Re: Best practive for TLS/DNS Setup for exim

To: debian-user@lists.debian.org
Subject: Re: Best practive for TLS/DNS Setup for exim
From: Rainer Dorsch <ml@bokomoko.de>
Date: Mon, 18 May 2020 20:19:28 +0200
Message-id: <[🔎] 2613562.uziDiCohLe@h370-wlan>
In-reply-to: <[🔎] 20200518175806.GA19608@randomstring.org>
References: <[🔎] 15614988.WQU0u6kgnc@h370-wlan> <[🔎] 20200518175806.GA19608@randomstring.org>

Am Montag, 18. Mai 2020, 19:58:06 CEST schrieb Dan Ritter:
> Rainer Dorsch wrote:
> > Hi,
> > 
> > I am just wondering how a efficient setup for TLS/DNS for exim looks like:
> > 
> > Right now I have an A entry in the DNS server for smtp.<domain> and a
> > letsencrypt certificate as well.
> > 
> > If I setup a new server and call it SMTP2, I need to reconfigure this in
> > all my email clients. If I install the SMTP certificates, testing is
> > somewhat limited, since the DNS entry still points to another server and
> > I would need to fake this.
> > 
> > Does anybody know if I can have a certificate for <hostname>.<domainname>
> > and use for smtp a CNAME?
> > 
> > The advantage I would see is that I can have a fully functional config and
> > with disabling the SMTP name on the old system and changing the CNAME in
> > the DNS system, I could be done.
> > 
> > Does anybody now if the standard email clients can handle the situation in
> > which them get as SMTP server a cname and as certificate the <hostname>
> > the
> > SMTP cname points to?
> 
> I think you're overcomplicating it.
> 
> Your domain can and should have two or more MX records, with
> different priority levels. The MX records don't even have to
> point to names in your domain.
> 
> Since you're using Let's Encrypt, certificates are free. So,
> for each mail server, set up an A and/or AAAA record. Add those
> to the MX records for your domain. Have LE produce certificates
> for the mail servers under the names they have assigned.
> 
> Any mail sender will try each of your MX records, stopping when
> it gets to a working entry. Some spammers will try in reverse
> order, hoping that you don't have anti-spam measures on your
> secondary mail server.

Thanks, Dan, for your quick reply. I was not concerned about incoming mail to 
my domain using the MX record.

I was more concerned about the outgoing server configured in the email clients 
and used to send main from my domain (at least so far I did not understand 
that they can make use of the MX record).

Thanks
Rainer


-- 
Rainer Dorsch
http://bokomoko.de/

Reply to:

Follow-Ups:
- Re: Best practive for TLS/DNS Setup for exim
  - From: Dan Ritter <dsr@randomstring.org>

References:
- Best practive for TLS/DNS Setup for exim
  - From: Rainer Dorsch <ml@bokomoko.de>
- Re: Best practive for TLS/DNS Setup for exim
  - From: Dan Ritter <dsr@randomstring.org>

Prev by Date: Re: Best practive for TLS/DNS Setup for exim
Next by Date: A start job is running for dev-mapper-sda4_crypt.device (1 min 21s/ no limit)
Previous by thread: Re: Best practive for TLS/DNS Setup for exim
Next by thread: Re: Best practive for TLS/DNS Setup for exim
Index(es):
- Date
- Thread