Getting ready to redo our mail server setup, and I'm trying to wrap my head around the ins and outs and pitfalls involved in SSL, multiple domains, and Dovecot. I've taken a look at:
http://wiki2.dovecot.org/SSL/DovecotConfiguration
My basic understanding at this point is that:
With SSL for IMAP/POP3, it is limited to one certificate per IP address, because the SSL process starts as soon as the client opens the socket to the IP address. In order to support multiple domains / server names, you have to rely on SAN (Subject Alternative Names) in the server's SSL certificate.
If I use STARTTLS for IMAP/POP3 and Dovecot 2.x, then the SNI process will allow the client to specify that they want to talk to mail server XYZ, and Dovecot will hand the correct certificate to the client. However, a lot of devices don't support SNI yet, so this is fraught with peril and incompatibilities.
So it seems like if I have fewer IP addresses than mail server names, I should stick with a single SSL cert and use SANs. (Wildcard certs are not an option due to the top-level domain being different.)
How big of an issue is a cert with half a dozen or a dozen SANs attached? Do most mail clients handle that sort of certificate properly in order to access their mailboxes?
Reference links:
http://www.digicert.com/subject-alternative-name-compatibility.htm
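To make the "one cert, many SANs, no SNI" case concrete, here is an added example (not from the question or from Dovecot) that does what a mail client does after the TLS handshake: it takes the server name the user configured and checks it against the certificate's Subject Alternative Names. The certificate is a constructed dict in the shape Python's `ssl` module returns from `getpeercert()`; the hostnames and the `SAN_CERT` structure are assumptions for illustration. It goes slightly beyond the post by also showing the two rules that decide whether such a cert is accepted: the CN is ignored once a SAN extension is present, and a wildcard label never crosses a dot, which is why a wildcard cannot cover a second top-level domain.

```python
"""Hostname matching against a multi-SAN certificate, as a TLS client does it.

Constructed example: SAN_CERT mimics the dict ssl.SSLSocket.getpeercert()
returns for a single certificate that carries names across unrelated TLDs.
Every client that reaches the same IP receives this same certificate,
regardless of SNI; whether the mailbox can be opened depends only on whether
the configured server name appears in the SAN list.
"""

# Constructed peer certificate: one cert, several SANs, different TLDs.
SAN_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "imap.example.com"),
        ("DNS", "mail.example.org"),
        ("DNS", "mail.example.net"),
        ("DNS", "*.mail-hosting.example"),  # wildcard covers one label only
    ),
}


def _name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, a wildcard is allowed only
    as the entire left-most label, and it never spans a dot. So
    *.example.com cannot match mail.example.org or a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Same label count, and refuse wildcards that would sit at the TLD level.
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert):
    """DNS names the certificate is valid for. Once a SAN extension exists,
    the commonName is ignored, which is how current clients behave."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_hostname(cert, hostname):
    """True if the server name the client was configured with is covered."""
    return any(_name_matches(name, hostname) for name in names_in_cert(cert))


def check_mailboxes(cert, server_names):
    """Simulate clients for several mail domains that all hit one IP and so
    all see the same certificate; report which configured names verify."""
    return {name: cert_matches_hostname(cert, name) for name in server_names}


if __name__ == "__main__":
    clients = [
        "mail.example.com",
        "MAIL.EXAMPLE.ORG",        # case does not matter
        "pop.example.org",         # not listed: client shows a cert warning
        "pop.mail-hosting.example",
        "a.b.mail-hosting.example",  # wildcard does not reach two labels deep
        "mail-hosting.example",    # wildcard does not match the bare domain
    ]
    for name, ok in check_mailboxes(SAN_CERT, clients).items():
        print(f"{name:28} {'OK' if ok else 'MISMATCH'}")
```

The practical takeaway for a SAN-only setup is the `pop.example.org` line: every hostname users will type into a client (IMAP, POP3 and SMTP submission names alike) must be enumerated in the SAN list, because there is no fallback to the CN and no wildcard that spans `.org` and `.com`.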