0

I managed to set up one physical server using Postfix and Dovecot with a MySQL server. I do plan to use virtual domains and users.

Current setup to send and receive emails:

SENDING: smtp.example.com

RECEIVING: pop.example.com

Now the question: will a regular wildcard SSL certificate work? Or should I just use one domain to simplify it, like mail.example.com for sending and receiving?

masegaloeh
Louie Miranda

3 Answers

3

Certificate validation will be done by the client. Use of wildcards is defined for POP, IMAP and SMTP, so a wildcard certificate should fit. But it might be that some older clients have problems, because the details for certificate handling in SMTP were only defined much later than for the other protocols, so some old clients might not expect wildcards.

Steffen Ullrich
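To make the wildcard rule in the answer above concrete, here is an added example (not part of the original answers): a simplified matcher following the left-most-label wildcard rule of RFC 6125, run over the hostnames from the question. The extra hostnames and all function names are constructed for illustration, and real clients may apply stricter or looser rules.

```python
# Added example: simplified RFC 6125 (section 6.4.3) dNSName matching.
# Hostnames not taken from the question are constructed samples.

def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """Return True if one certificate dNSName pattern covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, never zero or several.
        return False
    if p[0] == "*":
        # Only a complete left-most label may be a wildcard, and it must
        # sit above at least two fixed labels (so "*.com" is rejected).
        fixed = p[1:]
        return (len(p) >= 3 and bool(h[0])
                and "*" not in "".join(fixed) and fixed == h[1:])
    # Partial wildcards such as "f*.example.com" are refused outright.
    return "*" not in pattern and p == h

def cert_covers(san_list, hostname):
    return any(san_matches(s, hostname) for s in san_list)

def uncovered(san_list, hostnames):
    """Hostnames a client could be configured with that the cert fails."""
    return [h for h in hostnames if not cert_covers(san_list, h)]

WILDCARD_CERT = ["*.example.com"]        # the option asked about
SINGLE_NAME_CERT = ["mail.example.com"]  # the single-hostname option

CLIENT_HOSTNAMES = [
    "smtp.example.com",     # from the question
    "pop.example.com",      # from the question
    "mail.example.com",     # from the question
    "example.com",          # constructed: bare domain
    "smtp.eu.example.com",  # constructed: two levels below example.com
    "mail.example.org",     # constructed: a second virtual domain
]

if __name__ == "__main__":
    for name, sans in (("wildcard", WILDCARD_CERT),
                       ("single name", SINGLE_NAME_CERT)):
        print(name, "does not cover:", uncovered(sans, CLIENT_HOSTNAMES))
```

The wildcard covers smtp, pop and mail under example.com, but not the bare domain, deeper names, or a hostname under another virtual domain, so users of every virtual domain still need to be given a server name under example.com.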
3

Or should I just use one domain to simplify it, like mail.example.com for sending and receiving?

Yes, I would advise it. In fact, Google Apps uses the same technique to handle the thousands of domains pointing to it.

Some reasons why you should use this technique are:

  • Only a few mail clients send the SNI header when performing the SSL handshake, so the SNI certificate option won't work in most cases.
  • The wildcard certificate problem has been addressed by Steffen Ullrich in his answer.
masegaloeh
1

If you want to serve SMTP/IMAP for subdomains, then one dedicated subdomain is preferable. IMHO you shouldn't even split your services into two or more separate subdomains like smtp.example.com and pop.example.com. Just use mail.example.com, which can be used for SMTP/POP/IMAP and even HTTP if you plan to launch some webmail.

Kondybas