[Dovecot] Different IPs should use different ssl-certs/keys
Mark Moseley
moseleymark at gmail.com
Mon Aug 30 19:49:26 EEST 2010
On Sun, Aug 29, 2010 at 3:07 PM, Peer Heinlein
<p.heinlein+dovecot at heinlein-support.de> wrote:
>
> I don't understand how to use multiple keys/certs on different IPs
> without SNI.
>
> http://wiki2.dovecot.org/SSL/DovecotConfiguration explains how to use
> different keys for different protocols like POP3 and IMAP.
>
> But how to bind those keys/ on IPs/Ports?
>
> Looks like it is not possible to use ssl_cert inside
>
> service { inet_listener {} }
>
>
> Is it still necessary to run multiple instances like it was in Dovecot
> 1.2.x?
After the initial ssl stuff (ssl=yes, etc), you just need a number of
'local' stanzas, each looking like:
local <ip address> {
ssl_cert = </path/to/ssl.certificate
ssl_key = </path/to/ssl..key
ssl_key_password = </path/to/ssl.key.password # Optional, only
needed if key is encrypted
}
one after another. I haven't tried doing it with different ports
though; I just use iptables to DNAT ports to different private IPs.
And IIRC you still need a top-level "default" ssl_key and ssl_cert as
well, or it'll complain.
More information about the dovecot
mailing list