Does an MX server require a matching SSL certificate?
I have deployed the correct certificates for the IMAP/SMTP servers of the email service.
But the MX server is hosted on another platform, which doesn't have a valid certificate for the MX domain.
Does this matter? The answer is NO.
One of the Postfix developers says:
Unless you're doing DANE or its runt sibling MTA-STS any certificate
will do, senders will generally ignore its content. A small number
of sending systems implement unauthenticated opportunistic TLS badly,
and abort TLS handshakes when the certificate name does not match the
MX hostname. They typically then fall back to clear text.
Bottom line, a matching name in the certificate is desirable, but
And another email geek says:
MTAs generally don't
care if the MX domain doesn't match the certificate on
port 25. But MUAs generally do care if the hostname
they are configured to connect to doesn't match the
certificate on whatever ports they connect to: e.g.,
465/587/993/995. At least, I've seen that with
So the MX server on port 25 doesn't require a matching SSL certificate, though one is desirable.
But the servers that clients such as Thunderbird connect to should have correct, matching SSL certificates.
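
As an added example (not from the original post or from the people quoted), this Python script applies the rule above to a constructed list of endpoints: a name mismatch on port 25 is only a warning unless the domain enforces MTA-STS, while a mismatch on a client-facing port is a failure. The hostnames, the `audit` and `name_matches` helpers and the `mta_sts_enforced` flag are assumptions made for illustration; DANE is not modelled because it validates against TLSA records rather than names alone.

```python
# Added example with constructed data; all hostnames are hypothetical.

def name_matches(hostname, san):
    """RFC 6125-style match: exact, or '*' as the whole left-most label."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        # A wildcard covers exactly one label:
        # *.example.com matches a.example.com but not a.b.example.com
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return host == san


def audit(endpoints, mta_sts_enforced=False):
    """Return (host, port, verdict) for each endpoint.

    endpoints: iterable of (hostname, port, [dNSName SANs in the served cert]).
    """
    results = []
    for host, port, sans in endpoints:
        if any(name_matches(host, s) for s in sans):
            verdict = "ok"
        elif port == 25:
            # Opportunistic TLS: senders generally ignore the name.
            # With MTA-STS enforced, senders must validate the MX name.
            verdict = "fail" if mta_sts_enforced else "warn"
        else:
            # 465/587/993/995: MUAs check the hostname they are configured with.
            verdict = "fail"
        results.append((host, port, verdict))
    return results


# Constructed sample: the MX sits on a third-party platform with its own cert.
SAMPLE = [
    ("mx.example.com", 25, ["hosting-platform.example.net"]),
    ("mail.example.com", 587, ["mail.example.com"]),
    ("imap.example.com", 993, ["*.example.com"]),
    ("imap.example.com", 995, ["mail.example.com"]),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```
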