[Dovecot] Dovecot SSL limitations
Thomas Hummel
hummel at pasteur.fr
Mon Nov 30 17:34:24 EET 2009
Hello Timo,
I'd like to check if my understanding of dovecot-1.2.x's SSL certificate
handling is correct :
SSL does not provide the server any mechanism to choose which certificate
it must send relatively to the name the client is using. Thus, if you want to
use different certificates, you have to listen to different addresses. This is
an SSL limitation, not a dovecot nor IMAP limitation.
This is the reason why it's possible to use different certificates for IMAP
and POP3. But it seems to work only with those two :
As a matter of fact, even if you listen to different addresses, how would
you tell dovecot to send this certificate for this address and that certificate
for that address, since there is no IP dependent section (as in apache IP-based
virtual host for instance) ? It seems the only way would be to have more than
one instance of dovecot (several dovecot with different config files).
The problem is that some clients may be configured with mail.my.domain, some
others with imap.my.domain, ...etc... Hence the need to have different
certificates with those different names as cn.
--
Thomas Hummel | Institut Pasteur
<hummel at pasteur.fr> | Pôle informatique - systèmes et réseau
More information about the dovecot
mailing list