
Virtual Email Domains using different SSL Certificates

Greetings everyone,


I operate a Mac OS X Server (10.8.2) which has four static IPs assigned.

Amongst other services, the Server hosts mail for 3 domains and each domain has been assigned a mail server address on a different IP:


173.X.X.216 -> mail.domain1.tld

173.X.X.217 -> mail.domain2.tld

173.X.X.218 -> mail.domain3.tld


Both forward and reverse DNS work fine and email sent and received is operational for all domains using virtual mailboxes authenticated via Open Directory, i.e.:


user1@domain1.tld also receives mail at user1@domain2.tld and user1@domain3.tld


So far, everything is operating as expected.


Where I have run into a roadblock is that I would like the mail server for each domain secured with its own SSL certificate, and the Server app only allows me to define a single certificate to use for all Mail services. Indeed, if in the Certificates section of Server app I define the SSL certificate issued for one mail server's hostname/IP, users connecting to the other two servers are warned that the certificate is not trusted because of a hostname/IP mismatch.


Is there any way to use a separate SSL certificate for each virtual email domain, or am I forced into having all users authenticate through one server if I am to avoid the untrusted certificate warning?


Thanks for any insight you can provide!


All the best,

Edward

Mac mini, OS X Server

Posted on Jun 2, 2013 4:45 PM

Question marked as Best reply

Posted on Jun 3, 2013 1:38 AM

As far as I can see, Server.app, while it can host multiple (virtual) email domains, does not let you control which IP hosts which and will therefore do it on all of them. The certificate option in Server.app merely lets you select one certificate per service, so it would apply to the entire Mail setup, i.e. all domains.


The only options I can see are -


  • use a separate physical Mac for each IP address and domain which would definitely work
  • or host them in virtual machines
  • or host them all on a single IP address on a single server using a single MX record and certificate for all of them. You can add the additional domains in the subject-alt field of the certificate.


Note: The license for Mountain Lion lets a single Mac host a maximum of two virtual copies of Mountain Lion which would therefore mean a potential three 'servers' on one box.

3 replies
Jun 3, 2013 2:34 AM in response to ForgotAboutTed

You cannot do what you want. But you can do better.


The certificate that the client expects to receive must have the address of the server it was trying to contact, not another address that might hold a fake site. This is part of the point of certificates: they must indicate not only that the server handles traffic securely, but that the server you reached is the server you think it is and not someone hijacking your conversation.


So if your mail client tries to reach server example.com but instead gets a certificate from a different server this is a huge red flag that someone is trying to do something sneaky with their email. This is exactly the kind of attack certificates allow you to detect.


But obviously lots of people need to do the thing you do: split up their mail traffic and have different servers responding. So a certificate can have lots of different domains listed in it. In other words, all your different mail servers have the same cert on them, but that single cert lists all of the following:


example.com

mail.domain1.tld

mail.domain2.tld

mail.domain3.tld


in the same certificate. No matter which server your mail client ends up talking to, the certificate covers both the server it was trying to talk to, and also whichever server generated the reply.


This system is called 'Multiple Domain Certs' or 'Multi-Domain Certs' or UCC (Unified Communications Certificates). And most cert-request apps can generate the requests for them including the command-line facility installed on your Mac. Unfortunately the GUI app Apple supply to generate simple cert requests can't, it will only generate a request in the name of the computer it's running on. And the other 'unfortunately' is that describing how to do what you want is very complicated and I'm not up to doing it here.


So I can only suggest you learn to use openssl by hand, or possibly contact your cert-issuing body and ask them to help you generate the request you really want. Or find a cert expert in your organisation.
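The openssl-by-hand request the reply above points at, written out as an added example (not the poster's or Apple's own commands): one CSR whose subjectAltName lists all three mail hostnames from the thread, plus a check that reads the names back before the request goes to the CA. The output directory, file names and the choice of the first hostname as CN are assumptions.

```shell
#!/bin/sh
# Added example: build a multi-domain (SAN) CSR with the openssl CLI so a
# single certificate covers mail.domain1.tld, mail.domain2.tld and
# mail.domain3.tld. Directory and file names below are assumptions.
set -eu

# Generate a private key and a CSR; the first hostname becomes the CN and
# every hostname (CN included) goes into the subjectAltName extension.
make_san_csr() {
    outdir="$1"; shift          # where key, CSR and config are written
    cn="$1"                      # first hostname is used as the CN
    sans=""
    for h in "$@"; do
        sans="${sans:+$sans,}DNS:$h"
    done
    mkdir -p "$outdir"
    # openssl config written inline so the example needs no external file
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $sans
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/mail.key" -out "$outdir/mail.csr" \
        -config "$outdir/san.cnf" >/dev/null 2>&1
    echo "$outdir/mail.csr"
}

# Print the DNS names found in the CSR's subjectAltName, one per line, so the
# request can be checked for a missing hostname before it is submitted.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/Subject Alternative Name/{getline; print}' \
        | tr ',' '\n' | sed 's/^ *DNS://'
}

# Constructed hostnames taken from the thread.
CSR=$(make_san_csr "${TMPDIR:-/tmp}/san-demo" \
    mail.domain1.tld mail.domain2.tld mail.domain3.tld)
csr_sans "$CSR"
```

The resulting mail.key stays on the server; only mail.csr is sent to the issuer, and the returned certificate is what gets selected once for the Mail service in Server.app.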
