On Wed, Oct 16, 2019 at 04:05:51PM -0400, Viktor Dukhovni via Exim-users wrote:
> > On Oct 16, 2019, at 3:41 PM, Evgeniy Berdnikov via Exim-users
> > <[email protected]> wrote:
> >
> >> So, how do I configure exim so mail can still be accessed via tls and an
> >> account can be created without any complaints about certificates from
> >> Apple Mail?
> >
> > It sounds as if the problem is in your Mac Mail, because neither Exim nor Dovecot
> > require specific host names for TLS (at least by default). So you should
> > configure your Mac Mail client to use exactly those DNS names for SMTP
> > and IMAP/POP3 that are exposed in server certificates.
>
> That's the simplest approach to implement server-side. Anything else
> requires complicated provisioning of multiple certificate chains and
> SNI. The cost is that the IMAP and SUBMIT (outbound SMTP) servers have
> to be the same for all the domains, i.e. the mail clients need to be
> configured to use a fixed pair of server names, regardless of the
> user's mail domain.
>
> If you have many users, and require the flexibility to move their
> mail servers independently of each other, then you're forced to
> deploy SNI on any servers that handle more than one of these
> domains.
>
> Exim has supported SNI for a while. Correctly configured, it
> should work.

Agree. However, I do not know whether the Mac Mail client mentioned above
sends SNI on TLS handshakes with MTA and mailbox access servers.
--
Eugene Berdnikov

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
