There was a thread earlier this year that noted a difficulty in modifying dovecot to handle multiple domain certificates. This is a proposal that may require only minor modifications.
Virtual domains can be set up with a unique ip address for each server; mail.domain1.tld ###.###.###.1, mail.domain2.tld ###.###.###.2, etc. Users are instructed to enter 'mail.domain?.tld' for their imap server.
When an SSL TCP connection is established on port 993, the server program will know the IP # that was used for the connection and can use getnameinfo to extract the domain name (%d). This can then be used to build a specific reference to the certificate to be used, prior to responding to CLIENT_HELLO. Something like /etc/ssl/%d/[certs|private]/dovecot.pem
One technique would be to include this in multiple dovecot.conf listen parameters read on startup, similar to tpop3d:
listen = ###.###.###.1:993(domain1.tld);tls=stls,\
/etc/ssl/domain1.tld/certs/dovecot.pem,\
/etc/ssl/domain1.tld/private/dovecot.pem
listen = ###.###.###.2:993(domain2.tld);tls=stls,\
/etc/ssl/domain2.tld/certs/dovecot.pem,\
/etc/ssl/domain2.tld/private/dovecot.pem
Alternatively, as virtual servers almost always use some form of lookup (in my case mysql) the certificate used could be determined at time of connection, similar to the way ssl_ca is handled. For example:
user_query = SELECT '125' as uid, '125' as gid, maildir as home, '/etc/ssl/%d/certs/dovecot.pem' as cert, '/etc/ssl/%d/private/dovecot.pem' as priv FROM mailbox WHERE username = '%u'
In this manner the certificate returned would match the server ip/FQDN and can also be customized for the specific domain involved. Seeing their own domain name as the CN for both the certificate and CA goes a long way to establish credibility for most secure email users.
Could this be done?
-- Jim Flowers<jflowers@ezo.net>
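Added example (not part of the post above, and not Dovecot code) showing the selection step the proposal describes: take the local address a client connected to, map it to a domain, and build the /etc/ssl/%d/... certificate and key paths from it before the TLS handshake. It keys only on the local address, since on port 993 the certificate has to be chosen before any IMAP login data (and so the username) exists. It follows the first variant, a static per-listen-address table, and falls back to getnameinfo on the address when the table has no entry. The 192.0.2.x addresses and the resolver injection are assumptions for this example; the hostname check is there so an odd or hostile PTR answer can never become a path component.

```python
import re
import socket
import ssl
from functools import lru_cache

# Path layout from the post: %d is the domain name.
CERT_TEMPLATE = "/etc/ssl/{domain}/certs/dovecot.pem"
KEY_TEMPLATE = "/etc/ssl/{domain}/private/dovecot.pem"

# Strict DNS-label pattern: only label characters and dots, so a PTR answer
# like "../../something" can never be spliced into a filesystem path.
_HOSTNAME_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

# Static listen-address -> domain table, the equivalent of one
# listen = ...(domainN.tld) entry per address.  Addresses are constructed
# samples (TEST-NET-1), not real servers.
LISTEN_DOMAINS = {
    "192.0.2.1": "mail.domain1.tld",
    "192.0.2.2": "mail.domain2.tld",
}


def reverse_lookup(ip):
    """Resolve a local IP to a name with getnameinfo, as the post suggests.

    NI_NAMEREQD makes this raise socket.gaierror (an OSError) when the
    address has no PTR record instead of handing back the bare IP.
    """
    host, _ = socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)
    return host.lower()


def domain_for_local_ip(ip, table=LISTEN_DOMAINS, resolver=reverse_lookup):
    """Static table first, reverse DNS as the fallback.

    Returns None when no usable name is found; the caller should then
    refuse the connection rather than guess a certificate.
    """
    domain = table.get(ip)
    if domain is None:
        try:
            domain = resolver(ip)
        except OSError:
            return None
    if not _HOSTNAME_RE.match(domain):
        return None
    return domain


def cert_paths(domain):
    """Build the (certificate, private key) paths for a domain."""
    return (CERT_TEMPLATE.format(domain=domain),
            KEY_TEMPLATE.format(domain=domain))


@lru_cache(maxsize=None)
def context_for_domain(domain):
    """One server-side TLS context per domain, loaded on first use."""
    cert_file, key_file = cert_paths(domain)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def serve_once(listen_sock):
    """Accept one connection and wrap it with the certificate for the
    address the client actually connected to (the server side of the
    handshake has not started yet, so the choice precedes any hello)."""
    conn, _peer = listen_sock.accept()
    local_ip = conn.getsockname()[0]
    domain = domain_for_local_ip(local_ip)
    if domain is None:
        conn.close()  # no mapping: do not fall back to some other cert
        return None
    tls = context_for_domain(domain).wrap_socket(conn, server_side=True)
    return tls  # ready for the IMAP greeting over TLS
```

The static table is the part to rely on in practice: it is fixed at startup like the listen lines, whereas the getnameinfo fallback depends on whoever controls the PTR records for the address, which is why its answer is validated before it ever touches a path.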