[Dovecot] Multiple certificates
I have dovecot version 1.0 release 0.beta8.2.fc5 installed on my FC5 linux box. It acts as an IMAP server to my home LAN. I connect to it from the home PCs over SSL and have installed a certificate in the domain imap.edwards.home to enable this.
However, I also use a web site called www.xs2mail.com which retrieves the email from my IMAP server (which has a public DNS entry called XXX.homelinux.com) and displays them in a web interface. I used to run uw-imap and this all worked fine. But since I went to Dovecot I can't use that site any more because it gives me this message:
Login failure: Certificate failure for XXX.homelinux.com: self signed certificate: /C=AU/ST=NSW/L=Sydney/O=Edwards/OU=IMAP server/CN=imap.edwards.home/emailAddress=philledwards@gmail.com
I assume it's getting upset because the certificate is for imap.edwards.home but the domain it's connecting to is XXX.homelinux.com. Is there a way to resolve this? I read something about using virtual servers but all I could find is this in a post somewhere - I don't know which file it goes in, where in that file, etc.:
<snip> 1.0-tests support "virtual servers", where this is possible:

    server foo {
        listen = 1.2.3.4
        ssl_cert_file = /etc/ssl/certs/foo.cer
    }

    server bar {
        listen = 1.2.3.5
        ssl_cert_file = /etc/ssl/certs/bar.cer
    }
</snip>
Can anyone help me figure this out?
(PS - I can't just set up my own IMAP web interface because I can't run anything on port 80 with my ISP and I can't get out of our company firewall on anything other than port 80).
Thanks in advance, Phill
On Thu, 26 Oct 2006, Phill Edwards wrote:
Hmm, UW-Imap supports only one certificate, too, hence I'm puzzled why it worked before.
Which side gives you this error? Dovecot or xs2mail.com? IMHO: The error looks like the "self signed" part is the problem. You probably need to store the public certificate on xs2mail.com, so that the server can validate it. Do you use the _same_ certificate with Dovecot as with UW-Imap? This should give you the same situation as before.
Give your server two IP addresses, then bind a Dovecot with certificate foo.cer on one address, and a Dovecot with bar.cer on the other one.
Because SSL is implemented as a tunnel and no symbolic hostname information is passed in IMAP, you can have only one certificate per IP address at maximum. However, most OSes allow you to bind several IP addresses to one physical NIC.
Bye,
Steffen Kaiser
xs2mail
Not the same cert, but the Dovecot one was generated in the same way as the UW-imap one.
This could be good as it already has 2 addresses - a private 192.168.x.x address and a public IP address from the cable ISP. So do I just put the lines above (with the correct addresses) into /etc/dovecot.conf?
Thanks for the help so far.
Regards, Phill
On Mon, 30 Oct 2006, Phill Edwards wrote:
So, I'd recommend trying the _same_ one. Did you store the old certificate on xs2mail?
You will then have one certificate applied to the external IP and the other one to the internal one. This is not what you want, I guess. The certificates apply to one particular interface; they are not shared.
I mean, you don't need a certificate on the internal LAN, do you?
When you need to access your IMAP host from outside your LAN with two different names protected by certificate, you need two different official (non-private) IP addresses, because you can only bind one certificate to one interface with SSL.
Bye,
Steffen Kaiser
You could be right here. I've re-created the certificate in the domain that xs2mail sees but it still gives me the same error. So there must be something about the cert that it doesn't like. Perhaps it does need my public key. It's just a free web service, though - there's no way to do that. Don't know why it worked on the old one, either!
Regards, Phill
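The replies above point at two separate checks a verifying IMAP client performs, and the xs2mail error message reports both: the certificate's name does not match the hostname the client connected to, and the certificate is self-signed, so the client has no trusted issuer for it. The following script is an added example (not code from the thread or from Dovecot) that parses the one-line OpenSSL subject DN exactly as it appears in the error, applies the usual hostname-matching rules to it, and reports which of the two conditions would make a client refuse the connection. The `san_dns_names` parameter is an assumption for illustration; the certificate in the thread shows no SubjectAltName, so only its CN is used by default.

```python
"""Diagnose why an IMAP client rejects a server certificate.

Added example, not from the Dovecot thread: it parses the OpenSSL-style
one-line subject DN shown in the xs2mail error and checks whether the
certificate's name matches the hostname the client actually connected to,
and whether the client can find an issuer for it.
"""

# Subject DN copied from the error message in the thread (constructed test
# input for this example; "XXX" is the redacted hostname used in the thread).
DN_FROM_ERROR = ("/C=AU/ST=NSW/L=Sydney/O=Edwards/OU=IMAP server"
                 "/CN=imap.edwards.home/emailAddress=philledwards@gmail.com")


def parse_openssl_dn(dn: str) -> dict:
    """Parse '/K=V/K=V' into a dict.

    Values may contain spaces, but in this one-line format they cannot
    contain an unescaped '/', so a plain split is sufficient here.
    """
    fields = {}
    for part in dn.strip("/").split("/"):
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison.

    Case-insensitive exact match, or a wildcard that is the whole leftmost
    label: *.example.com matches a.example.com but not example.com,
    a.b.example.com, or anything against a pattern like x*.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:
        return False  # wildcard is only accepted as the entire leftmost label
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def diagnose(subject_dn: str, connected_host: str, self_signed: bool,
             san_dns_names=()) -> list:
    """Return the reasons a verifying client would reject this certificate.

    san_dns_names is hypothetical input for this example: when a certificate
    carries a SubjectAltName, clients match against it instead of the CN.
    """
    problems = []
    subject = parse_openssl_dn(subject_dn)
    names = list(san_dns_names) or [subject.get("CN", "")]
    if not any(hostname_matches(n, connected_host) for n in names):
        problems.append(f"name mismatch: certificate is for {', '.join(names)} "
                        f"but the client connected to {connected_host}")
    if self_signed:
        problems.append("self-signed: the client has no trusted CA that "
                        "issued this certificate")
    return problems


if __name__ == "__main__":
    # Reproduce the situation from the thread: cert for imap.edwards.home,
    # client connecting to XXX.homelinux.com, certificate self-signed.
    for reason in diagnose(DN_FROM_ERROR, "XXX.homelinux.com", self_signed=True):
        print("REJECT:", reason)
```

Running it against the thread's own values reports both a name mismatch and the self-signed condition. Re-issuing the certificate under the public name clears only the first; the second remains until the verifying side trusts the certificate (or the CA that issued it), which is the point made in the first reply about storing the public certificate on the xs2mail side.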
I tried:

    server intern {
        listen = 192.168.0.2
        ssl_cert_file = /etc/pki/dovecot/dovecot.pem
    }

    server extern {
        listen = 1.2.3.4
        ssl_cert_file = /etc/pki/dovecot/dovecot-extern.pem
    }
I get "Error: Error in configuration file /etc/dovecot.conf line 19: Expecting '='" (the line with server). I also tried group instead of server.
Is the feature removed from 1.0 series?
What's wrong? I use 1.0rc10.
Thank you for the answer.
Ciao, Gerhard
On Mon, 30 Oct 2006, Steffen Kaiser wrote: