undefined | Better HN

0 pointsusefulcat3y ago0 comments

Yeah, I've been doing exactly this for over 20 years. The only problem I can recall is related to the fact that the hosting provider uses a single SSL cert for the machine that hosts my domain (and many others, presumably), so of course the cert doesn't match my domain name. It's pretty easy to work around, and I only have to deal with it every few years when they do a hardware upgrade, which sometimes means moving my domain to a different machine.

0 comments

3 comments · 2 top-level

kro3y ago· 1 in thread

The MX servers cert in my experience does not need to include your email domain name .

usefulcatOP3y ago

I believe you're correct. I should clarify that the SSL cert problems I have are only related to my client connecting to the server to send or receive messages.

pretext-13y ago

Certs for MX servers are supposed to have the MX as subject or SAN, not your email domain. It's important when the sender enforces encryption with a valid cert (e.g. MTA-STS, or config in the mail server, or many hosted solutions like Google Workspace also support enforcing this for selected or all domains).

Example:

example.com. MX aspmx.l.google.com.

Cert should have aspmx.l.google.com as subject or SAN.

j / k navigate · click thread line to collapse