On 3/16/2011 7:21 PM, Ed W wrote:
>> How big of an issue is a cert with half a dozen or a dozen SANs attached? Do most mail clients handle that sort of certificate properly in order to access their mailboxes?
> I think it's been discussed here before, but roughly speaking yes it works fine. I use it on my mailservers and don't obviously see problems with common clients.

I had looked through my mail archives back through 2008 and found a few threads on the topic.

For posterity's sake (and if anyone wants to dig those up)... One from Jan 2010 titled "Dovecot version 2 and multiple SSL certificates" which is covered in the Wiki (using SNI). Prior to that was a topic from Dec 2009 titled "virtual domains and SSL certificates" (which boiled down to "wait for Dovecot 2.x"). And one from Nov 2009 titled "Dovecot SSL limitations" (which talks about SAN certificates).

I'm just leery of using SNI because it's from circa 2006, so is rather new. So for the next few years it sounds like a SAN cert is still the way to go even with the downsides.

I guess the big issue with SAN certs is that I'll need to make sure to identify every DNS name that could possibly be attached to that server's IP and/or services that I'll want to use SSL for (not just Dovecot for POP3/IMAP, but also Postfix, PostgreSQL and Apache).

> I think in the archives you might find that there are a few less common clients which aren't happy, but I think all modern MS clients, and the other big alternatives are fine?

I suspect so, all of my expected users are either using Thunderbird 3.x or fairly modern versions of MS Outlook (2003+). The rest can just use the webmail client.

> I bought from godaddy because it was quite cheap to get such a cert...

Leaning towards DigiCert at the moment, personally not a GoDaddy fan (and that's a whole different topic). Verisign and Thawte were rather pricey compared to DigiCert. Not terribly interested in the free certs because this SSL cert would also be used for non-company users and we don't want browser warnings to pop up.

> Good luck
> Ed W

Thanks. I thought I understood this a few years ago when I did my first Dovecot + SSL install, but apparently I did not grasp some of the subtleties with regards to SSL vs STARTTLS.
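The "identify every DNS name" worry above is easy to check mechanically before the cert goes live. The following is an added example (not from this thread or from Dovecot): it takes the subjectAltName block as printed by `openssl x509 -in cert.pem -noout -text`, applies the usual wildcard matching rules (RFC 6125: `*` only as the whole leftmost label, matching exactly one label), and lists every hostname from a service inventory that the certificate does not cover. The certificate text, the hostnames and the `example.com`/`example.net` inventory are constructed for the example; it only uses the Python standard library.

```python
"""Check that a SAN certificate covers every hostname your TLS services answer to.

Added example, not code from the thread. Input is the Subject Alternative Name
block from `openssl x509 -in cert.pem -noout -text`; output is the list of
inventory hostnames no SAN entry matches.
"""
import re

# Constructed sample of openssl's text output for a SAN cert (not a real cert).
OPENSSL_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mail.example.com, DNS:imap.example.com, DNS:pop3.example.com, DNS:*.example.net, IP Address:192.0.2.10
            X509v3 Basic Constraints:
                CA:FALSE
"""

# Hypothetical service inventory: every name a client might use with SSL/STARTTLS.
REQUIRED_NAMES = {
    "mail.example.com",     # Dovecot IMAP/POP3 and Postfix SMTP, covered
    "imap.example.com",     # covered
    "pop3.example.com",     # covered
    "smtp.example.com",     # Postfix, NOT in the cert above
    "webmail.example.com",  # Apache, NOT in the cert above
    "db.example.net",       # PostgreSQL, covered by the *.example.net wildcard
    "example.net",          # NOT covered: a wildcard never matches the bare domain
    "a.b.example.net",      # NOT covered: a wildcard matches exactly one label
}


def parse_san_text(text):
    """Return (dns_names, ip_addresses) parsed from openssl's SAN printout."""
    m = re.search(r"Subject Alternative Name:\s*(.+)", text)
    if not m:
        return [], []
    dns, ips = [], []
    for entry in m.group(1).split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            dns.append(entry[len("DNS:"):].lower())
        elif entry.startswith("IP Address:"):
            ips.append(entry[len("IP Address:"):])
    return dns, ips


def san_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive; '*' only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial/embedded wildcards such as 'ma*.example.com' or 'a.*.example.com'.
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    # Refuse overly broad patterns like '*.com'.
    if len(p_labels) < 3:
        return False
    # The wildcard stands in for exactly one label; the remaining labels must match.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_names(dns_names, required):
    """Hostnames in `required` that no dNSName SAN entry matches, sorted."""
    return sorted(h for h in required
                  if not any(san_matches(p, h) for p in dns_names))


if __name__ == "__main__":
    dns, ips = parse_san_text(OPENSSL_TEXT)
    print("SAN dNSName entries:", dns)
    print("SAN iPAddress entries:", ips)
    for host in uncovered_names(dns, REQUIRED_NAMES):
        print("NOT covered by this certificate:", host)
```

Run it against the real `openssl x509 -noout -text` output of the certificate you are about to buy (or the CSR you are about to submit) and an inventory of every name in DNS that points at the box; anything it prints as not covered is a hostname that will trigger a client warning. Note that an IP Address entry in the SAN does not cover a DNS name, which is why the check only consults the `DNS:` entries.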