[Dovecot] Two server certificates for two common names
Δημήτριος Καραπιπέρης
dimkar at thessaloniki.gr
Wed Aug 26 22:13:31 EEST 2009
Basically, server is not expecting any kind of domain on ssl handshake,
but what if the server can serve more than one cert, so that clients
using mail1.dom.gr and mail2.dom.gr , which resolve to the same dovecot
instance but from different network segments
could be certified.
mail1.dom.gr -> 10.65.0.45 (private one)
mail2.dom.gr -> 84.205.252.78
(random numbers)
In essence, it is the same dovecot instance.
Dimitrios
O/H Ed W έγραψε:
> Δημήτριος Καραπιπέρης wrote:
>> So ,
>> on one dovecot instance, it is impossible to have two ssl
>> certificates for two distinct common names.
>> right?
>>
>
> You are kind of asking two questions here:
>
> 1) SSL as it stands maps one IP address to one certificate. The basic
> issue is that, bar a few exceptions, there is no clear way to connect
> to an IP address and say what "domain" you are expecting to see on the
> other end, hence allowing the other end to present the domain specific
> cert. This is currently not fixable, but you can work around it by
> getting one cert with all your CNs on it (see Subject Alt Name)
>
> 2) Does Dovecot support running on 2 ips with different certs on each
> IP? I think the answer is currently no? You could run two dovecot
> instances though... I believe this is on the todo list for a later
> version, but as yet not that high up the priority list? (Timo?) So
> this bit is fixable in various ways
>
> Does that help?
>
> Ed W
>
More information about the dovecot
mailing list