Re: Best practice for TLS/DNS Setup for exim
On Tuesday, 19 May 2020, 16:15:36 CEST, Dan Ritter wrote:
> Rainer Dorsch wrote:
> > On Monday, 18 May 2020, 20:50:49 CEST, Dan Ritter wrote:
> > > Rainer Dorsch wrote:
> > > > I was more concerned about the outgoing server configured in the email
> > > > clients and used to send mail from my domain (at least so far I did
> > > > not understand that they can make use of the MX record).
> > >
> > > It depends on the MTA you choose for your email clients, but
> > > unless you choose the very simplest systems, they can be
> > > configured to look up the MX record and use that. (Postfix has a
> > > fallback_relay option, Exim can accept multiple hosts in a
> > > route_list statement, and so forth.)
> >
> > Thanks again for your reply.
> >
> > But what about a client like Thunderbird, kmail or Android mail clients.
> > They need an *outgoing* server.
> >
> > Do they handle MX records?
>
> No, if you need high availability for those, you need load
> balancing. DNS is not a good way of doing that; consider
> ldirectord or haproxy or pound, and remember that you will need
> at least two of those machines in a STONITH configuration.
>
> In any of these cases, you'll configure all your mail servers to
> answer as smtp.domain with the same TLS certificate.
Many thanks again. No, HA was not my primary motivation here.
It seems I have to
1. Set up exim (done by now)
2. Copy the TLS certificates for smtp.<domain> to the new server
3. For testing, tweak the DNS of a client to resolve smtp.<domain> to the new server
4. Change the smtp.<domain> entry to the new server
5. Set up certbot to renew the copied smtp TLS certificates
I hoped to get around copying the TLS certificates, then getting certbot running
and tweaking the client's DNS, by
1. Getting a TLS certificate for smtp2.<domain>
2. Setting up exim
3. Testing with smtp2.
4. Changing the DNS entry, e.g. making smtp a CNAME for smtp2
I see the last step does not work, but it is not a big hassle overall to
follow the first procedure (I hope :-) )
Rainer
--
Rainer Dorsch
http://bokomoko.de/
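An added pre-cutover check for the first procedure above (example code written for this page, not code from the thread, from exim or from certbot): before changing the smtp.<domain> DNS entry, connect to the new server by IP or by its temporary name, issue STARTTLS with the client-facing name as SNI, and confirm that the presented certificate's dNSName SANs actually cover smtp.<domain>. Mail clients verify the name they were configured with, not a CNAME target, which is why the CNAME shortcut in the second procedure only works if the smtp2 certificate also lists smtp.<domain>. The example.com names, the constructed SMTP replies and port 587 are placeholders and assumptions of mine; the check validates the chain against the system trust store and does the hostname comparison itself so a mismatch is reported instead of just raised.

```python
"""Pre-cutover check: does a candidate mail server's certificate cover the
hostname clients are configured with? Added example, not part of the thread."""
import io
import socket
import ssl
import sys


def read_reply(stream) -> tuple:
    """Parse one (possibly multi-line) SMTP reply from a binary line stream.
    Returns (code, [text of each line]). Continuation lines use '-' after the
    code; a space (or nothing) after the code ends the reply."""
    code, lines = None, []
    while True:
        line = stream.readline()
        if not line:
            raise ConnectionError("connection closed mid-reply")
        text = line.decode("ascii", "replace").rstrip("\r\n")
        if len(text) < 3 or not text[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {text!r}")
        code = int(text[:3])
        lines.append(text[4:])
        if len(text) == 3 or text[3] != "-":
            return code, lines


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName entry against a hostname. A wildcard
    is honoured only as the whole left-most label and matches exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_rest, h_labels = pattern[2:], hostname.split(".")
    # *.example.com matches smtp.example.com, not example.com or a.b.example.com
    return len(h_labels) > 1 and ".".join(h_labels[1:]) == p_rest and "*" not in p_rest


def cert_covers(cert: dict, hostname: str) -> bool:
    """Check a certificate (dict form as returned by SSLSocket.getpeercert())
    against the name the client will verify. Only dNSName SANs count; the CN
    fallback is ignored, as current mail clients do."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(san_matches(s, hostname) for s in sans)


def fetch_starttls_cert(connect_host: str, sni_name: str, port: int = 587,
                        timeout: float = 10.0) -> dict:
    """Open a plain SMTP session to connect_host (an IP or temporary name such as
    smtp2.<domain>), issue STARTTLS, and return the server certificate. The
    handshake sends sni_name so name-based certificate selection on the server
    behaves as it will after the DNS change. The chain is validated against the
    system trust store; the hostname is left to cert_covers() for reporting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((connect_host, port), timeout=timeout) as raw:
        reader = raw.makefile("rb")
        code, _ = read_reply(reader)
        if code != 220:
            raise RuntimeError(f"unexpected greeting code {code}")
        raw.sendall(b"EHLO cert-check.invalid\r\n")
        code, lines = read_reply(reader)
        if code != 250 or not any(l.upper() == "STARTTLS" for l in lines):
            raise RuntimeError("server does not offer STARTTLS")
        raw.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(reader)
        if code != 220:
            raise RuntimeError(f"STARTTLS refused with code {code}")
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
            tls.sendall(b"QUIT\r\n")
    return cert


# Constructed sample data (not captured from any real server) showing the two
# cases from the thread: a certificate issued only for smtp2, and one that
# also lists the client-facing name.
CERT_SMTP2_ONLY = {"subjectAltName": (("DNS", "smtp2.example.com"),)}
CERT_BOTH_NAMES = {"subjectAltName": (("DNS", "smtp.example.com"),
                                      ("DNS", "smtp2.example.com"))}
SAMPLE_EHLO_REPLY = b"250-smtp2.example.com\r\n250-STARTTLS\r\n250 HELP\r\n"


if __name__ == "__main__":
    # usage: python check_smtp_cert.py <new-server-ip-or-name> <client-facing-name> [port]
    host, name = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 587
    cert = fetch_starttls_cert(host, name, port)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    verdict = "covers" if cert_covers(cert, name) else "DOES NOT cover"
    print(f"certificate from {host}:{port} {verdict} {name}; SANs: {sans}")
```

Run it against the new server with the name clients use (for example `python check_smtp_cert.py 192.0.2.10 smtp.example.com`) before touching DNS; a "DOES NOT cover" verdict means the copied or issued certificate is missing the client-facing name and clients would get a certificate warning after the switch.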