[Dovecot] Enforcing TLS

Stewart Dean sdean at bard.edu
Fri Jan 9 16:25:46 EET 2009


Dunno if I'm talking about the right thing or if this would help, but...

we have gone over to a single wildcard certificate for everything in the 
*.bard.edu domain (from Digicert)...this costs $495 for a single year, 
less for multiple years.

Then everything coming at a machine of the format <somename>.bard.edu 
comes up valid. If the hostname is of the format 
<somename1>.<somename2>.bard.edu (or 
<somename1>.<somename2>...<somenameN>.bard.edu), then you have to 
explicitly list it when submitting the CSR, but you can list up to 10 host 
names for the certificate you generate for that machine when submitting 
the CSR...

Jan-Frode Myklebust wrote:
> On 2009-01-06, Timo Sirainen <tss at iki.fi> wrote:
>
> We're afraid that if we enable STARTTLS, many of our existing clients will
> automatically try using SSL towards the wrong name, and get ugly SSL warnings
> about certificate mismatch.
>
>
>   -jf
>   


-- 
==== Once upon a time, the Internet was a friendly, 
neighbors-helping-neighbors small town, and no one locked their doors. 
Now it's like an apartment in Bed-Stuy: you need three heavy duty 
pick-proof locks, one of those braces that goes from the lock to the 
floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin, 
Bard College, New York 12504 sdean at bard.edu voice: 845-758-7475, fax: 
845-758-7035
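The wildcard coverage rule described in the post above (a wildcard covers one label only, so deeper names such as <somename1>.<somename2>.bard.edu must be listed explicitly), as an added Python example that is not part of the original message or of Dovecot; the certificate name list is constructed for illustration and the matching follows the single-label rule of RFC 6125 section 6.4.3.

```python
"""Check which host names a certificate's name list actually covers.

Added example, not code from the mailing-list post. "*.bard.edu" matches
"mail.bard.edu" but not "imap.mail.bard.edu"; the deeper name only passes
when it was listed as an explicit subjectAltName entry in the CSR.
"""
from typing import List, Optional


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # Only a whole-label "*" is honoured; a partial wildcard such as
    # "ma*.bard.edu" is treated as a literal label and therefore fails.
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (CN or dNSName SAN) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # One pattern label per host label: a wildcard never spans two labels.
    if len(p_labels) != len(h_labels):
        return False
    if "*" in p_labels:
        # Wildcard only in the leftmost label, and never "*.edu"-style.
        if p_labels[0] != "*" or "*" in p_labels[1:] or len(p_labels) < 3:
            return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def covered_by(cert_names: List[str], hostname: str) -> Optional[str]:
    """Return the first certificate name covering hostname, or None."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


# Constructed name list: the wildcard plus two explicitly listed deeper names.
CERT_NAMES = ["*.bard.edu", "imap.mail.bard.edu", "smtp.mail.bard.edu"]

if __name__ == "__main__":
    for host in ["imap.bard.edu", "imap.mail.bard.edu",
                 "pop.mail.bard.edu", "bard.edu"]:
        print(f"{host:22} -> {covered_by(CERT_NAMES, host)}")
```

A client that connects to a name not returned by covered_by is exactly the case that produces the certificate-mismatch warning discussed in the quoted reply.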

