
I'm trying to get full green marks for an old iRedMail server on checktls.com/TestReceiver. I have a multi-domain certificate with these domains:

  • mail.domain.tld
  • mailgw.domain.tld
  • mailgw2.domain.tld

I do get the full green marks on mail.domain.tld, but not the others. I'm assuming this is because of mail.domain.tld being the certificate name (I've forgotten what it's called).

The warning I get on the other domains is this:

```
Cert Hostname DOES NOT VERIFY (mailgw.domain.tld != mail.domain.tld | DNS:mail.domain.tld)
        So email is encrypted but the host is not verified
```

MX and A records are set for each domain. They don't share a single IP, but rather each have their own.

What do I need to change to solve this issue? Do I need to make separate certificates for each domain?

Version information:

  • Postfix 2.7.1
  • Dovecot 1.2.15
  • iRedMail 0.8.5
  • Debian 6.0.10 (Squeeze)

I know these are old versions and I know one should upgrade (or rather migrate), but that's currently not possible for me to do.

I will supply any information needed (unless told not to by my boss).

  • Are you sure your certificate is actually multi-domain? Checktls should list all the `DNS:` entries from the certificate SAN extension, but it prints only one in your case. – Lacek Jan 05 '21 at 19:16
  • @Lacek I'm pretty sure it is, but I'll double check tomorrow. – OH MY DEAR PUFFINS Jan 05 '21 at 19:28
  • @Lacek You were right. acme.sh had done something with the certificate *configuration* file, but nothing with the certificate itself. Thanks for leading me in the right direction. – OH MY DEAR PUFFINS Jan 06 '21 at 09:13
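
The check the comments arrive at, comparing each MX hostname with the `DNS:` entries of the certificate the server actually presents, as an added example that is not part of the original thread. The function names, `SAMPLE_CERT` and `MX_HOSTS` are assumptions made for illustration; the sample certificate is constructed to mirror the checktls output above, and the wildcard rule is a simplified form of the usual leftmost-label matching.

```python
import smtplib
import ssl


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension, lower-cased."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, host):
    """Exact match, or a '*' that stands for the whole leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def audit(cert, mx_hosts):
    """Map each MX hostname to True/False: is it covered by a SAN entry?"""
    sans = san_dns_names(cert)
    return {h: any(name_matches(s, h) for s in sans) for h in mx_hosts}


def fetch_cert(host, port=25, timeout=10):
    """Fetch the certificate presented after STARTTLS (needs network access).
    The chain is validated against the system trust store; the hostname check
    is left to audit() so a mismatch is reported instead of aborting."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


# Constructed sample in the shape getpeercert() returns: a single SAN entry,
# as in the checktls output quoted in the question.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.domain.tld"),),),
    "subjectAltName": (("DNS", "mail.domain.tld"),),
}
MX_HOSTS = ["mail.domain.tld", "mailgw.domain.tld", "mailgw2.domain.tld"]

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_CERT, MX_HOSTS).items():
        print(f"{host}: {'covered' if ok else 'NOT in certificate SAN list'}")
```

Against a live server, pass `fetch_cert(host)` to `audit()` for each MX host in turn, since each gateway has its own IP and may be serving a different certificate file.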
