[Dovecot] Enforcing TLS
Stewart Dean
sdean at bard.edu
Fri Jan 9 16:25:46 EET 2009
Dunno if I'm talking about the right thing or if this would help, but...
we have gone over to a single wildcard certificate for everything in the
*.bard.edu domain (from Digicert)...this costs $495 for a single year,
less for multiple years.
Then everything coming at a machine of the format: <somename>.bard.edu
comes up valid. If the hostname is of the format
<somename1>.<somename2>.bard.edu (or
<somename1>.<somename2>...<somenameN>.bard.edu), then you have to
explicitly list it when submitting the CSR, but you can list up to 10 host
names for the certificate you generate for that machine when submitting
the CSR........
Jan-Frode Myklebust wrote:
> On 2009-01-06, Timo Sirainen <tss at iki.fi> wrote:
>
> We're afraid that if we enable STARTTLS, many of our existing clients will
> automatically try using SSL towards the wrong name, and get ugly SSL warnings
> about certificate mismatch.
>
>
> -jf
>
--
==== Once upon a time, the Internet was a friendly,
neighbors-helping-neighbors small town, and no one locked their doors.
Now it's like an apartment in Bed-Stuy: you need three heavy duty
pick-proof locks, one of those braces that goes from the lock to the
floor, and bars on the windows.... ==== Stewart Dean, Unix System Admin,
Bard College, New York 12504 sdean at bard.edu voice: 845-758-7475, fax:
845-758-7035
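
The wildcard behaviour described in the message above, as an added example that is not part of the original post: a wildcard name covers exactly one leftmost label, so deeper host names (and the bare domain) have to be listed explicitly in the CSR. The host names `mail.bard.edu` and `imap.cs.bard.edu` are constructed for illustration, and the function names are hypothetical.

```python
def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """True if one certificate name (exact or '*.' wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False  # different depth, or an empty label in the host name
    if p[0] == "*":
        # The wildcard stands for exactly one leftmost label. Requiring a
        # parent of at least two labels (rejecting "*.edu") is a conservative
        # choice made for this example.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as "f*.example" are not supported here and
    # are treated as literal names.
    return p == h


def cert_covers(san_list, hostname):
    """True if any name in the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in san_list)


def names_to_list_in_csr(wildcard, hostnames):
    """Host names the wildcard does not cover; these need explicit entries."""
    return sorted({h.lower() for h in hostnames if not san_matches(wildcard, h)})


if __name__ == "__main__":
    # Constructed list of names that clients might use to reach one mail server.
    served = ["mail.bard.edu", "imap.cs.bard.edu", "bard.edu"]
    extra = names_to_list_in_csr("*.bard.edu", served)
    print("needs explicit listing:", extra)
    sans = ["*.bard.edu"] + extra
    for name in served:
        print(name, "->", "ok" if cert_covers(sans, name) else "mismatch warning")
```

Running the matcher over every name that clients are actually configured with, before enabling STARTTLS, shows which of them would produce the certificate mismatch warnings mentioned in the quoted message.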