[Dovecot] Dovecot SSL limitations

AllenJB dovecot at allenjb.me.uk
Mon Nov 30 23:32:24 EET 2009


Thomas Hummel wrote:
> Hello Timo,
> 
> I'd like to check if my understanding of dovecot-1.2.x's SSL certificate
> handling is correct :
> 
>     SSL does not provide the server any mechanism to choose which certificate
>     it must send relatively to the name the client is using. Thus, if you want to
>     use different certificates, you have to listen to different addresses. This is
>     an SSL limitation, not a dovecot nor IMAP limitation.
> 
>     This is the reason why it's possible to use different certificates for IMAP
>     and POP3.  But it seems to work only with those two :
> 
>     As a matter of fact, even if you listen to different addresses, how would
>     you tell dovecot to send this certificate for this address and that certificate
>     for that address, since there is no IP dependent section (as in apache IP-based
>     virtual host for instance) ? It seems the only way would be to have more than
>     one instance of dovecot (several dovecot with different config files).
> 
> The problem is that some clients may be configured with mail.my.domain, some
> others with imap.my.domain, ...etc... Hence the need to have different
> certificates with those different names as cn.
> 

Possibly off-topic from what the OP wants, but couldn't TLS Server Name
Indication (SNI) be used to overcome the single server certificate
limitation?

AllenJB


More information about the dovecot mailing list