Outgoing mail certificate name mismatches


#1

I’ve successfully set up Let’s Encrypt on my VPS; websites are now working as they should with https.

However, when I send a mail through a mail client I’m running into an issue.

Let’s say my server is server.server.com and one of my websites is website.com.

I’d like to use mail.website.com as my outgoing server. When sending mail, I get a certificate warning telling me there’s a name mismatch. The name in the certificate is server.server.com.
I have a certificate set up for website.com, so I was expecting to see website.com as the certificate name. Is the server’s cert being handed over because I have only one IP address?
Is there a way to avoid the cert mismatch besides changing the outgoing server to match the server’s cert name?


#2

Can’t say: do you have one certificate with both domain names in the SAN or multiple certificates?

If you didn’t put mail.website.com in the certificate, you’ll always get an error of course.


#3

I used SSH to get a certificate for my server:
./letsencrypt.sh request server.server.com 4096

I’m using the DirectAdmin plugin to get the other Let’s Encrypt certificates for each domain name. It doesn’t allow me to specifically add mail.website.com to the certificate, but I thought the certificate would be valid for mail. as well. Perhaps not. Do I need to add mail.website.com to the certificate manually?
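The point made in #2 and #3 is that a client compares the hostname it was told to connect to (mail.website.com) against the names listed in the certificate's subjectAltName, and "website.com" does not cover "mail.website.com". The script below is an added example, not from this thread or from DirectAdmin or Let's Encrypt; it issues throwaway self-signed certificates with the hostnames used in the thread and runs the same hostname check a mail client performs. It assumes OpenSSL 1.1.1 or newer (for `req -addext` and `x509 -ext`), and it goes one step beyond the thread by also showing that a wildcard name (`*.website.com`) would cover the mail hostname.

```shell
#!/bin/sh
# Added example (not from the thread): why a certificate issued for website.com
# is rejected when a mail client connects to mail.website.com, and how a SAN
# certificate listing every hostname fixes it. Needs OpenSSL >= 1.1.1.

WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_cert <prefix> <common-name> <san-list>
# Issues a throwaway self-signed certificate. In production Let's Encrypt
# signs it, but the SAN list is the part that decides name matching.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# cert_names <prefix>: print the DNS names the certificate is valid for,
# as one comma-separated line (e.g. DNS:website.com,DNS:www.website.com).
cert_names() {
    openssl x509 -in "$WORK/$1.crt" -noout -ext subjectAltName | tail -n +2 | tr -d ' '
}

# cert_covers <prefix> <hostname>: exit 0 if a client connecting to <hostname>
# would accept this certificate, non-zero on a name mismatch. Chain trust is
# satisfied by trusting the certificate itself; only the hostname is under test.
cert_covers() {
    openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# 1) The web site's certificate as the original poster has it.
make_cert web  "website.com"       "DNS:website.com,DNS:www.website.com"
# 2) One SAN certificate for the server that also lists the mail hostname.
make_cert san  "server.server.com" "DNS:server.server.com,DNS:website.com,DNS:mail.website.com"
# 3) A wildcard certificate (beyond the thread: covers any single label under website.com).
make_cert wild "website.com"       "DNS:website.com,DNS:*.website.com"

for host in website.com mail.website.com; do
    for c in web san wild; do
        if cert_covers "$c" "$host"; then r=accepted; else r=MISMATCH; fi
        printf '%-4s cert [%s] presented for %s: %s\n' "$c" "$(cert_names "$c")" "$host" "$r"
    done
done

# To inspect what a live mail server actually presents (not run here; needs network):
#   openssl s_client -starttls smtp -connect mail.website.com:587 -servername mail.website.com \
#       </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
```

Running it prints one line per certificate and hostname: the web certificate is accepted for website.com but reported as a mismatch for mail.website.com, while the SAN and wildcard certificates are accepted for both. The `s_client` command in the trailing comment is the quickest way to confirm which certificate (and which names) the mail server is really handing out on the submission port.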


#4

I will assume you are using Postfix as your SMTP server.

Postfix right now doesn’t support multiple certs for multiple domains, so you can only use one certificate for all your domains/subdomains.

The solution to this Postfix limitation is using a SAN certificate; a SAN certificate allows you to authorize several domains and subdomains on a single cert.

I’m having some trouble deploying mine, but here is a post with my main problem and some information that may be valuable to you.


#5

I’m using Exim, not Postfix. I did find this page: https://loune.net/2016/02/lets-encrypt-with-exim-and-dovecot/ detailing what might be done, but I’m hesitant to try stuff like this if it’s not really necessary (it might mess things up, after all).
Perhaps I will leave it as is. Using the main server name for outgoing mail (or accepting a mismatched name cert) isn’t a very big deal.