Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4140
Views
0
Helpful
5
Replies

SSL Certificate Which hostname to use

Go to solution
john-copeland
Level 1
Level 1

‎03-22-2010 09:06 AM

We are looking at implementing TLS on our C360 Email Appliances. I have looked into generating a CSR and am fine except for the hostname to use in the common name field.

I know that with secure websites it is the name of the website followed by the domain e.g. www.externaldomain.com, portal.externaldomain.com.

What hostname do you use with TLS with the Ironport email appliance?

I think that it is the external MX record name (mail.externaldomain.com) as this is what other email systems would be connecting to, but there is also the FQDN of the Ironport appliance and  the hostname of the IP Interface for outgoing email (as this appears in the 'Received from' field when sending external emails).

Any advice would be much appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
steven_geerts
Level 1
Level 1

‎04-06-2010 03:16 PM

hello John,

You should use the name defined in the PTR (reversed) DNS record of the sending IP address.

normally that should be the same as the hostname used for your public interface and also the hostname used in your (E)HLO greating.

Steven

View solution in original post

0 Helpful
5 Replies 5

Go to solution
steven_geerts
Level 1
Level 1

‎04-06-2010 03:16 PM

hello John,

You should use the name defined in the PTR (reversed) DNS record of the sending IP address.

normally that should be the same as the hostname used for your public interface and also the hostname used in your (E)HLO greating.

Steven

0 Helpful

Go to solution
RYAN KIM
Level 1
Level 1

‎04-06-2010 03:32 PM

I ended up specifying both names, and using a Verisign purchased certificate and specified Subject Alternative Naming (SAN), which allows you to specify two or more commonnames for the certificate.  In my case, I have an internal listener, with an internal hostname, and an external listener, with an external hostname.  I was able to use a single certificate to satisfy both interfaces, of course, Verisign charges your for 2 certificates, if you specify a common name and a SAN.

I'm guessing other vendors offer something similar to Verisign's SAN.

Ryan

0 Helpful

Go to solution
Ferenc Hevesi
Level 1
Level 1
In response to RYAN KIM

‎04-09-2010 02:26 AM

It's worth noting that you could use separate certificates for receiving and sending e-mails as well as for HTTPS management and LDAPS. So in your case you might have used a separate no-cost self-signed certificate for the internal listener assuming that your security policy allows using self-signed certs and that would not pose additional security risks for your environment.

0 Helpful

Go to solution
john-copeland
Level 1
Level 1

‎04-07-2010 02:32 AM

I decided to go ahead with a free trial SSL certificate using the external MX record name as the hostname as this seemed to be the logical solution and it is working like a charm. Just need to buy the real thing in 90 days time.

0 Helpful

Go to solution
Kuriakose Varghese
Level 1
Level 1
In response to john-copeland

‎04-23-2010 12:24 PM

SSL Certificate should use the hostname appears in the external MX record so that outside hosts trust the certificate presented by your appliance.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents