[Dovecot] Two server certificates for two common names
Hi there!
I have two DNS records, mail1.domain.tld and mail2.domain.tld.
I have issued SSL server certificates for both of my domain names. Is it possible to tell dovecot to use both, depending on how the client connects: clients using mail1.domain.tld would be served by the mail1.domain.tld .key and .cert, and those using mail2.domain.tld by the mail2.domain.tld .key and .cert?
Thanks in advance, Dimitrios
That is an SSL impossibility, and the current TLS clients can't really
do that either. The best way to do it is to use separate IPs for
mail1 and mail2.
The only other option is to use a new certificate with
subject-alt-names, but lots of email clients don't support that.
Web browsers have for a long time now, but email is completely different.
Quoting Δημήτριος Καραπιπέρης <dimkar@thessaloniki.gr>:
> Hi there!
> I have two DNS records, mail1.domain.tld and mail2.domain.tld.
> I have issued SSL server certificates for both of my domain names. Is it possible to tell dovecot to use both, depending on how the client connects: clients using mail1.domain.tld would be served by the mail1.domain.tld .key and .cert, and those using mail2.domain.tld by the mail2.domain.tld .key and .cert?
> Thanks in advance, Dimitrios
Patrick Domack wrote:
> That is an SSL impossibility, and the current TLS clients can't really do that either. The best way to do it is to use separate IPs for mail1 and mail2.
> The only other option is to use a new certificate with subject-alt-names, but lots of email clients don't support that. Web browsers have for a long time now, but email is completely different.
I would be interested to hear which mail clients don't support this?
My experience is that the main culprits are OK (including Apple and many handhelds).
I use a cheapo S-A-N cert from GoDaddy and it seems to work OK (but I hardly have a wide range of clients using it).
Hope this helps?
Ed W
So, on one dovecot instance, it is impossible to have two SSL certificates for two distinct common names. Right?
Thanks, Dimitrios
Ed W wrote:
> Patrick Domack wrote:
> > That is an SSL impossibility, and the current TLS clients can't really do that either. The best way to do it is to use separate IPs for mail1 and mail2.
> > The only other option is to use a new certificate with subject-alt-names, but lots of email clients don't support that. Web browsers have for a long time now, but email is completely different.
> I would be interested to hear which mail clients don't support this?
> My experience is that the main culprits are OK (including Apple and many handhelds).
> I use a cheapo S-A-N cert from GoDaddy and it seems to work OK (but I hardly have a wide range of clients using it).
> Hope this helps?
> Ed W
-- ΔΗΜΗΤΡΙΟΣ ΚΑΡΑΠΙΠΕΡΗΣ, Technical Support, SYZEFXIS
HELLENIC REPUBLIC - Prefecture of Thessaloniki, Municipality of Thessaloniki - Directorate of Organisation & Methods, 2310 - 257844, fax 2310 - 244965
On Wed, 26 Aug 2009, Δημήτριος Καραπιπέρης wrote:
> So, on one dovecot instance, it is impossible to have two SSL
> certificates for two distinct common names. Right?
At the moment, yes. In a future version this will be possible, but I
suppose you will still need two IPs.
-- Eduardo M KALINOWSKI eduardo@kalinowski.com.br
Δημήτριος Καραπιπέρης wrote:
> So, on one dovecot instance, it is impossible to have two SSL certificates for two distinct common names. Right?
You are kind of asking two questions here:
- SSL as it stands maps one IP address to one certificate. The basic issue is that, bar a few exceptions, there is no clear way to connect to an IP address and say what "domain" you are expecting to see on the other end, hence allowing the other end to present the domain-specific cert. This is currently not fixable, but you can work around it by getting one cert with all your CNs on it (see Subject Alt Name).
- Does Dovecot support running on 2 IPs with different certs on each IP? I think the answer is currently no? You could run two dovecot instances though... I believe this is on the todo list for a later version, but as yet not that high up the priority list? (Timo?) So this bit is fixable in various ways.
Does that help?
Ed W
Basically, the server is not expecting any kind of domain in the SSL handshake, but what if the server could serve more than one cert, so that clients using mail1.dom.gr and mail2.dom.gr, which resolve to the same dovecot instance but from different network segments, could be certified?
mail1.dom.gr -> 10.65.0.45 (private one), mail2.dom.gr -> 84.205.252.78 (random numbers)
In essence, it is the same dovecot instance.
Dimitrios
Ed W wrote:
> Δημήτριος Καραπιπέρης wrote:
> > So, on one dovecot instance, it is impossible to have two SSL certificates for two distinct common names. Right?
> You are kind of asking two questions here:
> - SSL as it stands maps one IP address to one certificate. The basic issue is that, bar a few exceptions, there is no clear way to connect to an IP address and say what "domain" you are expecting to see on the other end, hence allowing the other end to present the domain-specific cert. This is currently not fixable, but you can work around it by getting one cert with all your CNs on it (see Subject Alt Name).
> - Does Dovecot support running on 2 IPs with different certs on each IP? I think the answer is currently no? You could run two dovecot instances though... I believe this is on the todo list for a later version, but as yet not that high up the priority list? (Timo?) So this bit is fixable in various ways.
> Does that help?
> Ed W
Δημήτριος Καραπιπέρης wrote:
> Basically, the server is not expecting any kind of domain in the SSL handshake, but what if the server could serve more than one cert, so that clients using mail1.dom.gr and mail2.dom.gr, which resolve to the same dovecot instance but from different network segments, could be certified?
> mail1.dom.gr -> 10.65.0.45 (private one), mail2.dom.gr -> 84.205.252.78 (random numbers)
> In essence, it is the same dovecot instance.
I should imagine that you can achieve this using an external SSL wrapper such as stunnel?
OR
You could use firewall rules to redirect incoming connections to
different local ports depending on where the connection originates.
Then set up the appropriate config on each port to serve a different cert.
This setup does sound workable.
Ed W
On Aug 26, 2009, at 2:17 PM, Ed W wrote:
> - Does Dovecot support running on 2 IPs with different certs on
> each IP? I think the answer is currently no? You could run two
> dovecot instances though... I believe this is on the todo list for
> a later version, but as yet not that high up the priority list?
> (Timo?) So this bit is fixable in various ways.
Dovecot v2.0 supports different certs for different IPs. Until then
you'll need to run multiple Dovecot instances with different config
files.
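A Dovecot v2.0 configuration of the kind Timo describes, as an added example that is not from this thread or from the Dovecot project itself: one certificate per listening IP, using the two addresses Dimitrios gave above; the certificate and key paths are assumptions.

```conf
# dovecot.conf (Dovecot v2.0 or later): one certificate per listening IP.
# The two addresses are the ones from the thread; the file paths are assumed.
listen = 10.65.0.45, 84.205.252.78

ssl = required
# Fallback pair, used for any connection not matched by a local {} block below.
ssl_cert = </etc/ssl/certs/mail1.domain.tld.pem
ssl_key  = </etc/ssl/private/mail1.domain.tld.key

# Connections arriving on the private address get the mail1 certificate.
local 10.65.0.45 {
  ssl_cert = </etc/ssl/certs/mail1.domain.tld.pem
  ssl_key  = </etc/ssl/private/mail1.domain.tld.key
}

# Connections arriving on the public address get the mail2 certificate.
local 84.205.252.78 {
  ssl_cert = </etc/ssl/certs/mail2.domain.tld.pem
  ssl_key  = </etc/ssl/private/mail2.domain.tld.key
}
```

Each certificate still has to name the hostname the client dials, since clients verify the name they connected to, not the IP. Later Dovecot releases (2.2 and up) also accept `local_name mail1.domain.tld { ... }` blocks, which select a certificate by the SNI name sent by clients that support it.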
Hi Timo, what exactly do you mean by "different IPs"? Requests coming to different IPs? Or certs bound to two different server IPs?
It is really important for my installation.
Thanks in advance, Dimitrios
Timo Sirainen wrote:
> On Aug 26, 2009, at 2:17 PM, Ed W wrote:
> > - Does Dovecot support running on 2 IPs with different certs on each IP? I think the answer is currently no? You could run two dovecot instances though... I believe this is on the todo list for a later version, but as yet not that high up the priority list? (Timo?) So this bit is fixable in various ways.
> Dovecot v2.0 supports different certs for different IPs. Until then you'll need to run multiple Dovecot instances with different config files.
On 27.08.2009, 10:28, Δημήτριος Καραπιπέρης
<dimkar@thessaloniki.gr> wrote:
> Hi Timo, what exactly do you mean by "different IPs"? Requests coming to different IPs? Or certs bound to two different server IPs?
That would be: run two instances, each on a different Listen Address.
-- Matthias Andree