1468 Views, 25 Helpful, 3 Replies

Enable TLS certificate for outbound emails in ESA

mithu
Level 1
The environment has two A records, which are abc.com and xyz.com. In the primary site they have two ESA appliances and the DR site has a single ESA appliance. For mail delivery they configured the MX records as below:

    mx1.abc.com    - Primary
    mx2.abc.com    - Primary
    mx3.abc.com    - DR

    mx1.xyz.com    - Primary
    mx2.xyz.com    - Primary
    mx3.xyz.com    - DR

If I need to enable TLS encryption for outbound email, do I need to purchase multiple certificates from a third-party certificate authority? Or please assist me with the high-level concept and the steps.


3 Replies

Ok... to be clear... MX records look like this:
abc.com. 21600 IN MX 10 mx1.abc.com
abc.com. 21600 IN MX 10 mx2.abc.com
abc.com. 21600 IN MX 10 mx3.abc.com
And then the A records should look like this:
mx1.abc.com. 21600 IN A 10.10.10.1
mx2.abc.com. 21600 IN A 10.10.10.2
mx3.abc.com. 21600 IN A 10.30.10.1

You want the certificate to match the A records... so with the 2 domain names, you either need a UCC/SAN cert with the 6 names in it, or 2 wildcard certs, one for abc.com and one for xyz.com.

mithu
Level 1

Yes, you are right, the MX records are configured the same as you mentioned. First of all I want to know why we need a certificate for one domain: is the certificate bound to the IP or to the A record? Because there is a single A record but three IPs (two devices in cluster setup).

Accepted Solution

The cert needs to match the name in the A records, not the IP.

So either 1 cert that has all of the names in it.
Or 2 wildcard certs, one for abc.com and one for xyz.com.
Or 6 certs, one for each box.

Think of these like web servers, cert needs to match the name that a user puts in the browser. Same concept.
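The three options in the accepted answer (one SAN cert with all six names, two wildcard certs, or six per-host certs) can be checked mechanically before buying anything. The script below is an added example, not code from the thread or from Cisco ESA: it takes the six MX target hostnames from the thread (and the sample IPs from the first reply) and reports which hosts each certificate strategy leaves uncovered, using simplified RFC 6125 name matching (case-insensitive, a wildcard only as the whole leftmost label, matching exactly one label). It also shows the mistake the answer warns against: a certificate that names the bare domains or the IP address matches none of the MX hosts. The `Cert` class and the matching rules are this example's own assumptions, not ESA's validation code.

```python
"""Check which MX target hostnames a set of TLS certificates would cover.

Added example: the certificate is matched against the hostname the peer
connects to (the MX target / A-record name), never against the IP address.
"""
from dataclasses import dataclass

# Constructed sample data: hostnames from the thread, IPs from the first reply.
MX_TARGETS = {
    "mx1.abc.com": "10.10.10.1",
    "mx2.abc.com": "10.10.10.2",
    "mx3.abc.com": "10.30.10.1",  # DR site
    "mx1.xyz.com": "10.10.10.1",
    "mx2.xyz.com": "10.10.10.2",
    "mx3.xyz.com": "10.30.10.1",  # DR site
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 matching (assumption, not ESA's own logic):
    case-insensitive; a wildcard is allowed only as the entire leftmost
    label and matches exactly one label; '*.com'-style patterns are refused."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # plain name: exact match only
    if "*" in pattern[2:]:
        return False                        # only one leading wildcard label
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3:
        return False                        # refuse over-broad wildcards
    # Same label count, and every label after the wildcard must agree.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


@dataclass
class Cert:
    """A certificate reduced to its label and its DNS subject alternative names."""
    label: str
    names: list

    def covers(self, hostname: str) -> bool:
        return any(hostname_matches(n, hostname) for n in self.names)


def coverage(certs, hosts):
    """Map each host to the label of the first cert covering it, or None."""
    return {h: next((c.label for c in certs if c.covers(h)), None) for h in hosts}


def uncovered(certs, hosts):
    """Hosts for which no certificate in `certs` would match."""
    return sorted(h for h, label in coverage(certs, hosts).items() if label is None)


# The three strategies named in the accepted answer.
SAN_CERT = [Cert("ucc-san", list(MX_TARGETS))]
WILDCARD_CERTS = [Cert("wild-abc", ["*.abc.com"]), Cert("wild-xyz", ["*.xyz.com"])]
PER_HOST_CERTS = [Cert(h, [h]) for h in MX_TARGETS]
# The mistake the answer warns against: naming the bare domains or an IP.
WRONG_CERT = [Cert("bare-domains", ["abc.com", "xyz.com", "10.10.10.1"])]

if __name__ == "__main__":
    for name, certs in [("SAN", SAN_CERT), ("wildcard", WILDCARD_CERTS),
                        ("per-host", PER_HOST_CERTS), ("bare/IP", WRONG_CERT)]:
        print(f"{name:9s} uncovered: {uncovered(certs, MX_TARGETS) or 'none'}")
```

Running the script prints `none` for the three strategies from the answer and lists all six MX hosts for the bare-domain/IP certificate, which is exactly the "cert must match the A-record name, not the IP" point. The wildcard rule also explains why `*.abc.com` would not cover a deeper name such as `smtp.site2.abc.com` if one were ever added.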