[Dovecot] virtual domains and SSL certificates
John Simpson
jms1 at jms1.net
Thu Aug 7 19:31:25 EEST 2008
On 2008-08-07, at 1143, Kacper Wysocki wrote:
>
> The problem is that the configuration file specifies only one
> certificate file for dovecot, which means only one Common Name, which
> means one cannot provide one server cert that will match mail.foo.com
> AND mail.bar.com, and either mary at foo.com or bob at bar.com will get a
> "Security Error: Domain Name Mismatch" in their mail client when
> connecting through IMAPS.
>
> How can I avoid this domain name mismatch error?
If you're using normal SSL (usually on port 993), each IP:PORT combination on the server can only have one SSL certificate. This is because the SSL negotiations happen before the internal protocol (in this case, IMAP) ever starts. The SSL protocol does not provide any way for the client to tell the server which hostname they're trying to connect to; the only thing the server knows is what IP and port the client connected to.

If you're using STARTTLS, the connection starts as normal, but instead of sending login credentials, the client sends a "STARTTLS" command of some kind, the server says OK, and then starts SSL negotiations within the existing socket. In that kind of scenario it's theoretically possible for the client to tell the server which hostname it wants (so the server can select the appropriate certificate); however, I don't think the IMAP protocol has that capability.

This is the same kind of issue people run into with other SSL-encrypted services, such as SMTP-SSL or HTTPS. The problem is that when the SSL protocol was designed, they didn't think about a server having a need for multiple certificates, and there are too many existing SSL implementations in use right now to think realistically about changing the protocol at such a basic level.

It might be possible to construct a special certificate with multiple CN= fields, or with multiple "alternate name" fields (I forget the X.509 key for this field); however, these are non-standard, and there's no guarantee that all clients will honour, or even understand, such certificates.

What I do on my own server is just tell all of my clients that they must use the name "secure.jms1.net" as their IMAP-SSL and SMTP-SSL server names. It doesn't affect the appearance of their outgoing mail at all (other than the "Received" headers, which would happen anyway).
--------------------------------------------------------
| John M. Simpson -- KG4ZOW -- Programmer At Large |
| http://www.jms1.net/ <jms1 at jms1.net> |
--------------------------------------------------------
| Hope for America -- http://www.ronpaul2008.com/ |
--------------------------------------------------------
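As an added illustration of the thread's point (not code from the post or from Dovecot), the following models the hostname check a mail client performs against the server certificate: with one Common Name only one of the two virtual domains can ever match, while a certificate carrying several subjectAltName DNS entries satisfies both. The certificate dicts are constructed samples in the shape Python's `ssl.getpeercert()` returns; the wildcard and SAN-over-CN rules are assumptions modelled on common client behaviour.

```python
# Added example (not from the mailing-list post): the name check a mail
# client performs against a server certificate, showing why a single-CN
# certificate yields "Domain Name Mismatch" for one of two virtual domains
# and why a certificate with several subjectAltName DNS entries does not.
# Certificates are modelled as the dict shape returned by ssl.getpeercert().

def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname (case-insensitive).
    A leading '*.' wildcard covers exactly one left-most DNS label, e.g.
    '*.foo.com' matches 'mail.foo.com' but not 'foo.com' or 'a.b.foo.com'."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    return (len(plabels) == len(hlabels)
            and plabels[1:] == hlabels[1:]
            and hlabels[0] != "")

def names_in_cert(cert: dict) -> list:
    """Names a client will accept: subjectAltName DNS entries if any exist,
    otherwise (legacy fallback) the subject Common Name."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if a client connecting to `hostname` would accept this cert."""
    return any(_name_matches(n, hostname) for n in names_in_cert(cert))

def mismatching_hosts(cert: dict, hostnames) -> list:
    """Hostnames that would raise a 'Domain Name Mismatch' for this cert."""
    return [h for h in hostnames if not hostname_matches(cert, h)]

# Constructed sample certificates (no real keys; ssl.getpeercert() shape).
SINGLE_CN_CERT = {"subject": ((("commonName", "mail.foo.com"),),)}
SAN_CERT = {
    "subject": ((("commonName", "mail.foo.com"),),),
    "subjectAltName": (("DNS", "mail.foo.com"), ("DNS", "mail.bar.com")),
}

if __name__ == "__main__":
    hosts = ["mail.foo.com", "mail.bar.com"]
    print("single-CN cert mismatches:", mismatching_hosts(SINGLE_CN_CERT, hosts))
    print("SAN cert mismatches:", mismatching_hosts(SAN_CERT, hosts))
```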