Messaging Gateway

  • 1.  TLS and HELO

    Posted May 22, 2009 04:59 PM
    Hi all.

    We have four Brightmail gateway appliances. Their physical host names are not published in external DNS. The MX records use DNS aliases that point to these gateways and are different from their actual physical host names.

    Now first problem - some companies were not able to receive mail from us because the physical host names (advertised by the HELO banner) did not match the externally published DNS aliases.

    So I went to the SMTP configuration, Advanced settings for each gateway and changed the MTA name field to show the externally published DNS alias. This effectively changed the HELO banner.

    Great.

    But now second problem. This change broke our TLS. This is because our TLS certs are generated based on the physical names of the gateway hosts.

    Is there a way to have both - working TLS and a HELO banner that other companies will like?
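
The name mismatch described in the post can be checked offline. The following is an added example, not part of the original post and not Brightmail code: it reports which of a gateway's names a certificate covers, using RFC 6125 style matching. The host names and certificate contents are constructed placeholders, and the certificate dicts use the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: all host names and certificate data below are constructed.

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host name (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    # A wildcard is honoured only as the entire left-most label,
    # and never directly under a top-level label ("*.com").
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_dns_names(cert: dict) -> list:
    """Names a verifier compares against: SAN DNS entries, with the legacy
    fallback to the subject CN only when no SAN DNS entry is present."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def coverage(cert: dict, names: list) -> dict:
    """Map each name the gateway is known by to whether the cert covers it."""
    presented = cert_dns_names(cert)
    return {n: any(name_matches(p, n) for p in presented) for n in names}


PHYSICAL = "gw01.internal.example"   # hypothetical physical host name
ALIAS = "mx1.example.com"            # hypothetical published alias / HELO name

# Certificate issued for the physical name only (the situation in the post).
CERT_PHYSICAL_ONLY = {"subject": ((("commonName", PHYSICAL),),)}
# Certificate carrying both names as subjectAltName entries.
CERT_BOTH = {
    "subject": ((("commonName", PHYSICAL),),),
    "subjectAltName": (("DNS", PHYSICAL), ("DNS", ALIAS)),
}

if __name__ == "__main__":
    for label, cert in (("physical-only", CERT_PHYSICAL_ONLY),
                        ("both names", CERT_BOTH)):
        print(label, coverage(cert, [PHYSICAL, ALIAS]))
```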