On 06/16/2015 09:44 PM, David Highley wrote:
> Another missed concept is the practice of using DNS CNAME aliases for a
> host, like mail.domain.com, so that things are not hardcoded all over
> the place and you can move functionality around without going to n
> places to change hardcoding. In that case the host provided is not in the
> ssl cert.

A few years back the certificate CN recommendation changed for cert generation from:

  'host.domain.tld'

to

  '*.domain.tld'

This was intended to allow additional flexibility. I know I've made use of that format for at least the last 2-3 years of certificate generation. Peer verification in PHP will deal with the wildcard properly, allowing the normal CNAMEs for a host (e.g. hostname, ftp, mail, www, etc.). This recommendation applies to both server certificates (httpd, etc.) and mail certificates.

I don't know if it will help with your setup, but it does help keep you from being locked into a specific cert CN.

--
David C. Rankin, J.D.,P.E.

-----------------------------------------------------------------------------------
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
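
As an added example (not part of the original post, and not PHP's own verification code), this Python function applies the usual single-label wildcard rule from RFC 6125 to show which aliases a `host.domain.tld` or `*.domain.tld` certificate covers. The alias list and the function names are constructed for illustration.

```python
# Added example: single-label wildcard matching in the style of RFC 6125.
# Not PHP's verification code; host names below are constructed samples.

def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def name_matches(pattern, host):
    """Return True if the certificate name `pattern` covers `host`."""
    p, h = _labels(pattern), _labels(host)
    if "" in p or "" in h or len(p) != len(h):
        return False              # '*' stands for exactly one label
    if p[0] != "*":
        return p == h             # plain name: exact match only
    if len(p) < 3 or any("*" in label for label in p[1:]):
        return False              # reject '*.tld' and wildcards right of the first label
    return p[1:] == h[1:]

def audit(cert_names, aliases):
    """Map each alias to whether any certificate name covers it."""
    return {a: any(name_matches(n, a) for n in cert_names) for a in aliases}

# Constructed aliases a mail client such as SquirrelMail might be pointed at.
ALIASES = ["host.domain.tld", "mail.domain.tld", "ftp.domain.tld",
           "www.domain.tld", "domain.tld", "imap.mail.domain.tld"]

if __name__ == "__main__":
    for cert in (["host.domain.tld"], ["*.domain.tld"],
                 ["*.domain.tld", "domain.tld"]):
        print(cert)
        for alias, ok in audit(cert, ALIASES).items():
            print(f"  {alias:24} {'covered' if ok else 'NOT covered'}")
```

A wildcard certificate that must also serve the bare `domain.tld` needs that name listed separately, and an alias two labels deep needs its own name as well.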