
Re: Best practice for TLS/DNS Setup for exim



Rainer Dorsch wrote: 
> Hi,
> 
> I am just wondering what an efficient setup for TLS/DNS for exim looks like:
> 
> Right now I have an A entry in the DNS server for smtp.<domain> and a 
> letsencrypt certificate as well.  
> 
> If I set up a new server and call it SMTP2, I need to reconfigure this in all my 
> email clients. If I install the SMTP certificates, testing is somewhat limited, 
> since the DNS entry still points to another server and I would need to fake 
> this.
> 
> Does anybody know if I can have a certificate for <hostname>.<domainname> and 
> use for smtp a CNAME?
> 
> The advantage I would see is that I can have a fully functional config and with 
> disabling the SMTP name on the old system and changing the CNAME in the DNS 
> system, I could be done.
> 
> Does anybody know if the standard email clients can handle the situation in 
> which they get as SMTP server a CNAME and as certificate the <hostname> the 
> SMTP CNAME points to?

I think you're overcomplicating it.

Your domain can and should have two or more MX records, with
different priority levels. The MX records don't even have to
point to names in your domain.

Since you're using Let's Encrypt, certificates are free. So,
for each mail server, set up an A and/or AAAA record. Add those
to the MX records for your domain. Have LE produce certificates
for the mail servers under the names they have assigned.

Any mail sender will try each of your MX records, stopping when
it gets to a working entry. Some spammers will try in reverse
order, hoping that you don't have anti-spam measures on your
secondary mail server.

-dsr-
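As an added illustration of the layout dsr describes (this is not code from the thread or from exim), here is a small Python lint over constructed zone data: it lists MX targets in the order a sending MTA tries them, flags an MX target that is a CNAME or has no A/AAAA record, checks that each mail host's certificate covers the host's own name, and models the situation Rainer asked about. The zone, addresses and certificate names use the reserved `example.test` domain and are constructed for the example; the rule that an MX target must not be an alias comes from RFC 2181 section 10.3, and the client-side check assumes what RFC 6125 prescribes and common mail clients do, namely that the client verifies the name it was configured with, not the name the CNAME resolves to.

```python
# Added example, not part of the original thread. Zone data, addresses and
# certificate names are constructed; names carry a trailing dot as in a zone file.
from typing import Dict, List, Tuple

Record = Tuple[str, object]     # (type, rdata): A/AAAA -> str, MX -> (pref, target), CNAME -> str
Zone = Dict[str, List[Record]]  # owner name -> records
Certs = Dict[str, List[str]]    # host name -> subjectAltName DNS entries on its certificate

ZONE: Zone = {
    "example.test.": [("MX", (10, "mail1.example.test.")),
                      ("MX", (20, "mail2.example.test."))],
    "mail1.example.test.": [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")],
    "mail2.example.test.": [("A", "192.0.2.20")],
    "smtp.example.test.": [("CNAME", "mail1.example.test.")],  # alias for mail clients
}

# One Let's Encrypt style certificate per mail host, issued for the host's own name.
CERTS: Certs = {
    "mail1.example.test.": ["mail1.example.test"],
    "mail2.example.test.": ["mail2.example.test"],
}


def rrs(zone: Zone, name: str, rtype: str) -> list:
    """All rdata of one type at one owner name."""
    return [rdata for rt, rdata in zone.get(name, []) if rt == rtype]


def mx_order(zone: Zone, domain: str) -> List[str]:
    """MX targets in the order a sending MTA tries them: lowest preference first."""
    return [target for _, target in sorted(rrs(zone, domain, "MX"))]


def canonical_name(zone: Zone, name: str, limit: int = 8) -> str:
    """Follow a (bounded) CNAME chain to the name that carries address records."""
    for _ in range(limit):
        cname = rrs(zone, name, "CNAME")
        if not cname:
            return name
        name = cname[0]
    raise ValueError(f"CNAME chain too long at {name}")


def hostname_matches(hostname: str, sans: List[str]) -> bool:
    """RFC 6125 style name match: exact, or one wildcard covering the leftmost label only."""
    host = hostname.rstrip(".").lower()
    for san in sans:
        san = san.rstrip(".").lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def lint(zone: Zone, certs: Certs, domain: str) -> List[str]:
    """Problems in the MX layout for `domain`; an empty list means it is consistent."""
    problems: List[str] = []
    targets = mx_order(zone, domain)
    if not targets:
        problems.append(f"{domain}: no MX records")
    for target in targets:
        if rrs(zone, target, "CNAME"):
            problems.append(f"{target}: MX target is a CNAME (RFC 2181 section 10.3)")
        if not (rrs(zone, target, "A") or rrs(zone, target, "AAAA")):
            problems.append(f"{target}: no A/AAAA record")
        if not hostname_matches(target, certs.get(target, [])):
            problems.append(f"{target}: certificate does not cover this name")
    return problems


def client_name_ok(zone: Zone, certs: Certs, configured_name: str) -> bool:
    """A mail client configured with an alias connects to the canonical host but
    verifies the *configured* name against that host's certificate (RFC 6125 behaviour,
    assumed here), so the alias itself must appear in the certificate's SAN list."""
    host = canonical_name(zone, configured_name)
    return hostname_matches(configured_name, certs.get(host, []))


if __name__ == "__main__":
    print("MX order:", mx_order(ZONE, "example.test."))
    print("lint:", lint(ZONE, CERTS, "example.test.") or "ok")
    print("client via smtp alias ok:", client_name_ok(ZONE, CERTS, "smtp.example.test."))
```

Run as is, the lint passes for the two-MX layout, while the `smtp.example.test.` alias fails the client check until that name is added to the certificate of the host it points to; pointing an MX record at the alias instead would be reported as a CNAME target.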

