Multiple certificate option
On 2019-09-07 12:25, remo--- via dovecot wrote:
What is the best way to adopt multiple certs?
Thanks.
/etc/dovecot/conf.d/10-ssl.conf
Primary SSL certificate:
# SSL/TLS support: yes, no, required.
("yes" or "required" - I use required)
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3, # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used. ssl_min_protocol = TLSv1
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf ssl_cert =
Secondary SSL certificates (I add this at the bottom of the file)
local_name mail.domain2.tld {
ssl_cert = </etc/ssl/private/mail-domain2-tld.crt
ssl_key = </etc/ssl/private/mail-domain2-tld.key}
Thanks Michael I will check with the free cert lets encrypt to test it.
Remo
Il giorno 7 set 2019, alle ore 02:09, Michael Hallager via dovecot dovecot@dovecot.org ha scritto:
On 2019-09-07 12:25, remo--- via dovecot wrote:
What is the best way to adopt multiple certs? Thanks.
/etc/dovecot/conf.d/10-ssl.conf
Primary SSL certificate:
# SSL/TLS support: yes, no, required.
#ssl = yes ssl = required ("yes" or "required" - I use required)
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3, # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used. ssl_min_protocol = TLSv1
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf ssl_cert =
Secondary SSL certificates (I add this at the bottom of the file)
local_name mail.domain2.tld {
ssl_cert = </etc/ssl/private/mail-domain2-tld.crt ssl_key = </etc/ssl/private/mail-domain2-tld.key}
On Sat, 7 Sep 2019, Remo Mattei wrote:
Thanks Michael I will check with the free cert lets encrypt to test it.
If all your certificate subjects are domains under your control, such as when they are aliases of each other (e.g. smtp.domain.tld, pop3.domain.tld, imap.domain.tld, webmail.myotherdomain.tld, ...), you may find it more convenient to obtain a SAN (Subject Name Alternative) certificate, which allows multiple subjects to be specified in one certificate. Alternatively, you can also get a wildcard domain if all your subjects are in the same domain.
There are obvious advantages to this: one (and only one) certificate to add to the dovecot configuration, one renewal every ~60 days requiring one restart of the dovecot service (minimizes disruptions), etc.
A disadvantages is it's a little trickier to set up your ACME bot (and maybe your DNS service) to get a wildcard/SAN certificate.
Joseph Tam jtam.home@gmail.com
Hi I have some problem with SNI and dovecot 2.2.36.4
Server debian 9.x ad dovecot-2.2.36.4
default server ssl cert is a wildcard like *.domain.com (digicert)
ssl_ca = /var/control/cert.pem ssl_cert =
I added for test another domain (in dns to) for another ssl (letsencrypt)
from https://wiki.dovecot.org/SSL/DovecotConfiguration
like:
local_name imap.mail.test.domain.com { ssl_cert =
doveconf -n:
local_name imap.mail.test.domain.com { ssl_cert =
Now I test like: openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1
and dovecot show me default server cert (digicert) but not dedicated from letsencrypt
In DNS domain imap.mail.test.domain.com is not match *.domain.com
Any idea ?
Le 13 sept. 2019 à 12:10, Maciej Milaszewski IQ PL via dovecot dovecot@dovecot.org a écrit :
Hi I have some problem with SNI and dovecot 2.2.36.4
Server debian 9.x ad dovecot-2.2.36.4
default server ssl cert is a wildcard like *.domain.com (digicert)
ssl_ca = /var/control/cert.pem ssl_cert =
I added for test another domain (in dns to) for another ssl (letsencrypt)
from https://wiki.dovecot.org/SSL/DovecotConfiguration
like:
local_name imap.mail.test.domain.com { ssl_cert =
doveconf -n:
local_name imap.mail.test.domain.com { ssl_cert =
Now I test like: openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1
and dovecot show me default server cert (digicert) but not dedicated from letsencrypt
In DNS domain imap.mail.test.domain.com is not match *.domain.com
Any idea ?
AFAIK, the -connect option of openssl is not use for SNI, but only for IP resolution. To enable SNI, you have to explicitly pass it using '-servername' parameter.
Maciej Milaszewski IQ PL via dovecot dovecot@dovecot.org (Fr 13 Sep 2019 12:10:39 CEST):
openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1
Use -servername <your sni name> for testing.
-- Heiko
On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote:
What is the best way to adopt multiple certs?
I have a setup that creates letsencrypt certs for each customer domain. To automate this I have the following at the end of conf.d/10-ssl.conf
!include ssl.d/*.conf
This includes any .conf file under conf.d/ssl.d
Now it is a simple matter to add and remove certificates for each domain as the letsencrypt job runs. Each config file looks like this
$cat ssl.d/somedomain_co_za.conf local_name imap.somedomain.co.za { ssl_cert =
YMMV.
-- Greg
Hi This is for all dovecot version ?
On 10.09.2019 08:05, Greg Wildman via dovecot wrote:
On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote:
What is the best way to adopt multiple certs? I have a setup that creates letsencrypt certs for each customer domain. To automate this I have the following at the end of conf.d/10-ssl.conf
!include ssl.d/*.conf
This includes any .conf file under conf.d/ssl.d
Now it is a simple matter to add and remove certificates for each domain as the letsencrypt job runs. Each config file looks like this
$cat ssl.d/somedomain_co_za.conf local_name imap.somedomain.co.za { ssl_cert =
YMMV.
-- Maciej Miłaszewski Starszy Administrator Systemowy IQ PL Sp. z o.o.
Biuro Obsługi Klienta: e-mail: bok@iq.pl tel.: +48 58 326 09 90 - 94 fax: +48 58 326 09 99
Dział pomocy: https://www.iq.pl/pomoc Informacja dotycząca przetwarzania danych osobowych: https://www.iq.pl/kontakt
IQ PL Sp. z o.o. z siedzibą w Gdańsku (80-298), ul. Geodetów 16, KRS 0000007725, Sąd rejestrowy: Sąd Rejonowy w Gdańsku VII Wydział KRS, kapitał zakładowy: 140.000 PLN, NIP 5832736211, REGON 192478853
On Tue, 2019-09-10 at 08:41 +0200, Maciej Milaszewski IQ PL via dovecot wrote:
Hi This is for all dovecot version ?
Not sure. Any version of dovecot that builds it's config from the conf.d folder will work. Not sure on the specific SSL certificate syntax but I have been using the aformentioned config for the last couple of years.
-- Greg
participants (8)
-
Greg Wildman
-
Heiko Schlittermann
-
Jean-Daniel Dupas
-
Joseph Tam
-
Maciej Milaszewski IQ PL
-
Michael Hallager
-
Remo Mattei
-
remo@Mattei.org