
SSL Certificates for eMail Gateway

I'll be deploying a new email gateway named “smail.domain.com”.  It will be accessible from 3 different public IPs.  So, MX records will list smail, smail2, and smail3 in descending preference.  I would like to deploy it with an SSL cert for all 3 names, but I am fairly certain that you cannot deploy a host with 3 SSL certs.  My thought is to use a wild-card SSL cert, but will this even work?  All advice is appreciated.

As well, for a host handling TLS, HTTPS, and SMIME, are there any particulars I need for the cert?
2 Solutions

Steve Bink commented:
You can deploy a host with three SSL certificates, but there are some caveats to it working properly.  In the old-school method, each certificate must be bound to a unique IP/port combination.  If your host has three IPs, no issues.  With newer methods, you can use SNI to bind multiple certificates to the same unique IP/port, but I am only aware of that functionality in the context of Apache.  I'm not sure that is available through email server platforms.

A wildcard certificate will certainly do the job admirably, and is what I use for my own mail and web servers.  Instead of purchasing three SSL certs, you purchase one and use it on any host within the domain.  There are no technical limitations of this strategy (at least, none of which I am aware), and it works seamlessly.

As far as particular needs for the cert, you want one with an assigned function of identification - the default role of almost every commercially available certificate.  To get any roles other than that, you would need a specific request to the provider.  The default function should serve just fine for web and email service.
whoam (Author) commented:
Hmmm, so attaching a certificate to the mail gateway of *.domain.com would allow it to respond to TLS/SSH conversations for smail.domain.com and/or smail2.domain.com and/or smail3.domain.com without a certificate error?  Just making sure before I send out the CSR.  Also, in Apache, how do you do a CSR for a wildcard cert?

Steve Bink commented:
That is correct.  You create the CSR for a wildcard cert in exactly the same manner as a "normal" cert.  The only difference is that the common name should be "*.domain.com" instead of "smail1.domain.com".
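
Added example (not from either poster) showing why the answer above holds: the standard TLS hostname-matching rule (RFC 6125 section 6.4.3) lets a single wildcard label stand in for exactly one label, so `*.domain.com` covers smail, smail2 and smail3 but not the bare apex `domain.com` or a deeper name. The hostnames are constructed from the thread; the function names are assumptions.

```python
"""Check which MX hostnames a certificate's names would cover.

Implements the hostname-matching rules used by TLS clients
(RFC 6125 section 6.4.3): a wildcard may only appear as the
entire leftmost label and matches exactly one label.
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (exact or wildcard) matches hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname  # non-wildcard names match exactly
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Refuse overly broad patterns such as "*.com".
    if len(cert_labels) < 3:
        return False
    # The wildcard stands in for exactly one label, so label counts must agree.
    if len(host_labels) != len(cert_labels):
        return False
    # Every label to the right of the wildcard must match exactly.
    return cert_labels[1:] == host_labels[1:]


def covered_hosts(cert_names, hostnames):
    """Map each hostname to the certificate name that covers it (or None)."""
    result = {}
    for host in hostnames:
        result[host] = next((n for n in cert_names if name_matches(n, host)), None)
    return result


# Constructed sample data based on the names in the thread:
WILDCARD_CERT = ["*.domain.com"]
MX_HOSTS = ["smail.domain.com", "smail2.domain.com", "smail3.domain.com"]
EDGE_CASES = ["domain.com", "smail.eu.domain.com", "SMAIL.DOMAIN.COM."]

if __name__ == "__main__":
    for host, by in covered_hosts(WILDCARD_CERT, MX_HOSTS + EDGE_CASES).items():
        print(f"{host:24} -> {'covered by ' + by if by else 'NOT covered'}")
```

If the gateway also needs to answer for the apex name or a host in a subdomain, those names have to appear explicitly in the certificate; the wildcard alone will produce a name mismatch for them.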
