Chris Simmons:
> Hi all,
>
> In testing (and by reading the archives) I have found that postfix
> only supports one level of wildcard SSL certificates. That is to
> say, I can get a certificate for *.example.com that will match
> host1.example.com and host2.example.com, but won't match
> mail.host1.example.com or mail.host2.example.com.
According to a comment in the source code:

    The rules for peer name wild-card matching differ between RFC 2818
    (HTTP over TLS) and RFC 2830 (LDAP over TLS), while RFC 3207 (SMTP
    over TLS) does not specify a rule at all. Postfix uses a restrictive
    match algorithm. One asterisk ('*') is allowed as the left-most
    component of a wild-card certificate name; it matches the left-most
    component of the peer hostname.

If there is meanwhile an RFC that documents wildcard behavior, then Postfix can be updated. Otherwise it makes little sense.

Wietse
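The restrictive rule quoted above, written out as an added example (this is illustrative code, not Postfix's own implementation), next to the looser RFC 2818 section 3.1 rule so the difference is visible on the thread's own hostnames. The function names and the sample names are constructed for the example.

```python
import re


def postfix_wildcard_match(cert_name: str, peer_host: str) -> bool:
    """Restrictive rule from the quoted Postfix comment: one '*' is allowed,
    only as the entire left-most label, and it matches exactly one label of
    the peer hostname. Labels are compared case-insensitively."""
    cert = cert_name.rstrip(".").lower().split(".")
    host = peer_host.rstrip(".").lower().split(".")
    if "" in cert or "" in host:          # empty label, e.g. "a..b": malformed
        return False
    if cert == host:                      # exact name, no wildcard involved
        return True
    if len(cert) != len(host):            # '*' never spans several labels, so
        return False                      # *.example.com != mail.host1.example.com
    if cert[0] != "*" or "*" in "".join(cert[1:]):
        return False                      # '*' must be the whole left-most label only
    return cert[1:] == host[1:]           # the fixed labels must agree exactly


def rfc2818_wildcard_match(cert_name: str, peer_host: str) -> bool:
    """Looser rule of RFC 2818 section 3.1, for contrast: '*' may appear in
    any label and matches a whole label or a fragment of one (f*.com matches
    foo.com), but it still never crosses a dot."""
    cert = cert_name.rstrip(".").lower().split(".")
    host = peer_host.rstrip(".").lower().split(".")
    if "" in cert or "" in host or len(cert) != len(host):
        return False
    for c, h in zip(cert, host):
        # Each '*' inside a label becomes "any run of non-dot characters".
        pattern = "^" + "[^.]*".join(re.escape(part) for part in c.split("*")) + "$"
        if not re.match(pattern, h):
            return False
    return True


def compare(cert_name: str, peer_host: str) -> tuple:
    """Return (postfix_result, rfc2818_result) for one certificate/peer pair."""
    return (postfix_wildcard_match(cert_name, peer_host),
            rfc2818_wildcard_match(cert_name, peer_host))


if __name__ == "__main__":
    # The two cases from the thread, plus two constructed ones where the rules diverge.
    for cert, host in [("*.example.com", "host1.example.com"),
                       ("*.example.com", "mail.host1.example.com"),
                       ("mail*.example.com", "mail1.example.com"),
                       ("host1.*.com", "host1.example.com")]:
        pf, rfc = compare(cert, host)
        print(f"{cert:20} {host:25} postfix={pf!s:5} rfc2818={rfc}")
```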