[Dovecot] SSL Certificates and multiple domain names
How can I have Dovecot either return a different certificate for each domain/hostname or a certificate that supports multiple names? I currently access my IMAP server through two different hostnames and three domain names.
Daniel
On Wednesday, 14 July 2004 20:34, Daniel L. Miller wrote:
How can I have Dovecot either return a different certificate for each domain/hostname or a certificate that supports multiple names? I
Not at all, AFAIK, but that's a limitation of SSL / X.509 certificates and not of Dovecot.
Greetings,
Gunter
- http://aachen.uni-dsl.de/ - The direct line into the university network! PGP-encrypted mail preferred!
The Librarian of Unseen University had unilaterally decided to aid comprehension by producing an Orang-utan/Human Dictionary. He'd been working on it for three months. It wasn't easy. He'd got as far as "Oook". -- (Terry Pratchett, Men At Arms)
On 14.7.2004, at 23:40, Gunter Ohrner wrote:
On Wednesday, 14 July 2004 20:34, Daniel L. Miller wrote:
How can I have Dovecot either return a different certificate for each domain/hostname or a certificate that supports multiple names? I
Not at all, AFAIK, but that's a limitation of SSL / X.509 certificates and not of Dovecot.
Dovecot could support different certificates based on local or remote IPs. ssl_cert_file and ssl_key_file could contain %l and %r variables. That would require some changes though. Currently the login process initializes SSL and then chroots itself. Per-IP certificates would require dropping privileges only after the connection has been accepted, so the right certificate files could be opened.
I don't think it's worth the trouble. At least not yet.
On 2004-07-15 00:11:36 +0300, Timo Sirainen wrote:
On Wednesday, 14 July 2004 20:34, Daniel L. Miller wrote:
How can I have Dovecot either return a different certificate for each domain/hostname or a certificate that supports multiple names? I
Not at all, AFAIK, but that's a limitation of SSL / X.509 certificates and not of Dovecot.
Dovecot could support different certificates based on local or remote IPs. ssl_cert_file and ssl_key_file could contain %l and %r variables. That would require some changes though. Currently the login process initializes SSL and then chroots itself. Per-IP certificates would require dropping privileges only after the connection has been accepted, so the right certificate files could be opened.
I don't think it's worth the trouble. At least not yet.
How about binding Dovecot to a specific IP and using a different cert for each Dovecot instance?
BTW: will there be some kind of IP-based vhosting within a single Dovecot instance?
darix
-- irssi - the client of the smart and beautiful people
http://www.irssi.de/
On Thu, 2004-07-15 at 00:22, Marcus Rueckert wrote:
Dovecot could support different certificates based on local or remote IPs. ssl_cert_file and ssl_key_file could contain %l and %r variables. That would require some changes though. Currently the login process initializes SSL and then chroots itself. Per-IP certificates would require dropping privileges only after the connection has been accepted, so the right certificate files could be opened.
I don't think it's worth the trouble. At least not yet.
How about binding Dovecot to a specific IP and using a different cert for each Dovecot instance?
BTW: will there be some kind of IP-based vhosting within a single Dovecot instance?
1.0-tests support "virtual servers", where this is possible:
server foo {
  listen = 1.2.3.4
  ssl_cert_file = /etc/ssl/certs/foo.cer
}

server bar {
  listen = 1.2.3.5
  ssl_cert_file = /etc/ssl/certs/bar.cer
}
But it creates separate login processes for each server, so it'd be nicer if each login process just listened in all interfaces and just selected the certificate based on what IP the client connected to.
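The thread describes two ways to serve several names from one IMAP host: pick a certificate by the local IP the client connected to (the "server" blocks above, or the proposed %l expansion), or present one certificate that carries several names. The Python below is an added illustration of both, not Dovecot code: certificates are modelled as a small dataclass holding the DNS names a real certificate would carry in its subjectAltName, the IPs and names are constructed sample values, and match_dns_name implements the usual hostname-matching rules (case-insensitive, wildcard only as the whole left-most label, never matching across a dot) so the check shows when a client would report a name mismatch.

```python
"""Model of per-IP certificate selection and multi-name certificate
matching.  Stand-alone illustration; nothing here is Dovecot's own code."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: the file Dovecot would
    load and the DNS names it is valid for (CN / subjectAltName)."""
    path: str
    names: tuple


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name matches the hostname the client used.

    Comparison is case-insensitive; a trailing dot is ignored; a wildcard
    is only accepted as the entire left-most label of a name with at least
    three labels (so '*.bar.example' is fine, '*.example' and 'im*.bar.example'
    are not), and it matches exactly one label, never 'a.b.bar.example'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_covers(cert: Cert, hostname: str) -> bool:
    """True if any name on the certificate matches the requested hostname."""
    return any(match_dns_name(n, hostname) for n in cert.names)


class CertSelector:
    """Per-local-IP selection, like the 'server foo { listen = ... }' blocks:
    the certificate is chosen by the address the client connected to."""

    def __init__(self, per_ip: dict, default: Cert):
        self._per_ip = {ipaddress.ip_address(k): v for k, v in per_ip.items()}
        self._default = default

    def for_local_ip(self, local_ip: str) -> Cert:
        return self._per_ip.get(ipaddress.ip_address(local_ip), self._default)


# Constructed sample configuration mirroring the thread's foo/bar servers,
# plus one multi-name certificate used for any other local address.
FOO = Cert("/etc/ssl/certs/foo.cer", ("imap.foo.example",))
BAR = Cert("/etc/ssl/certs/bar.cer", ("imap.bar.example", "*.bar.example"))
MULTI = Cert(
    "/etc/ssl/certs/multi.cer",
    ("imap.foo.example", "imap.bar.example", "mail.baz.example"),
)
SELECTOR = CertSelector({"1.2.3.4": FOO, "1.2.3.5": BAR}, default=MULTI)


def check_connection(local_ip: str, hostname: str):
    """Return (certificate path served, whether it covers the hostname).

    A False second element is the situation the original question is about:
    the client connected via a name the served certificate does not carry."""
    cert = SELECTOR.for_local_ip(local_ip)
    return cert.path, cert_covers(cert, hostname)


if __name__ == "__main__":
    for ip, host in (("1.2.3.4", "imap.foo.example"),
                     ("1.2.3.4", "imap.bar.example"),
                     ("1.2.3.5", "pop.bar.example"),
                     ("10.0.0.1", "mail.baz.example")):
        print(ip, host, check_connection(ip, host))
```

The per-IP approach needs one address per name, which is why a client reaching the foo address under the bar name gets a mismatch; the multi-name certificate covers every listed name from a single address, at the cost of disclosing all of those names to anyone who fetches the certificate.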
participants (4)
- Daniel L. Miller
- Gunter Ohrner
- Marcus Rueckert
- Timo Sirainen