Add mail.cnx.email client alias as a cert SAN
A mail.cnx.email CNAME (-> mx1.cnx.email) lets clients (Thunderbird etc.) use a friendly hostname for submission/IMAP. To avoid a TLS name mismatch the cert now carries mail.cnx.email as a SAN, so the acme_mx1 key is authorized to write _acme-challenge.mail too. The MX still points at mx1.cnx.email and --reuse-key keeps the DANE TLSA digest valid across the re-issue.
+7
-1
@@ -19,6 +19,9 @@ let
hosts = import ./hosts.nix;
fqdn = "mx1.cnx.email";
mtaStsHost = "mta-sts.cnx.email";
# Client-facing alias (CNAME -> mx1) so Thunderbird etc. can use mail.cnx.email
# for submission/IMAP; added as a cert SAN so TLS validates against that name.
clientHost = "mail.cnx.email";
# MTA-STS policy served at https://mta-sts.cnx.email/.well-known/mta-sts.txt.
# enforce = a sending MTA that fetched this must use a valid, MX-matching TLS
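Review bot: the commit message says the acme_mx1 key is now authorized to write _acme-challenge.mail, but nothing in this hunk (or elsewhere in the diff) carries that DNS-side change, so a reader of this file cannot tell where the update policy lives; extend the new comment above clientHost with a pointer to the zone/TSIG policy that grants it, e.g. "# DNS-01 for this name needs the acme_mx1 key allowed on _acme-challenge.mail (see zone config)". Worth stating there too that the CNAME must keep pointing at fqdn, since the cert only covers the name and does nothing if the alias drifts.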
@@ -94,7 +97,10 @@ in
# web server and no inbound HTTP needed, so port 80 stays closed. Add the
# MTA-STS host as a SAN so the one cert also covers the policy endpoint.
certificateScheme = "acme";
certificateDomains = [ mtaStsHost ];
certificateDomains = [
mtaStsHost
clientHost
];
dkimSelector = "mail";
};
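Review bot: the comment directly above this hunk ("Add the MTA-STS host as a SAN so the one cert also covers the policy endpoint.") is now stale, since the list also carries clientHost; update it to mention the client alias as well, e.g. "# ... also covers the policy endpoint and the mail.cnx.email client alias." Separately, the commit message leans on --reuse-key to keep the DANE TLSA digest valid across the re-issue, but that flag is not visible in this hunk; please confirm it is set in the ACME configuration for this cert (and ideally reference it in the comment), because a SAN change forces a re-issue and a fresh key would invalidate a key-based TLSA record until the DNS is updated.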