[Dovecot] multiple ip and ssl
Hello,
Is it possible in some way to use a different certificate on each IP address (for imap, for pop3)? There are options like these (but that is not enough for me):

protocol imap {
  listen = *:10143
  ssl_listen = *:10943
  ..
}
protocol pop3 {
  listen = *:10100
  ..
}

I have a server for 4 domains (each has its own IP address), so I need to bind one IP address to one domain to one certificate (each certificate contains the name of the domain):

domain1.tld (x.x.x.100) -> certificate domain1.tld.pem
domain2.tld (x.x.x.101) -> certificate domain2.tld.pem
domain3.tld (x.x.x.102) -> certificate domain3.tld.pem
domain4.tld (x.x.x.103) -> certificate domain4.tld.pem

Or must I run different instances of dovecot (using another config)?
Thank you for any advice.
Lampa
Hello,
so is it possible to do it in another way?
Starting dovecot with a different config (binding a different IP address and different certificates)? It is possible with the -c option. If it is possible, what must change in the config (will base_dir be enough, or will it be a problem that the other directives stay the same for all hosts - executables, options for logging, ...)?
Thank you.
2008/2/26, Timo Sirainen tss@iki.fi:
On Tue, 2008-02-26 at 19:51 +0100, Lampa wrote:
Is it possible in some way to use a different certificate on each IP address
Unfortunately not. Probably will have to wait until v2.0.
-- Lampa
On Tue, 2008-02-26 at 22:41 +0100, Lampa wrote:
Hello,
so is it possible to do it in another way?
Starting dovecot with a different config (binding a different IP address and different certificates)? It is possible with the -c option.
Sure, that'll work.
If it is possible, what must change in the config (will base_dir be enough, or will it be a problem that the other directives stay the same for all hosts - executables, options for logging, ...)?
Changing base_dir should be enough for most cases. See "Running Multiple Invocations of Dovecot" in http://wiki.dovecot.org/RunningDovecot
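The one-instance-per-IP setup discussed above, as an added example that is not part of the original thread or of Dovecot's own tooling: a script that writes one Dovecot 1.x style config per domain with its own base_dir, bind address and certificate, then reports any setting two instances would share. The 192.0.2.x addresses are constructed stand-ins for the elided x.x.x.100-103, and the file locations are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one Dovecot 1.x config per domain.
# Constructed mapping; 192.0.2.x stands in for the elided x.x.x.100-103.
INSTANCES='domain1.tld 192.0.2.100
domain2.tld 192.0.2.101
domain3.tld 192.0.2.102
domain4.tld 192.0.2.103'

# Print the config for one instance ($1 = domain, $2 = IP).
# File locations are assumptions; ports are the ones from the first post.
gen_conf() {
    cat <<EOF
# Per-instance runtime directory, so instances do not share state
base_dir = /var/run/dovecot-$1/
protocols = imap imaps pop3
ssl_cert_file = /etc/ssl/dovecot/$1.pem
ssl_key_file = /etc/ssl/dovecot/$1.key
protocol imap {
  listen = $2:10143
  ssl_listen = $2:10943
}
protocol pop3 {
  listen = $2:10100
}
EOF
}

# Write every config into directory $1 and print the start commands.
write_all() {
    echo "$INSTANCES" | while read -r domain ip; do
        gen_conf "$domain" "$ip" > "$1/$domain.conf"
        echo "dovecot -c $1/$domain.conf"
    done
}

# Print each base_dir/listen/ssl_listen line that appears in more than one
# config under $1. Empty output means no two instances collide.
find_clashes() {
    grep -hE '^ *(base_dir|listen|ssl_listen) *=' "$1"/*.conf |
        sed 's/^ *//' | sort | uniq -d
}

# Usage: sh gen.sh /etc/dovecot/instances
if [ -n "${1:-}" ]; then
    write_all "$1"
    find_clashes "$1"
fi
```

Running the clash check before starting the instances catches a copied config that still points at another instance's base_dir or listener.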
Words by Lampa [Tue, Feb 26, 2008 at 10:41:00PM +0100]:
Hello,
so is it possible to do it in another way?
Starting dovecot with a different config (binding a different IP address and different certificates)? It is possible with the -c option. If it is possible, what must change in the config (will base_dir be enough, or will it be a problem that the other directives stay the same for all hosts - executables, options for logging, ...)?
It is possible to get a certificate with a "Subject Alternative Names" containing the various hostnames pointing to the same machine.
We're waiting for a test one to check interoperability with the various clients.
More on the subject:
http://www.google.com/search?client=opera&rls=en&q=subjectaltname&sourceid=opera&ie=utf-8&oe=utf-8
-- Jose Celestino
http://www.msversus.org/ ; http://techp.org/petition/show/1 http://www.vinc17.org/noswpat.en.html
"If you would have your slaves remain docile, teach them hymns." -- Ed Weathers ("The Empty Box")
Hello,
can you please post the test results after testing? When should the tests be done?
I think that some clients (like PDA, maybe Outlook) will fail, but I won't start a flame, I will wait for the results.
Thank you.
2008/2/27, Jose Celestino japc@co.sapo.pt:
Words by Lampa [Tue, Feb 26, 2008 at 10:41:00PM +0100]:
Hello,
so is it possible to do it in another way?
Starting dovecot with a different config (binding a different IP address and different certificates)? It is possible with the -c option. If it is possible, what must change in the config (will base_dir be enough, or will it be a problem that the other directives stay the same for all hosts - executables, options for logging, ...)?
It is possible to get a certificate with a "Subject Alternative Names" containing the various hostnames pointing to the same machine.
We're waiting for a test one to check interoperability with the various clients.
More on the subject:
http://www.google.com/search?client=opera&rls=en&q=subjectaltname&sourceid=opera&ie=utf-8&oe=utf-8
-- Jose Celestino
http://www.msversus.org/ ; http://techp.org/petition/show/1 http://www.vinc17.org/noswpat.en.html
"If you would have your slaves remain docile, teach them hymns." -- Ed Weathers ("The Empty Box")
-- Lampa
On Tue, 26 Feb 2008, Jose Celestino wrote:
It is possible to get a certificate with a "Subject Alternative Names" containing the various hostnames pointing to the same machine.
I have very poor experience with such certificates in both https and imaps.
Bye,
Steffen Kaiser
Hello,
I just tested imaps with 5 altnames in MS Outlook and it works OK (the problem was an unknown CA). KMail seems to be working too, but it needs more testing. There will be some "old" clients which will not support this feature.
I found http://wiki.cacert.org/wiki/VhostTaskForce where a lot is explained.
2008/2/27, Steffen Kaiser skdovecot@smail.inf.fh-bonn-rhein-sieg.de:
On Tue, 26 Feb 2008, Jose Celestino wrote:
It is possible to get a certificate with a "Subject Alternative Names" containing the various hostnames pointing to the same machine.
I have very poor experience with such certificates in both https and imaps.
Bye,
Steffen Kaiser
-- Lampa
participants (4): Jose Celestino, Lampa, Steffen Kaiser, Timo Sirainen