I am providing email service to a client by outsourcing to another company that provides reseller email hosting. The reseller has this statement in their documentation:
Optionally, you can also add the RFC 6186 DNS entries. If added these entries will allow compatible email clients to automatically configure their hostname and port settings, which makes it easy for new users. Including the IMAPS and POP3S records results in most email clients automatically using SSL encryption for all their email communications.
I am confused about this. Does it mean that I can piggyback off their SSL certificate by setting up these DNS records? I added these types of records to the DNS: SRV _imaps._tcp. Does this get around any invalid certificate issues?
I want the email to be secure, but the DNS is set up as a CNAME record to the reseller (mail.client.com -> CNAME -> mail.reseller.com). So when you try to configure email in an email client, it complains about an invalid certificate (cert doesn't match domain since it's the reseller's).
Is there a way to secure the email using the reseller's certificate without having to buy one of my own?
The SRV records don't get around needing valid SSL certificates with the correct host names.
The SRV records are only used during configuration to identify the correct mail server. For example, the user enters [email protected] in their email client. The email client asks for _imaps._tcp.client.com and gets back whatever you configured. So if you configured mail.client.com that's what the client gets back, and that's what the client uses. So you still need an SSL cert that says mail.client.com.
If instead you set the SRV record to mail.reseller.com, then the email client uses mail.reseller.com and the reseller's certificate will work fine.
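To make the answer concrete, here is an added example (not from the answerer or the reseller) that models what an RFC 6186 client does: it picks the SRV target for `_imaps._tcp.<domain>`, then checks that hostname against the names in the server's certificate the way TLS hostname verification does. The zone data and certificate SANs are constructed for illustration; `client.com` and `reseller.com` are the placeholder names from the question.

```python
# Constructed RFC 6186 SRV answers for a hypothetical zone (not real DNS data).
# Each tuple is (priority, weight, port, target) as in an SRV RDATA.
SRV_ZONE = {
    "_imaps._tcp.client.com.": [(0, 1, 993, "mail.client.com.")],
    "_submission._tcp.client.com.": [(0, 1, 587, "mail.client.com.")],
}

# Constructed subjectAltName list: the reseller's cert only names the reseller.
RESELLER_CERT_SANS = ["mail.reseller.com", "*.reseller.com"]


def discover_service(service, domain, zone=SRV_ZONE):
    """RFC 6186 lookup: return (host, port) for the preferred SRV record, or None."""
    records = zone.get(f"_{service}._tcp.{domain}.")
    if not records:
        return None
    # Lowest priority wins; among equal priorities pick the highest weight.
    # (RFC 2782 uses weighted random selection; a deterministic pick is used here.)
    _prio, _weight, port, target = sorted(records, key=lambda r: (r[0], -r[1]))[0]
    if target == ".":  # RFC 2782: a target of "." means the service is not offered
        return None
    return target.rstrip("."), port


def hostname_matches(hostname, san_names):
    """Simplified RFC 6125 check: exact match, or a wildcard in the left-most label only."""
    host_labels = hostname.lower().split(".")
    for san in san_names:
        san_labels = san.lower().split(".")
        if len(san_labels) != len(host_labels) or san_labels[1:] != host_labels[1:]:
            continue
        if san_labels[0] in ("*", host_labels[0]):
            return True
    return False


def imap_tls_would_validate(domain, san_names=RESELLER_CERT_SANS, zone=SRV_ZONE):
    """Does the host a client discovers via SRV match a name in the presented cert?

    Returns None when no SRV record exists, True/False otherwise.
    """
    found = discover_service("imaps", domain, zone)
    if found is None:
        return None
    host, _port = found
    return hostname_matches(host, san_names)
```

With the SRV target set to `mail.client.com` the reseller's certificate fails the name check, exactly as the answer says; pointing the SRV target at `mail.reseller.com` makes it pass without any certificate for the client's own domain.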