[Dovecot] Multiple certificates

Steffen Kaiser skdovecot at smail.inf.fh-bonn-rhein-sieg.de
Mon Oct 30 10:49:33 UTC 2006



On Mon, 30 Oct 2006, Phill Edwards wrote:

>> > Login failure: Certificate failure for XXX.homelinux.com: self signed
>> > certificate: /C=AU/ST=NSW/L=Sydney/O=Edwards/OU=IMAP
>> > server/CN=imap.edwards.home/emailAddress=philledwards at gmail.com
>> 
>> Which side gives you this error? Dovecot or xs2mail.com?
>
> xs2mail
>
>> IMHO: The error looks like the "self signed" part is the problem. You
>> probably need to store the public certificate on xs2mail.com, in order the
>> server can validate it.
>> Do you use the _same_ certificate with Dovecot as with UW-Imap? This
>> should give you the same situation as before.
>
> Not the same cert, but the Dovecot one was generated in the same way
> as the UW-imap one.

So, I'd recommend trying the _same_ one.
Did you store the old certificate on xs2mail?

>> > <snip>
>> > 1.0-tests support "virtual servers", where this is possible:
>> >
>> > server foo {
>> > listen = 1.2.3.4
>> > ssl_cert_file = /etc/ssl/certs/foo.cer
>> > }
>> >
>> > server bar {
>> > listen = 1.2.3.5
>> > ssl_cert_file = /etc/ssl/certs/bar.cer
>> > }
>> > </snip>
>> >
>> > Can anyone help me figure this out?
>> 
>> Give your server two IP addresses, then bind a Dovecot with certificate
>> foo.cer on one address, and a Dovecot with bar.cer on the other one.
>
> This could be good as it already has 2 addresses - a private
> 192.168.x.x address and a public IP address from the cable ISP. So do
> I just put the lines above (with the correct addresses) into
> /etc/dovecot.conf?

You will then have one certificate applied to the external IP and the 
other one to the internal one. This is not what you want, I guess. The 
certificates apply to one particular interface; they are not shared.

I mean, you don't need a certificate on the internal LAN, do you?

When you need to access your IMAP host from outside your LAN with two 
different names protected by certificate, you need two different official 
(non-private) IP addresses, because you can only bind one certificate to 
one interface with SSL.

Bye,

-- 
Steffen Kaiser
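To confirm which certificate each listening address actually presents, and whether it is self-signed or carries a CN other than the name the remote side connects with (the two things visible in the error quoted at the top of this thread), here is an added Python helper that is not part of the thread or of Dovecot; it assumes OpenSSL's `openssl s_client` is on PATH, and the sample output embedded below is constructed only to exercise the parser offline.

```python
"""Report what an IMAPS listener presents on a given address.

Added example, not from the mailing-list thread.  Assumes
``openssl s_client`` is installed; the DN layout mirrors the
self-signed certificate quoted in the thread's error message.
"""
import re
import subprocess
from typing import Dict

# Constructed sample of ``openssl s_client`` output for a self-signed
# certificate whose CN differs from the name the client used.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=0 C = AU, ST = NSW, L = Sydney, O = Edwards, OU = IMAP server, CN = imap.edwards.home
verify error:num=18:self signed certificate
---
subject=C = AU, ST = NSW, L = Sydney, O = Edwards, OU = IMAP server, CN = imap.edwards.home
issuer=C = AU, ST = NSW, L = Sydney, O = Edwards, OU = IMAP server, CN = imap.edwards.home
---
"""


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'C = AU, ST = NSW, ...' or '/C=AU/ST=NSW/...' into a dict."""
    out: Dict[str, str] = {}
    for part in re.split(r"\s*,\s*|/", dn.strip()):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def assess(output: str, expected_name: str) -> Dict[str, object]:
    """Extract subject/issuer from s_client output and judge the cert."""
    subject = issuer = ""
    for line in output.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):]
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):]
    subj, iss = parse_dn(subject), parse_dn(issuer)
    cn = subj.get("CN", "")
    return {
        "cn": cn,
        "self_signed": bool(subj) and subj == iss,   # issuer == subject
        "name_matches": cn.lower() == expected_name.lower(),
    }


def probe(address: str, port: int = 993, expected_name: str = "") -> Dict[str, object]:
    """Connect to one address:port and report the presented certificate."""
    cmd = ["openssl", "s_client", "-connect", f"{address}:{port}"]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=15)
    return assess(proc.stdout, expected_name or address)
```

Run `probe("1.2.3.4", expected_name="foo.example")` once per address from the thread's virtual-server layout to see which certificate each interface really serves.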
