[Dovecot] Dovecot SSL limitations
Jose Celestino
japc at co.sapo.pt
Mon Nov 30 17:50:00 EET 2009
On Seg, 2009-11-30 at 16:34 +0100, Thomas Hummel wrote:
> Hello Timo,
>
> I'd like to check if my understanding of dovecot-1.2.x's SSL certificate
> handling is correct :
>
> SSL does not provide the server any mechanism to choose which certificate
> it must send relative to the name the client is using. Thus, if you want to
> use different certificates, you have to listen on different addresses. This is
> an SSL limitation, not a dovecot nor IMAP limitation.
>
> This is the reason why it's possible to use different certificates for IMAP
> and POP3. But it seems to work only with those two :
>
> As a matter of fact, even if you listen on different addresses, how would
> you tell dovecot to send this certificate for this address and that certificate
> for that address, since there is no IP dependent section (as in apache IP-based
> virtual host for instance) ? It seems the only way would be to have more than
> one instance of dovecot (several dovecot with different config files).
>
> The problem is that some clients may be configured with mail.my.domain, some
> others with imap.my.domain, ...etc... Hence the need to have different
> certificates with those different names as cn.
>
The client compares the CN of the certificate with the hostname it has
configured and warns on a mismatch. What you can do is have a
multiple-subject certificate, that is, a certificate again with a single CN but
with multiple subject alternative names that should cover all the names that
server may have. The client should support that kind of certificate, of
course.
-- Jose Celestino SAPO.pt::Systems http://www.sapo.pt
--------------------------------------------------------------------- *
Progress (n.): The process through which Usenet has evolved from smart
people in front of dumb terminals to dumb people in front of smart
terminals.
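The single certificate with several subject alternative names that the reply suggests, as an added example that is not part of the original message or of Dovecot. It builds two self-signed certificates with Go's standard library: one that carries only a CN (the situation the question starts from) and one whose subjectAltName extension lists every name the server answers to, then asks the client-side hostname matcher which names each certificate is accepted for. The hostnames mail.my.domain, imap.my.domain and pop.my.domain are taken from the thread; smtp.my.domain is an assumed name that is deliberately left out of the SAN list. Go's matcher, like current mail clients and browsers, matches only the SAN list, so the CN alone does not cover the other names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Names clients may have configured for this server (from the thread;
// the list is constructed for this example).
var serverNames = []string{"mail.my.domain", "imap.my.domain", "pop.my.domain"}

// makeCert builds a self-signed server certificate with the given CN and
// subjectAltName DNS entries (an empty list means no SAN extension at all).
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // becomes the subjectAltName extension
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Template is its own parent, so the result is self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CNOnlyCert is the certificate the question describes: one CN, no SANs.
func CNOnlyCert() (*x509.Certificate, error) {
	return makeCert("mail.my.domain", nil)
}

// SANCert is the certificate the reply suggests: one CN plus a SAN entry
// for every name clients might use.
func SANCert() (*x509.Certificate, error) {
	return makeCert("mail.my.domain", serverNames)
}

// Accepts reports, for each configured client hostname, whether the
// client-side name check would accept cert for it.
func Accepts(cert *x509.Certificate, names []string) map[string]bool {
	out := make(map[string]bool, len(names))
	for _, n := range names {
		out[n] = cert.VerifyHostname(n) == nil
	}
	return out
}

func main() {
	// smtp.my.domain is an assumed name that is not in the SAN list,
	// so it must be rejected even by the multi-name certificate.
	probe := append(append([]string{}, serverNames...), "smtp.my.domain")
	for label, build := range map[string]func() (*x509.Certificate, error){
		"CN only": CNOnlyCert,
		"CN+SAN ": SANCert,
	} {
		cert, err := build()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: SANs=%v\n", label, cert.DNSNames)
		for _, n := range probe {
			fmt.Printf("  %-16s accepted=%v\n", n, Accepts(cert, []string{n})[n])
		}
	}
}
```

With the OpenSSL tools a Dovecot admin would use instead, the same certificate comes from adding a `subjectAltName = DNS:mail.my.domain,DNS:imap.my.domain,DNS:pop.my.domain` line to the extension section used by `openssl req -x509`, and the per-name check above corresponds to `openssl x509 -noout -in cert.pem -checkhost imap.my.domain`.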