[BlueOnyx:25005] Re: TLS

Michael Stauber mstauber at blueonyx.it
Tue Jul 20 11:11:48 -05 2021


Hi Colin,

> Am I correct that with the new 5210R if I set up a vsite with SSL users
> can collect email using the vsite url and tls?
> 
> e.g. vsite called mail.mydomain.com connect with starttls.

That is correct. How it works is explained here:

https://www.blueonyx.it/news/267/15/5210R-Postfix-SNI-for-email-and-Maildir/

https://www.blueonyx.it/news/266/15/5209R5210R-SNI-support-added-to-Dovecot/

In a nutshell it's like this:

Switch the 5210R's MTA from Sendmail to Postfix via the GUI.

Both Dovecot and Postfix use all SSL certificates that are installed on
the server: The AdmServ cert (like they did before) plus the
certificates from all Vsites that have an SSL certificate.

If Vsite www.company.com has an SSL certificate, then the end-user can
configure his email client to directly send/receive emails via
www.company.com and both Postfix and Dovecot will present the SSL
certificate for www.company.com instead of using the AdmServ
certificate. Hence there will be no "certificate mismatch" warning.

If someone does this for a Vsite that has no SSL certificate (yet), then
the AdmServ certificate will be used instead, which is the traditional
behavior that we had before.

> I’m looking to migrate a complete old 5107R dedicated mail server onto
> the new host as a vsite.
> 
> Currently users are using the server FQDN to connect and many use tls so
> don’t want the hassle of asking them to make changes.

That still works and users don't have to make any changes. But if their
Vsite has an SSL certificate, they can optionally switch their SMTP and
POP3/IMAP settings over to that instead and they won't see a
"certificate mismatch" error.

-- 
With best regards

Michael Stauber
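
To confirm the behaviour described in this message before pointing users at a Vsite name, a check like the following can be run from a client machine. It is an added example, not part of the original post or of BlueOnyx; ports 993 and 587, the function names and the sample certificate are assumptions.

```python
import smtplib, socket, ssl, sys

# Constructed sample: a getpeercert() dict for a server-wide fallback certificate.
SAMPLE_FALLBACK = {"subject": ((("commonName", "host.example.net"),),)}

def names_in(cert):
    """DNS names in a getpeercert() dict: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def matches(cert, host):
    """True if a mail client would accept cert for host without a mismatch warning."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in names_in(cert)):
        # A wildcard covers exactly one left-most label.
        if name == host or (name.startswith("*.") and host.partition(".")[2] == name[2:]):
            return True
    return False

def _ctx():
    # Chain is still verified (an untrusted cert raises SSLCertVerificationError);
    # the name check is disabled so a mismatch is reported instead of aborting.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def imaps_cert(server, sni, port=993):
    """Certificate the IMAP service presents when the client sends `sni`."""
    with socket.create_connection((server, port), timeout=10) as raw:
        with _ctx().wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def submission_cert(host, port=587):
    """Certificate the SMTP service presents after STARTTLS (smtplib sends host as SNI)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=_ctx())
        return smtp.sock.getpeercert()

def report(label, cert, host):
    verdict = "OK" if matches(cert, host) else "MISMATCH (fallback certificate?)"
    return f"{label} {host}: {verdict}; certificate names: {names_in(cert)}"

if __name__ == "__main__":
    if len(sys.argv) == 1:  # offline demo on the constructed sample
        print(report("sample", SAMPLE_FALLBACK, "www.company.com"))
    for vsite in sys.argv[1:]:  # e.g. python3 check_sni.py www.company.com
        print(report("IMAPS", imaps_cert(vsite, vsite), vsite))
        print(report("SMTP+STARTTLS", submission_cert(vsite), vsite))
```

`imaps_cert` takes the server address and the SNI name separately, so a Vsite name can be tested against the new host before DNS is switched over.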


