SSL overview...


SSL overview...

SH Development
Can someone help me understand the overall picture of SSL certificates in this scenario?

I have a working dovecot/postfix/mysql server.  It has a certificate.

I now want to create a second, essentially duplicate configured server for use with replication.


What is the relationship between the certificate and the hostname, or the DNS entry since the certs are created using the server’s domain name?

mail.serverA.mydomain has a certificate that was created using mail.serverA.mydomain.  The server's hostname is mail.serverA.mydomain.

Now enter the new server.  It would probably be:

mailserverB.mydomain and a certificate created using mail.serverB.mydomain. The server’s hostname would be mail.serverB.mydomain.

My questions:

1. Can I use the same certificate on both servers since they are serving email for the same domain?
2. Does the hostname have to be the same as the domain name, and thus the name used to create the cert?

Sorry if I’m muddled about this.  It was never really an issue until I wanted to add a secondary server into the mix.

Ethon B.

Re: SSL overview...

Anvar Kuchkartaev
If you are using a different hostname for each server, then you need different certificates or a SAN certificate with the corresponding subjectAltName extensions. Certificates verify the hostname, so if your hostnames are different then you have to use different certificates. However, it is more useful if you keep your server hostname and service hostname separate. Your server hostnames might be mx1.mydomain and mx2.mydomain, but you can use imap.mydomain as the dovecot service name (in this case you can use the same certificate for dovecot but different certificates for postfix, and you will also load balance clients connecting to the dovecot instance). Or you might use the same hostname for both servers (in that case you need only one certificate), and dovecot and postfix will be automatically load balanced.

Anvar Kuchkartaev 
[hidden email] 
  Original Message  
From: SH Development
Sent: Thursday, October 12, 2017 05:17 a.m.
To: [hidden email]
Subject: SSL overview...


Can someone help me understand the overall picture of SSL certificates in this scenario?

I have a working dovecot/postfix/mysql server. It has a certificate.

I now want to create a second, essentially duplicate configured server for use with replication.


What is the relationship between the certificate and the hostname, or the DNS entry since the certs are created using the server’s domain name?

mail.serverA.mydomain has a certificate that was created using mail.serverA.mydomain. The server's hostname is mail.serverA.mydomain.

Now enter the new server. It would probably be:

mailserverB.mydomain and a certificate created using mail.serverB.mydomain. The server’s hostname would be mail.serverB.mydomain.

My questions:

1. Can I use the same certificate on both servers since they are serving email for the same domain?
2. Does the hostname have to be the same as the domain name, and thus the name used to create the cert?

Sorry if I’m muddled about this. It was never really an issue until I wanted to add a secondary server into the mix.

Ethon B.
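
Added example, not part of the thread and not Dovecot or Postfix code: a simplified model of the name check a mail client performs, applied to the certificate layouts discussed in the reply above. The function names, the `ROUTES` DNS table and the `LAYOUTS` entries are constructed for illustration using the mx1/mx2/imap.mydomain names from the reply; chain and expiry validation are out of scope.

```python
# Added example: simplified RFC 6125-style DNS name check, not Dovecot/Postfix code.

def name_matches(pattern, dialed):
    """Compare one subjectAltName DNS entry with the name the client connected to."""
    p = pattern.lower().rstrip(".").split(".")
    d = dialed.lower().rstrip(".").split(".")
    if len(p) != len(d):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # wildcard only as the whole left-most label, with two or more fixed labels after it
        return len(p) >= 3 and p[1:] == d[1:]
    return p == d

def cert_covers(san_dns, dialed):
    return any(name_matches(entry, dialed) for entry in san_dns)

# Constructed: servers each client-configured name can resolve to (assumed DNS setup).
ROUTES = {
    "imap.mydomain": ["mx1.mydomain", "mx2.mydomain"],  # shared service name
    "mx1.mydomain": ["mx1.mydomain"],
    "mx2.mydomain": ["mx2.mydomain"],
}
BOTH = ("mx1.mydomain", "mx2.mydomain")

# Constructed layouts: server -> SAN DNS entries of the certificate installed there.
LAYOUTS = {
    "mx1 cert copied to mx2": {s: ["mx1.mydomain"] for s in BOTH},
    "one cert per host": {s: [s] for s in BOTH},
    "service-name cert": {s: ["imap.mydomain"] for s in BOTH},
    "SAN cert": {s: ["mx1.mydomain", "mx2.mydomain", "imap.mydomain"] for s in BOTH},
}

def mismatches(layout):
    """Sorted (dialed name, server) pairs where the client would reject the certificate."""
    return sorted(
        (dialed, server)
        for dialed, servers in ROUTES.items()
        for server in servers
        if not cert_covers(layout[server], dialed)
    )

if __name__ == "__main__":
    for label, layout in LAYOUTS.items():
        print(f"{label}: {mismatches(layout) or 'every name verifies'}")
```

In the service-name layout only connections addressed to mx1.mydomain or mx2.mydomain fail, so that certificate suits clients configured with imap.mydomain.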

Re: SSL overview...

SH Development
I thought I read somewhere that the hostnames on replicated dovecot servers had to be different.  Is this simply the hostname you specify in the config for dovecot and can this be different than the actual unix hostname?

Ethon B.


> On Oct 11, 2017, at 11:04 PM, Anvar Kuchkartaev <[hidden email]> wrote:
>
> If you are using a different hostname for each server, then you need different certificates or a SAN certificate with the corresponding subjectAltName extensions. Certificates verify the hostname, so if your hostnames are different then you have to use different certificates. However, it is more useful if you keep your server hostname and service hostname separate. Your server hostnames might be mx1.mydomain and mx2.mydomain, but you can use imap.mydomain as the dovecot service name (in this case you can use the same certificate for dovecot but different certificates for postfix, and you will also load balance clients connecting to the dovecot instance). Or you might use the same hostname for both servers (in that case you need only one certificate), and dovecot and postfix will be automatically load balanced.
>
> Anvar Kuchkartaev
> [hidden email]
>   Original Message  
> From: SH Development
> Sent: Thursday, October 12, 2017 05:17 a.m.
> To: [hidden email]
> Subject: SSL overview...
>
>
> Can someone help me understand the overall picture of SSL certificates in this scenario?
>
> I have a working dovecot/postfix/mysql server. It has a certificate.
>
> I now want to create a second, essentially duplicate configured server for use with replication.
>
>
> What is the relationship between the certificate and the hostname, or the DNS entry since the certs are created using the server’s domain name?
>
> mail.serverA.mydomain has a certificate that was created using mail.serverA.mydomain. The server's hostname is mail.serverA.mydomain.
>
> Now enter the new server. It would probably be:
>
> mailserverB.mydomain and a certificate created using mail.serverB.mydomain. The server’s hostname would be mail.serverB.mydomain.
>
> My questions:
>
> 1. Can I use the same certificate on both servers since they are serving email for the same domain?
> 2. Does the hostname have to be the same as the domain name, and thus the name used to create the cert?
>
> Sorry if I’m muddled about this. It was never really an issue until I wanted to add a secondary server into the mix.
>
> Ethon B.

Re: SSL overview...

Anvar Kuchkartaev
Yes, it is the hostname that you specify in the config file, and it can be completely different from the actual Unix hostname.

Anvar Kuchkartaev 
[hidden email] 
  Original Message  
From: SH Development
Sent: Thursday, October 12, 2017 08:34 a.m.
To: [hidden email]
Subject: Re: SSL overview...


I thought I read somewhere that the hostnames on replicated dovecot servers had to be different. Is this simply the hostname you specify in the config for dovecot and can this be different than the actual unix hostname?

Ethon B.


> On Oct 11, 2017, at 11:04 PM, Anvar Kuchkartaev <[hidden email]> wrote:
>
> If you are using a different hostname for each server, then you need different certificates or a SAN certificate with the corresponding subjectAltName extensions. Certificates verify the hostname, so if your hostnames are different then you have to use different certificates. However, it is more useful if you keep your server hostname and service hostname separate. Your server hostnames might be mx1.mydomain and mx2.mydomain, but you can use imap.mydomain as the dovecot service name (in this case you can use the same certificate for dovecot but different certificates for postfix, and you will also load balance clients connecting to the dovecot instance). Or you might use the same hostname for both servers (in that case you need only one certificate), and dovecot and postfix will be automatically load balanced.
>
> Anvar Kuchkartaev
> [hidden email]
> Original Message
> From: SH Development
> Sent: Thursday, October 12, 2017 05:17 a.m.
> To: [hidden email]
> Subject: SSL overview...
>
>
> Can someone help me understand the overall picture of SSL certificates in this scenario?
>
> I have a working dovecot/postfix/mysql server. It has a certificate.
>
> I now want to create a second, essentially duplicate configured server for use with replication.
>
>
> What is the relationship between the certificate and the hostname, or the DNS entry since the certs are created using the server’s domain name?
>
> mail.serverA.mydomain has a certificate that was created using mail.serverA.mydomain. The server's hostname is mail.serverA.mydomain.
>
> Now enter the new server. It would probably be:
>
> mailserverB.mydomain and a certificate created using mail.serverB.mydomain. The server’s hostname would be mail.serverB.mydomain.
>
> My questions:
>
> 1. Can I use the same certificate on both servers since they are serving email for the same domain?
> 2. Does the hostname have to be the same as the domain name, and thus the name used to create the cert?
>
> Sorry if I’m muddled about this. It was never really an issue until I wanted to add a secondary server into the mix.
>
> Ethon B.