail/ssl/mail.example1.com.
>
> - Otherwise, if the SNI request does NOT match any Surgemail domain A record, SurgeMail will return the SSL certificate that is associated with the first (by order in surgemail.ini, says ChrisP) domain that is configured on the IP address of the request.
>
> - Therefore, if you need to support pop.example1.com/imap.example1.com and pop.example2.com/imap.example2.com, you will need to either:
>
> - Configure example1.com and example2.com on different IP addresses, or
>
> - obtain a multi-domain (UC a. k. a. multiple-SAN) certificate that covers pop.example1.com, imap.example1.com, mail.example1.com, pop.example2.com, imap.example2.com, etc.
>
> cf.
>
> <http://www.sslshopper.com/special-ssl-certificate-types.html>
>
> HTH
> Chris (Ferebee, as distinct from P :)
>
>
One other issue. In the corporate world due to other issues and program
compatibility, many are still using WinXP on their desktops. WinXP does
not understand SNI or UC SSL certificates. With the official sundown of
support for WinXP coming soon, this will lessen as the anti-virus
vendors will drop support for WinXP quickly, forcing companies to move
off of WinXP.
But it's something you need to keep in mind when using these new types
of SSL certificates.
Lyle Giese
LCR Computer Services, Inc.
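A small model of the certificate-selection rules Chris describes (SNI matched against each domain's single A record, otherwise the first domain on the IP), combined with RFC 6125 wildcard matching, so the wildcard-vs-UC question can be checked offline. This is an added example, not SurgeMail's code; the domains, IPs and certificate names are constructed.

```python
"""Constructed model of the SNI certificate-selection behaviour from the thread.

Not SurgeMail code: each domain has one A-record hostname and a certificate
listing the names it covers.  An SNI that equals a domain's A record gets that
domain's certificate; otherwise the first domain configured on the connection's
IP (surgemail.ini order) wins.  Wildcard matching follows RFC 6125: '*' covers
exactly one DNS label, so '*.example1.com' does not cover 'example1.com'.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly '*.example.com') covers hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # '*' stands for exactly one label: same label count, identical tail.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


@dataclass
class Domain:
    name: str                        # e.g. example1.com
    a_record: str                    # the single A-record hostname for the domain
    cert_names: List[str] = field(default_factory=list)  # names in ssl/<a_record>
    ip: str = "192.0.2.10"           # constructed, RFC 5737 documentation range


def select_domain(domains: List[Domain], ip: str, sni: str) -> Optional[Domain]:
    """Domain whose certificate the server would present for this connection."""
    on_ip = [d for d in domains if d.ip == ip]
    for d in on_ip:
        if sni and d.a_record.lower() == sni.lower():
            return d                 # exact A-record match wins
    return on_ip[0] if on_ip else None   # fallback: first domain on that IP


def cert_covers_sni(domains: List[Domain], ip: str, sni: str) -> bool:
    """Would the presented certificate actually be valid for the requested SNI?"""
    d = select_domain(domains, ip, sni)
    return d is not None and any(hostname_matches(n, sni) for n in d.cert_names)


# Constructed setup: two domains with wildcard certificates sharing one IP.
SHARED_IP = [
    Domain("example1.com", "mail.example1.com", ["*.example1.com"]),
    Domain("example2.com", "mail.example2.com", ["*.example2.com"]),
]
# Same two domains on separate IPs, the first remedy from the thread.
SPLIT_IP = [
    Domain("example1.com", "mail.example1.com", ["*.example1.com"], "192.0.2.10"),
    Domain("example2.com", "mail.example2.com", ["*.example2.com"], "192.0.2.11"),
]
```

With both domains on one IP, `pop.example2.com` falls through to example1.com's wildcard and fails validation, which is exactly the case the separate-IP or multi-SAN advice addresses.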