Mailinglist Archive: opensuse (1690 mails)

Re: [opensuse] Configure smtp_auth/postfix/dovecot for mobile device relay - quick howto - request for comment
  • From: Per Jessen <per@xxxxxxxxxxxx>
  • Date: Wed, 09 Nov 2011 08:02:36 +0100
  • Message-id: <j9d8ic$ls8$1@saturn.local.net>
David C. Rankin wrote:

> On 11/08/2011 01:17 AM, Per Jessen wrote:
>> David C. Rankin wrote:
>>
>>> <snip>
>>> # Common Name (*.example.com is also possible)
>>> CN=*.yourTLD.com
>>
>> Why not use the actual hostname?
>
> It really has to do with CNAME or server aliases in /etc/hosts. Say
> one box is also known as 'www.yourTLD.com', 'hostname.yourTLD.com',
> 'ftp.yourTLD.com', 'mail.yourTLD.com', etc...

Right, that's fine, but the machine really has just one name - which is
returned when you do a reverse lookup of the IP. (with apache SNI you
can have multiple certificates per IP, but that's a different story).

> My understanding is the '*.example.com' CN prevents any potential
> conflict from a cert standpoint when SSL/TLS authentication is invoked
> from the different servers (ssh, sftp, saslauthd, https, etc...)

There is no conflict, it's the hostname that counts. For instance, I've
got a mailserver that hosts a couple of virtual domains, so it can be
reached as mail.example1.com and mail.example2.com. The actual name
is "mail.example.com" and that matches the CN (for IMAP and SASL).


--
Per Jessen, Zürich (8.2°C)
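
The name comparison discussed in this thread, as an added example that is not part of the original message or of any poster's code: a simplified RFC 6125-style check of the name a client connected to against a certificate's CN or subjectAltName entries. The function names and the certificate name sets are constructed for illustration; the host names are the ones used in the thread.

```python
# Added illustration, not from the thread. Certificate names are constructed.

def name_matches(pattern, host):
    """Compare one certificate name (possibly a wildcard) with a host name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard covers exactly one label
    if p[0] == "*":
        # Wildcard must be the whole left-most label, the only wildcard,
        # and sit above at least two further labels (no "*.com").
        if len(p) < 3 or "*" in "".join(p[1:]) or not h[0]:
            return False
        return p[1:] == h[1:]
    if "*" in pattern:
        return False          # partial or non-leftmost wildcards are rejected
    return p == h


def cert_matches(host, cn, san_dns=None):
    """True if `host`, the name the client connected to, is covered.

    When subjectAltName DNS entries are present they are authoritative and
    the CN is ignored; otherwise fall back to the CN, as older clients do.
    """
    names = san_dns if san_dns else [cn]
    return any(name_matches(n, host) for n in names)


def report(host, cn, san_dns=None):
    verdict = "ok" if cert_matches(host, cn, san_dns) else "MISMATCH"
    return f"{host:20} CN={cn:18} SAN={san_dns}: {verdict}"


if __name__ == "__main__":
    # Wildcard CN from the howto: covers one label below yourTLD.com only.
    for h in ("mail.yourTLD.com", "yourTLD.com", "a.b.yourTLD.com"):
        print(report(h, "*.yourTLD.com"))
    # Single-name certificate on a server that also hosts virtual domains.
    for h in ("mail.example.com", "mail.example1.com"):
        print(report(h, "mail.example.com"))
    # Same server with the virtual-domain names listed as SAN entries.
    print(report("mail.example1.com", "mail.example.com",
                 ["mail.example.com", "mail.example1.com", "mail.example2.com"]))
```

Whether a mismatch is fatal depends on the client: one that verifies the server name refuses or warns, one that does not verify connects regardless.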
