
List:       debian-user
Subject:    Re: Best practice for TLS/DNS Setup for exim
From:       Rainer Dorsch <ml () bokomoko ! de>
Date:       2020-05-19 15:10:33
Message-ID: 12353294.16s0clBP7P () h370-wlan

On Monday, 18 May 2020, 19:58:06 CEST, Dan Ritter wrote:
> Rainer Dorsch wrote:
> > Hi,
> > 
> > I am just wondering what an efficient TLS/DNS setup for exim looks like:
> > 
> > Right now I have an A entry in the DNS server for smtp.<domain> and a
> > letsencrypt certificate as well.
> > 
> > If I set up a new server and call it SMTP2, I need to reconfigure this in
> > all my email clients. If I install the SMTP certificates, testing is
> > somewhat limited, since the DNS entry still points to another server and
> > I would need to fake this.
> > 
> > Does anybody know if I can have a certificate for <hostname>.<domainname>
> > and use a CNAME for smtp?
> > 
> > The advantage I would see is that I can have a fully functional config,
> > and by disabling the SMTP name on the old system and changing the CNAME
> > in the DNS system, I could be done.
> > 
> > Does anybody know whether the standard email clients can handle the
> > situation in which they get a CNAME as SMTP server and, as certificate,
> > the <hostname> that the SMTP CNAME points to?
> 
> I think you're overcomplicating it.
> 
> Your domain can and should have two or more MX records, with
> different priority levels. The MX records don't even have to
> point to names in your domain.
> 
> Since you're using Let's Encrypt, certificates are free. So,
> for each mail server, set up an A and/or AAAA record. Add those
> to the MX records for your domain. Have LE produce certificates
> for the mail servers under the names they have assigned.
> 
> Any mail sender will try each of your MX records, stopping when
> it gets to a working entry. Some spammers will try in reverse
> order, hoping that you don't have anti-spam measures on your
> secondary mail server.
> 

Just curious: if I have multiple MX records, how would you sync the incoming 
emails (*)? I can see that with an NFS-mounted home directory with Maildir 
mailboxes that could work, and dovecot could probably run on multiple hosts 
(or at least it would be possible to switch the imap DNS entry if needed). 
But then the NFS server is the single point of failure. Are there better ways 
to sync the mail servers behind the MX records than NFS?

Thanks
Rainer

(*) it would be some fun to present to the user multiple mail boxes and emails 
are "randomly" distributed into them :-D

-- 
Rainer Dorsch
http://bokomoko.de/
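Two of the mechanisms discussed in this thread, as an added example that is not code from the thread, from exim or from Debian: how a sending MTA walks a domain's MX records in preference order and stops at the first host that accepts (the behaviour Dan describes), and what a mail client does with an alias such as smtp.<domain> at the TLS step. Per RFC 6125 the client compares the certificate against the name it was configured with, not against the CNAME target it resolved, so a certificate issued only for <hostname>.<domain> fails validation behind a CNAME; the practical fix is a certificate whose SAN list also carries smtp.<domain> (Let's Encrypt issues multi-name certificates). The zone data, the example.org domain, the mail1..mail3 hosts and the 192.0.2.x addresses below are constructed placeholders, and the `reachable` set stands in for a successful SMTP session.

```python
"""Added illustration for the thread above (not code from the post, exim
or Debian). Two things are modelled with constructed data:
  1. how a sending MTA walks a domain's MX records, and
  2. why a TLS client configured with an alias (smtp.<domain>) rejects a
     certificate issued only for the CNAME target (<hostname>.<domain>).
example.org, mail1..mail3 and the 192.0.2.x addresses are placeholders."""
import random

# Constructed zone: owner name -> list of (rrtype, rdata). Not real DNS.
ZONE = {
    "example.org.": [
        ("MX", (10, "mail1.example.org.")),
        ("MX", (10, "mail3.example.org.")),   # same preference as mail1
        ("MX", (20, "mail2.example.org.")),   # backup MX, tried last
    ],
    "mail1.example.org.": [("A", "192.0.2.10")],
    "mail2.example.org.": [("A", "192.0.2.20")],
    "mail3.example.org.": [("A", "192.0.2.30")],
    # the alias from the thread: clients are configured with smtp.example.org
    "smtp.example.org.": [("CNAME", "mail1.example.org.")],
}


def resolve_a(name, zone=ZONE, depth=0):
    """Return the A record for name, following a bounded CNAME chain."""
    if depth > 8:
        raise ValueError("CNAME chain too long at %s" % name)
    for rrtype, rdata in zone.get(name, []):
        if rrtype == "A":
            return rdata
        if rrtype == "CNAME":
            return resolve_a(rdata, zone, depth + 1)
    return None


def mx_candidates(domain, zone=ZONE, rng=random):
    """RFC 5321 section 5.1 order: ascending preference value, with hosts
    of equal preference tried in random order."""
    by_pref = {}
    for rrtype, rdata in zone.get(domain, []):
        if rrtype == "MX":
            pref, host = rdata
            by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def deliver(domain, reachable, zone=ZONE, rng=random):
    """Walk the MX list and stop at the first host that accepts the message.
    'reachable' is a set of hosts standing in for a successful SMTP session;
    returns the host that took the mail, or None if every MX failed."""
    for host in mx_candidates(domain, zone, rng):
        if resolve_a(host, zone) is not None and host in reachable:
            return host
    return None


def hostname_matches(reference, san_names):
    """RFC 6125 style dNSName check. The reference identity is the name the
    client was configured with. A wildcard is honoured only as the entire
    leftmost label and only when at least two labels follow it."""
    ref = reference.rstrip(".").lower().split(".")
    for san in san_names:
        pat = san.rstrip(".").lower().split(".")
        if len(pat) != len(ref):
            continue
        if pat == ref:
            return True
        if pat[0] == "*" and len(pat) >= 3 and pat[1:] == ref[1:]:
            return True
    return False


def client_connect(configured_name, san_names, zone=ZONE):
    """What a mail client does with 'smtp.example.org' in its settings: it
    resolves that name (through the CNAME) to pick an address, but compares
    the *configured* name, never the CNAME target, with the certificate."""
    fqdn = configured_name if configured_name.endswith(".") else configured_name + "."
    return {"address": resolve_a(fqdn, zone),
            "cert_ok": hostname_matches(configured_name, san_names)}
```

`client_connect("smtp.example.org", ["mail1.example.org"])` reaches 192.0.2.10 but reports `cert_ok` False; adding "smtp.example.org" to the SAN list makes the same connection validate. `deliver("example.org.", {"mail2.example.org."})` shows the backup MX being reached only after both preference-10 hosts fail, which is the order Dan describes and the order a spammer may deliberately invert.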

