Messaging Gateway

Is there a way to request a SAN certificate for Brightmail?

    Posted Jul 23, 2014 09:35 AM

    Hi all.

    A big client of ours insists on using TLS-enforce-and-verify with us.

    We have 4 Brightmail scanner appliances, and each appliance has its own cert, based on the physical appliance name.

    However, when the client tries to verify our certs, they are keying in on our MX records, which don't match our physical appliance names. And I don't want our MX records to match the physical appliance names. Besides, because each appliance has two IPs (inbound and outbound), we have two MXes per appliance: for example, mail1a.xxxxx.com (10) and mail1b.xxxxx.com (100). Our firewall doesn't allow inbound port 25 to mail1b.xxxxx.com.

    Why did we do that? Because when we send outbound mail, some companies check reverse MX records as a part of their antispam effort.

    But now, with this client who wants to verify our TLS certs, they are insisting on verifying the MX names (mail1a.xxxxx.com and mail1b.xxxxx.com, etc.), which are not listed on our certs.

    The easiest answer would be for us to generate new certs with SANs (MXes listed as SANs), but I don't see this option in the Administration/Certificates/Add page.

    Is there any workaround for this?
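
Added example, not part of the original post and not Symantec code: the kind of name check a verifying sender applies, comparing MX hostnames against the names a certificate presents. Certificates are given in the dict layout of Python's `ssl.SSLSocket.getpeercert()`; the `example.com` hostnames, the function names, and the CN fallback when no SAN is present are assumptions for illustration.

```python
# Added example: which MX hostnames would a given certificate verify for?
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().
# All hostnames are constructed placeholders, not values from the post.

def name_matches(pattern, host):
    """Compare one presented name with a hostname, case-insensitively."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # A wildcard covers exactly one left-most label (*.example.com).
    rest = h.split(".", 1)
    return len(rest) == 2 and rest[0] != "" and rest[1] == p[2:]

def presented_names(cert):
    """DNS SANs if any exist; otherwise the subject CN.

    Assumption: the verifier falls back to CN. Stricter verifiers ignore
    the CN entirely and accept SAN entries only.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def uncovered(cert, mx_hosts):
    """Return the MX hostnames this certificate does not cover."""
    names = presented_names(cert)
    return [mx for mx in mx_hosts
            if not any(name_matches(n, mx) for n in names)]

# Constructed sample data: two MX names for one appliance.
MX_HOSTS = ["mail1a.example.com", "mail1b.example.com"]

# Certificate issued for the physical appliance name only.
APPLIANCE_CERT = {"subject": ((("commonName", "scanner1.example.com"),),)}

# Certificate that lists the MX names as SANs.
SAN_CERT = {
    "subject": ((("commonName", "scanner1.example.com"),),),
    "subjectAltName": (("DNS", "scanner1.example.com"),
                       ("DNS", "mail1a.example.com"),
                       ("DNS", "mail1b.example.com")),
}

if __name__ == "__main__":
    print("appliance-name cert misses:", uncovered(APPLIANCE_CERT, MX_HOSTS))
    print("SAN cert misses:", uncovered(SAN_CERT, MX_HOSTS))
```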