Ben wrote:
> My (also limited, but growing) understanding of a server cert is that you can bind it either to an IP address or to a FQDN. I could just bind it to the IP address, and as long as I only used a single IP address for my imap server (likely) then I'd be okay... EXCEPT that I'm cheap, and plan to self-sign the CA for all my domains.

What does that have to do with it? You can still self-sign the cert using just the IP as the CN.

> That's not so much a problem for my users, so long as they see that the cert for mail.foo.com was signed by the foo.com CA.

But that's just it - if you bind the cert to the IP, they won't see 'mail.foo.com', they'll see the IP address - and they will have to use the IP address for their 'Incoming Mail Server' setting in their MUA as well.

> But because I'll have one CA for each domain, I'll again need multiple certs. Which implies that dovecot needs some way to choose which one to use, for each login.

If you want your users to actually see the cert for mail.foo.com is from foo.com CA, then I think your only option is to bind multiple IP addresses to the NIC, and use a different IP for each customer. You could still self-sign them, but at least they'd see the desired CN and CA.
--
Best regards,
Charles
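The one-IP-per-customer setup Charles describes, written out as a Dovecot 2.x `dovecot.conf` fragment using `local` blocks (an added example, not from the thread or the Dovecot project; the IP addresses, hostnames and file paths are assumptions):

```conf
# Added example: one certificate per listening IP, so each customer's MUA,
# pointed at its own hostname, sees a cert with the expected CN and CA.
# Assumes mail.foo.com resolves to 192.0.2.10 and mail.bar.com to 192.0.2.11,
# and that both addresses are bound to the server's NIC.
ssl = required

# Default certificate, presented on any IP not matched by a local block below.
ssl_cert = </etc/ssl/certs/mail.example.com.pem
ssl_key  = </etc/ssl/private/mail.example.com.key

# foo.com customers: cert with CN=mail.foo.com, signed by the foo.com CA.
local 192.0.2.10 {
  ssl_cert = </etc/ssl/certs/mail.foo.com.pem
  ssl_key  = </etc/ssl/private/mail.foo.com.key
}

# bar.com customers: cert with CN=mail.bar.com, signed by the bar.com CA.
local 192.0.2.11 {
  ssl_cert = </etc/ssl/certs/mail.bar.com.pem
  ssl_key  = </etc/ssl/private/mail.bar.com.key
}
```

After reloading, `openssl s_client -connect 192.0.2.10:993 -showcerts` should show a subject of CN=mail.foo.com and the foo.com CA as issuer, confirming the right cert is served on each address.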