
294302 Re: How best to eliminate "domain mismatch" warning in mail clients when TLS is used

  • Peter
    Jul 15, 2013
      On 07/16/2013 05:30 AM, Ben Johnson wrote:
      >> If your clients insist that a mail server is only professional if the TLS
      >> session has their domain name written on it, then give them what they want at
      >> the price it costs to implement it.
      > Your position is perfectly reasonable, and is more or less the position
      > that I've taken on the matter. I just wanted to be sure that there isn't
      > some panacea that I had overlooked.
      > In order to give our clients what they want, what are our choices?

      Probably the best option is to go old tech here. Get a separate IP for
      each hostname that a client wants to connect to and set up separate
      listeners in master.cf for each of those IPs with the appropriate TLS
      options. Then let the clients buy their own cert and provide it to you
      to use on the server. Up to you to come up with the additional pricing
      for all of this. The extra dedicated IP is the first and most obvious
      cost, the rest is administrative.

      Keep in mind that you'll have to configure dovecot (or whatever you use
      for IMAP/POP3) to listen on these other IPs and use those
      customer-supplied certs as well.

      Personally I would ramp up the extra fee even more to account for the,
      "I don't want to do this really stupid unnecessary vain thing" reason.
      I would make sure the client knows that they are just spending extra
      money to satisfy their own vanity and if they still want to go ahead
      then do it for them.
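
The per-IP listener layout described in the message above, as an added configuration sketch that is not part of the original post. The addresses (RFC 5737 documentation range), hostnames and file paths are assumptions; the Dovecot part uses Dovecot 2.x `local` blocks.

```conf
# ---- /etc/postfix/master.cf (sketch; addresses and paths are assumed) ----
# Bind every listener to an explicit address so the shared listener and
# the per-customer listeners never compete for the same port.

# Shared listener: uses the provider certificate configured in main.cf.
192.0.2.1:smtp        inet  n  -  n  -  -  smtpd
192.0.2.1:submission  inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

# Customer A: dedicated IP, customer-supplied certificate and key.
192.0.2.10:smtp       inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/client-a
  -o myhostname=mail.client-a.example
  -o smtpd_tls_cert_file=/etc/postfix/tls/client-a/fullchain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/client-a/privkey.pem
192.0.2.10:submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/client-a
  -o myhostname=mail.client-a.example
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_cert_file=/etc/postfix/tls/client-a/fullchain.pem
  -o smtpd_tls_key_file=/etc/postfix/tls/client-a/privkey.pem

# ---- Dovecot 2.x, e.g. conf.d/10-ssl.conf (sketch; paths are assumed) ----
# Default certificate for connections to the shared address.
ssl = required
ssl_cert = </etc/dovecot/tls/provider/fullchain.pem
ssl_key  = </etc/dovecot/tls/provider/privkey.pem

# Certificate selected by the local (destination) IP the client connected to.
local 192.0.2.10 {
  ssl_cert = </etc/dovecot/tls/client-a/fullchain.pem
  ssl_key  = </etc/dovecot/tls/client-a/privkey.pem
}
```

Customer-supplied private keys should be readable only by root (mode 0600), and each certificate's expiry date needs tracking, since renewal depends on the customer delivering a new certificate.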
