
Re: Best practice for TLS/DNS Setup for exim



On Monday, 18 May 2020, 19:58:06 CEST, Dan Ritter wrote:
> Rainer Dorsch wrote:
> > Hi,
> > 
> > I am just wondering what an efficient setup for TLS/DNS for exim looks like:
> > 
> > Right now I have an A entry in the DNS server for smtp.<domain> and a
> > letsencrypt certificate as well.
> > 
> > If I set up a new server and call it SMTP2, I need to reconfigure this in
> > all my email clients. If I install the SMTP certificates, testing is
> > somewhat limited, since the DNS entry still points to another server and
> > I would need to fake this.
> > 
> > Does anybody know if I can have a certificate for <hostname>.<domainname>
> > and use for smtp a CNAME?
> > 
> > The advantage I would see is that I can have a fully functional config and
> > with disabling the SMTP name on the old system and changing the CNAME in
> > the DNS system, I could be done.
> > 
> > Does anybody know if the standard email clients can handle the situation in
> > which they get a CNAME as SMTP server and, as certificate, the <hostname>
> > the SMTP CNAME points to?
> 
> I think you're overcomplicating it.
> 
> Your domain can and should have two or more MX records, with
> different priority levels. The MX records don't even have to
> point to names in your domain.
> 
> Since you're using Let's Encrypt, certificates are free. So,
> for each mail server, set up an A and/or AAAA record. Add those
> to the MX records for your domain. Have LE produce certificates
> for the mail servers under the names they have assigned.
> 
> Any mail sender will try each of your MX records, stopping when
> it gets to a working entry. Some spammers will try in reverse
> order, hoping that you don't have anti-spam measures on your
> secondary mail server.

Thanks, Dan, for your quick reply. I was not concerned about incoming mail to 
my domain using the MX record.

I was more concerned about the outgoing server configured in the email clients 
and used to send mail from my domain (at least so far I did not understand 
that they can make use of the MX record).

Thanks
Rainer


-- 
Rainer Dorsch
http://bokomoko.de/
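As an added example (not code from this thread or from exim), the following Python script checks the point behind Rainer's question: a standard mail client validates the server certificate against the name it was configured with (the CNAME name, e.g. smtp.<domain>), not against the canonical host name the CNAME resolves to, so the certificate must carry the CNAME name as a SAN. The host names smtp.example.org and mail1.example.org are constructed; fetch_san_names() is a live STARTTLS helper that needs network access, while the matching functions run offline.

```python
import socket
import ssl

def hostname_matches(san_dns_names, hostname):
    """RFC 6125-style name check: does any DNS SAN cover hostname?
    A wildcard is only honoured in the leftmost label and matches one label."""
    host = hostname.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == san[2:]:
                return True
    return False

def check_cname_setup(client_name, cname_target, san_dns_names):
    """A mail client validates the certificate against the name it was
    configured with (client_name); the CNAME target is never consulted."""
    if hostname_matches(san_dns_names, client_name):
        return True, f"certificate covers {client_name}"
    if hostname_matches(san_dns_names, cname_target):
        return False, (f"certificate covers only {cname_target}; clients "
                       f"configured with {client_name} will reject it")
    return False, "certificate covers neither name"

def fetch_san_names(host, port=587, timeout=10):
    """Live check (needs network): STARTTLS to host and return its DNS SANs.
    The chain is still verified against the system trust store; only the
    hostname check is skipped so a mismatched certificate can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        rfile.readline()                                  # 220 banner
        sock.sendall(b"EHLO tlscheck.invalid\r\n")
        while not rfile.readline().startswith(b"250 "):   # skip 250- lines
            pass
        sock.sendall(b"STARTTLS\r\n")
        if not rfile.readline().startswith(b"220"):
            raise RuntimeError("server refused STARTTLS")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

if __name__ == "__main__":
    # Constructed case: smtp.example.org is a CNAME for mail1.example.org,
    # but the certificate only carries the canonical host name.
    print(check_cname_setup("smtp.example.org", "mail1.example.org",
                            ["mail1.example.org"]))
```

To test a real cutover, run check_cname_setup(cname_name, target_name, fetch_san_names(target_name)) against the new server before switching the CNAME; it reports whether clients will accept the certificate once the name moves.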
