Recently I have been trying to secure mail ports 993/995/465 with a certificate. It works when specifying the server hostname, but that's not an option on a shared server with numerous users.

The 'working' setup is:

Protocol        Domain/hostname     Port  SSL
Incoming IMAP   shared.server.tld   993   SSL
Outgoing SMTP   shared.server.tld   465   SSL

I need it to work for mail.domainname, so that the only thing the customers have to do is to turn on SSL in Apple Mail/Outlook/Thunderbird and/or specify the 993/465 ports.

Right now when I specify mail.domainname I get a certificate mismatch, because the cert is for shared.server.tld and not mail.domainname.

How do I secure the mail.domainname ports with a certificate specified for shared.server.tld?

We have tried with an SRV DNS record, and are looking to get this working with autodiscover.
Get a certificate with Subject Alternative Names for each of the hostnames involved - these are often sold as 'multi-domain' or 'multi-host' SSL certificates.

The hostname and a subject name MUST match, otherwise you are not protecting against MITM - after all, if they could differ, ANY certificate validly signed by a root CA would work for any host.
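A minimal model of the check this answer describes, written for this page (not code from the question, the answers or any library): how a mail client decides whether the names in a certificate cover the hostname it was configured with. The certificates are constructed inline, and example.com stands in for one customer's domainname.

```python
"""Hostname-vs-certificate matching, as a mail client performs it during the
TLS handshake (RFC 6125 style).  Added example, not code from the question or
answers; the certificates below are constructed inline, with example.com
standing in for one customer's "domainname"."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    common_name: str
    san_dns: list = field(default_factory=list)  # dNSName entries of the SAN extension


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; a '*' is accepted only as the whole leftmost
    label and matches exactly one label, so it never covers the bare domain,
    deeper subdomains, or a public suffix such as '*.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(cert: Cert, hostname: str) -> bool:
    """Clients consult only the SAN extension when it is present; the CN is a
    fallback for legacy certificates that carry no SAN at all."""
    names = cert.san_dns or [cert.common_name]
    return any(dns_name_matches(n, hostname) for n in names)


# The question's 'working' setup: the cert names only the shared host.
SHARED_ONLY = Cert("shared.server.tld", ["shared.server.tld"])
# What the answer recommends: one cert whose SAN lists every name clients use.
MULTI_HOST = Cert("shared.server.tld",
                  ["shared.server.tld", "mail.example.com", "autodiscover.example.com"])


def verdicts(cert: Cert, hostnames) -> dict:
    """Map each hostname a client might be configured with to OK / MISMATCH."""
    return {h: ("OK" if cert_covers_host(cert, h) else "MISMATCH") for h in hostnames}


if __name__ == "__main__":
    for label, cert in (("shared-only cert", SHARED_ONLY), ("multi-host cert", MULTI_HOST)):
        print(label, verdicts(cert, ["shared.server.tld", "mail.example.com"]))
```

Note that a certificate whose SAN lists only shared.server.tld is rejected for mail.example.com even if its CN were mail.example.com, since the CN is ignored once a SAN extension is present.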
Better, just get a cert from Let's Encrypt with whatever domains and subdomains you need (including mail.whatever, and autodiscover.whatever though it's not mandatory). You'll have to renew every 90 days but it's free, and it's better security to renew more often anyway, since you get a fresh cert. There are ways of renewing automagically as well, so depending on your setup and needs it might be worth it.