Let's Encrypt for email domain - but which one?

Hello guys,

I've never used Let's Encrypt for securing a mail server, so I need some help:

My email domain (let's say domain.com) differs from the server's hostname (let's say server.hostname.com), so I was wondering if I should obtain a certificate for domain.com or for server.hostname.com? I'm not sure because my first thought was to obtain a certificate for domain.com, but when I look at the email headers:

Delivered-To: example@gmail.com
Received: by 2002:ab0:2098:0:0:0:0:0 with SMTP id r24csp2306985uak;
Tue, 24 Mar 2020 11:09:43 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vuCOcG14riCFITKQMWQLHsRftw292QjMrLaAWQS0V+SOhLmyEnJkt2uJpP+aO7MMbu/vDpo
X-Received: by 2002:a50:eb05:: with SMTP id y5mr28431049edp.168.1585073382877;
Tue, 24 Mar 2020 11:09:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585073382; cv=none;
d=google.com; s=arc-20160816;
b=YI9gLpG97INXX/dvhPKZjQL3jODq5L2XNgCgAe2GVKx67faWrRKD2AmD/Y2qxAru9G
rLa07kvXMYtCqjyBipxOpjhwdzbJVDSgE1bFLjdNNB2U7jhHplOqaRzMTKpc1eMpTFKj
KaXvWWALOpPsU+RiFInn7e89VKIQuSkbGCiwMO7urQyF9H9QDCPNO6y2Pw97sJe5GzXV
ErwkUNJRtwFuCU2b1RR+tlUp0S5XDcRiJy/S87KElzcKHBZ2SbYxEc4cyJcaPpTwpVps
qgV1+tGCGDjm4+SV+xkP9z9qSQLzj6eUMmF1QQWqW71493WZJ37xmibE908Yy/eSKMZw
2ztQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=to:mime-version:subject:references:in-reply-to:message-id:from:date
:dkim-signature:dkim-signature;
bh=ViCYMe/4JFrFOOqUu8R1lbCBQLUtiXbXFcNA1cMFVWA=;
b=btOGXLlSds/VKOe7Q/E+KT6KMWFUBs90qBGBW/cwNJsIaChFakrJ+FFeM3JNK7WhYy
44B/56AnsOXBtJuA4fUeEuPJLcxHu5HY5SFaY8esdHg7tL/UfMu8S9Q0RQfz6REYu8Fs
jroR6ymMqdvu9TXnkCFmG2YAz+04GzxKDyQVW3d9t/G8pT7y2/qAVIrm2MIxHDJ3xSFc
MEfaKeItet8H6/31JxcAb2WIxQ2lFtW16m3gPmXtwN7vMPNhUQwJV5Y1xPlRAT+KHKwB
YjuuwOernorvdt4uKmurtJKHp7HtbWQksh6CSlkESE8pT0GwVtOVb2oqAUZgfuFxhD0h
NVxg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@domain.com header.s=s1 header.b=gfvcJGPa;
dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=PcSDz8NZ;
spf=pass (google.com: domain of bounces+2967257-b81e-example=gmail.com@email.domain.com designates 198.21.6.101 as permitted sender) smtp.mailfrom="bounces+2967257-b81e-example=gmail.com@email.domain.com"
Return-Path: bounces+2967257-b81e-example=gmail.com@email.domain.com
Received: from cskrhssr.outbound-mail.sendgrid.net (cskrhssr.outbound-mail.sendgrid.net. [198.21.6.101])
by mx.google.com with ESMTPS id v27si6584120edd.354.2020.03.24.11.09.41
for example@gmail.com
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Tue, 24 Mar 2020 11:09:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of bounces+2967257-b81e-example=gmail.com@email.domain.com designates 198.21.6.101 as permitted sender) client-ip=198.21.6.101;
Authentication-Results: mx.google.com;
dkim=pass header.i=@domain.com header.s=s1 header.b=gfvcJGPa;
dkim=pass header.i=@sendgrid.info header.s=smtpapi header.b=PcSDz8NZ;
spf=pass (google.com: domain of bounces+2967257-b81e-example=gmail.com@email.domain.com designates 198.21.6.101 as permitted sender) smtp.mailfrom="bounces+2967257-b81e-example=gmail.com@email.domain.com"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com; h=from:in-reply-to:references:subject:mime-version:x-feedback-id:to: content-type; s=s1; bh=ViCYMe/4JFrFOOqUu8R1lbCBQLUtiXbXFcNA1cMFVWA=; b=gfvcJGPaGjgt0D0jeYfkXZzzV5Rat+u8DK4offLfgj/AIuCzjlTR5lofpoWQi2BxM8iw MuMyrdNxWVt67mBZuXQ9otnSxXWw+200ysHnA30TUdmZaNnuASmkO7tN+7kLYpcLAiM9Nd CKxAAbqmIYkBBJOEEigfkNg70Jdim8Kng=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.info; h=from:in-reply-to:references:subject:mime-version:x-feedback-id:to: content-type; s=smtpapi; bh=ViCYMe/4JFrFOOqUu8R1lbCBQLUtiXbXFcNA1cMFVWA=; b=PcSDz8NZbE1xDEax7yQNViFnf5SB2cc9LvewHLJwQxTm5xqhZmicCv4fL02zjaoTvlyh X49lrVZLbFCICjIIXdTsMDpbzErcPtjX6nJ2b0gH9h3gnSo09EtHW4pHnyHXfcWGzqwlsZ OQRNy0Cra9I8lZiI3ky/oJtcjwSEazbe0=
Received: by filterdrecv-p3las1-648dcbd4bf-mwnx5 with SMTP id filterdrecv-p3las1-648dcbd4bf-mwnx5-20-5E7A4CE3-6F
2020-03-24 18:09:39.883730297 +0000 UTC m=+687330.469828445
Received: from server.hostname.com (unknown) by ismtpd0001p1lon1.sendgrid.net (SG) with ESMTP id p3kpZjTvSAynai1xGrj-Jw for example@gmail.com; Tue, 24 Mar 2020 18:09:39.501 +0000 (UTC)
Received: from [192.168.1.156] (cable-89-216-20-83.cable_provider_isp.tld [89.216.20.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by server.hostname.com (Postfix) with ESMTPSA id 9BE2B5C597 for example@gmail.com; Tue, 24 Mar 2020 19:09:38 +0100 (CET)
Date: Tue, 24 Mar 2020 18:09:39 +0000 (UTC)
From: adam@domain.com
Message-ID: 86a27dea-9bba-4b01-a18c-46198a501382@Spark
In-Reply-To: bd3c27d5-9ae4-495a-875d-936bcff1b20f@Spark
References: cc326246-b383-4829-aac2-a0cea1af70be@Spark bd3c27d5-9ae4-495a-875d-936bcff1b20f@Spark
Subject: Fwd: Sastanak u 10
X-Readdle-Message-ID: 86a27dea-9bba-4b01-a18c-46198a501382@Spark
MIME-Version: 1.0
X-Feedback-ID: 2967257:SG
X-SG-EID: 9gxTU0Q2NoXm3y/gNIc6GG1xB0HYfq9dA5dPJe/6vb2j9cCOQLWEYCWdyoUihC3P4Fn5ChGM5dze95PAKibu5LxQtorv4p81s7B7xd8++wKWVzgo8QLN4W+Q1XfarvQP1yAhGVf5XXZvJi1OVB3BPR13W7G2jh26Lr9s7QeM01wFW64X2db3o6+wQz/zI09mwtzag0wIycj5C8OiGj1irmSKo6GZoFTUF8HPTQAxWAU=
To: User example@gmail.com
Content-Type: multipart/alternative; boundary="5e7a4ce1_6b8b4567_26c"

--5e7a4ce1_6b8b4567_26c
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

it says that it has been received from server.hostname.com, so maybe I should obtain a certificate for server.hostname.com instead?
Maybe I should emphasize that I'm using SendGrid as an SMTP relay.

Thanks in advance!

1 Like

Most likely you need a certificate for the hostnames listed in the MX records; this is also a requirement of the recent MTA-STS standard. You don't need certificates for sending emails, SendGrid manages that.

2 Likes

I think that's correct. The MTA should resolve the MX record of the domain name part of the e-mail address and try to connect to the returned hostname. It's that hostname which should match the certificate's SAN list.

2 Likes

Thank you guys for your answers!
My email domain is @sfp.rs and, if I have understood you right, I should have a certificate for the hostname sfp.rs (because the MX record resolves to sfp.rs), and so I've obtained a Let's Encrypt certificate for that hostname, but this is the message that I get from the MTA when I try to send email, so I'm probably making a mistake somewhere? I can receive emails.

I can post the Postfix and Dovecot configuration if needed, but I doubt that could be the problem…

Your mail client isn't using the MX record for sending email in the case of directly connecting to the SMTP server. You should either just enter the same hostname in your client as the MX value or add mail.sfp.rs to the certificate too.

1 Like
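The two rules the replies above state (a receiving MTA verifies the certificate against the MX target of the address's domain, while a mail client verifies it against whatever server hostname was typed into the client) can be turned into a small check. The following is an added example written for this thread, not code from any poster or from Let's Encrypt; the MX data for sfp.rs is constructed inline, so the script runs offline, and the optional live helper at the end uses only the Python standard library.

```python
"""Which hostnames must a mail server's certificate cover?

Offline model of the thread's situation: mail domain sfp.rs, MX target sfp.rs,
and a mail client configured to submit via mail.sfp.rs.
"""
import smtplib
import ssl

# Constructed stand-in for a DNS MX query (not a live lookup; the real
# sfp.rs zone may differ). Values are MX target hostnames.
FAKE_MX = {"sfp.rs": ["sfp.rs."]}


def fake_mx_lookup(mail_domain):
    """Return the MX target hostnames for a mail domain from the constructed table."""
    return FAKE_MX.get(mail_domain.lower(), [])


def required_cert_names(mail_domain, mx_lookup=fake_mx_lookup, submission_host=None):
    """Hostnames that must appear in the certificate's SAN list.

    A receiving MTA resolves the MX of the domain part of the address and
    verifies the certificate against the MX target, not the mail domain.
    A mail client submitting on 587/465 verifies against the hostname the
    user entered in the client, so that name is needed too if it differs.
    """
    names = {h.rstrip(".").lower() for h in mx_lookup(mail_domain)}
    if submission_host:
        names.add(submission_host.rstrip(".").lower())
    return names


def san_matches(san_entry, hostname):
    """RFC 6125-style DNS-ID match: exact, or a wildcard in the leftmost label only."""
    san_entry, hostname = san_entry.lower(), hostname.lower()
    if not san_entry.startswith("*."):
        return san_entry == hostname
    suffix = san_entry[1:]  # "*.sfp.rs" -> ".sfp.rs"
    if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
        return False  # bare domain is never covered by its own wildcard
    return "." not in hostname[: -len(suffix)]  # wildcard spans one label only


def missing_names(san_list, required):
    """Required names that no SAN entry covers (empty list means the cert is fine)."""
    return sorted(n for n in required if not any(san_matches(s, n) for s in san_list))


def live_starttls_sans(hostname, port=25, timeout=10):
    """Fetch the SAN DNS names a real server presents after STARTTLS.

    Needs network access; not used by the offline checks above. The chain is
    still validated (CERT_REQUIRED); only the hostname comparison is left to
    missing_names() so a mismatched certificate can still be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with smtplib.SMTP(hostname, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    need = required_cert_names("sfp.rs", submission_host="mail.sfp.rs")
    print("names the certificate must cover:", sorted(need))
    print("missing from a cert issued only for sfp.rs:", missing_names(["sfp.rs"], need))
    print("missing from a cert for sfp.rs + *.sfp.rs:", missing_names(["sfp.rs", "*.sfp.rs"], need))
```

Running it reproduces the thread's diagnosis: a certificate for sfp.rs alone satisfies inbound MTAs that follow the MX record, but the client's submission hostname mail.sfp.rs is reported as missing until it is added as a SAN (or a wildcard covers it), which is exactly why inbound mail worked while sending from the client failed.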

Wow @Osiris, thank you so much for the quick response and for the details, I will try to do that!

EDIT: Everything works fine now, thank you @Osiris and @Patryk once again for your help!

1 Like
