[Dovecot] Multiple SSL certificates with dovecot.
Hello all,
In advance, I hope you'll excuse my probably imperfect English, which is not my mother tongue.
I have always appreciated dovecot for its simplicity to set up and its light weight, but today, after many installations, I cannot find how to set up dovecot for my configuration.
- I use only IMAPS to retrieve the mails.
- I manage two domain names
- I use CA-Cert certificates
So, the question is: how to set up dovecot to select the appropriate certificate according to the domain name I use when I retrieve mails using the IMAPS protocol?
Thanks. Andre Rodier.
On Tue, 10 Jun 2008, Andre Rodier wrote:
- I use only IMAPS to retrieve the mails.
- I manage two domain names
- I use CA-Cert certificates
So, the question is: how to set up dovecot to select the appropriate certificate according to the domain name I use when I retrieve mails using the IMAPS protocol?
Well, it is NOT possible, unless you use two different ways to connect to the IMAP server, which basically means you need two IP addresses or two port numbers.
Unfortunately, IMAP (and most other protocols out there) does not have the capability of virtual hosting as HTTP has (with the Host header).
That means:
variant 1) IMAP over SSL: the client resolves the symbolic IMAP server name via DNS, then connects to a port on the numerical IP, then the SSL handshake takes place. There is no way for the server to know which cert to use, because no "domain name" is transferred to it. Then the user authenticates.
variant 2) IMAP with STARTTLS: the client resolves the symbolic IMAP server name via DNS, then connects to a port on the numerical IP, Dovecot returns the greeting, the client issues STARTTLS, then the SSL handshake takes place. There is no way for the server to know which cert to use, because no "domain name" is transferred to it. Then the user authenticates.
At least in variant 2) the IMAP standard could implement a way to pass the original host, but it doesn't. So the server must pick a certificate on its own.
Therefore, you cannot host virtual IMAPS servers, but need physically separated ones.
Bye,
Steffen Kaiser
On Tue, 10 Jun 2008 08:01:38 pm Andre Rodier wrote:
Hello all,
In advance, I hope you'll excuse my probably imperfect English, which is not my mother tongue.
It's pretty good.
I have always appreciated dovecot for its simplicity to set up and its light weight, but today, after many installations, I cannot find how to set up dovecot for my configuration.
- I use only IMAPS to retrieve the mails.
- I manage two domain names
- I use CA-Cert certificates
So, the question is: how to set up dovecot to select the appropriate certificate according to the domain name I use when I retrieve mails using the IMAPS protocol?
It cannot. To do so would require "Server Name Indication" (RFC 3546) to be implemented. It would also require email clients to support it. https://wiki.cacert.org/wiki/VhostTaskForce
An alternative is to get both names into the one certificate. https://wiki.cacert.org/wiki/CSRGenerator
--
Daniel Black
Proudly a Gentoo Linux User. Gnu-PG/PGP signed and encrypted email preferred http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x76677097 GPG Signature D934 5397 A84A 6366 9687 9EB2 861A 4ABA 7667 7097
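Daniel's suggestion (one certificate carrying both names) and Steffen's point that the server cannot pick a certificate per name without SNI both come down to one check an administrator will want to run: does the certificate the IMAPS server actually presents cover every host name users type into their mail clients? The script below is an added example for this thread, not Dovecot's own code or anything from the list. The host names and the sample certificate dictionary are constructed; `fetch_peer_cert` uses Python's standard `ssl` module and sets the SNI extension via `server_hostname`, so a server that ignores SNI simply returns the same certificate for every name.

```python
"""Check whether an IMAPS server's certificate covers every host name a
client may use.  Added example for this thread, not Dovecot code.  The host
names and SAMPLE_CERT below are constructed for illustration."""
import socket
import ssl
from typing import Dict, Iterable, List


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: '*' is honoured only as the entire leftmost
    label and matches exactly one label, so '*.example.org' matches
    'imap.example.org' but neither 'example.org' nor 'a.b.example.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> List[str]:
    """Collect DNS names from a certificate in ssl.getpeercert() form.
    subjectAltName DNS entries are authoritative; the commonName is used
    only as a legacy fallback when the certificate has no SAN entries."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def coverage(cert: dict, hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each host name to True if some name in the certificate covers it."""
    names = cert_names(cert)
    return {h: any(_label_matches(n, h) for n in names) for h in hostnames}


def fetch_peer_cert(host: str, port: int = 993, timeout: float = 10.0) -> dict:
    """Open an IMAPS (implicit TLS) connection and return the certificate the
    server presents.  server_hostname sets the SNI extension; the default
    context also verifies the chain and host name, so a certificate that does
    not cover `host` raises ssl.SSLCertVerificationError, which is itself the
    diagnostic an administrator is after."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in ssl.getpeercert() shape, standing in for a single
# certificate that lists both of the poster's domains as SANs.
SAMPLE_CERT = {
    "subject": ((("commonName", "imap.example.org"),),),
    "subjectAltName": (("DNS", "imap.example.org"), ("DNS", "imap.example.net")),
}

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 2:
        # usage: python check_imaps_cert.py <host> <name1> [<name2> ...]
        cert, names = fetch_peer_cert(sys.argv[1]), sys.argv[2:]
    else:
        cert = SAMPLE_CERT
        names = ["imap.example.org", "imap.example.net", "mail.example.com"]
    for name, ok in coverage(cert, names).items():
        print(f"{name}: {'covered' if ok else 'NOT covered'}")
```

Run without arguments it evaluates the constructed certificate offline; given a host and a list of names it connects on port 993 and reports which of the names the live certificate covers. Because `getpeercert()` only returns a parsed dictionary when the chain was verified, the script deliberately keeps verification on rather than disabling it to peek at an untrusted certificate.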
Hello all,
Thanks a lot for your answers; I was not sure it was possible anyway.
Thanks Steffen for having taken the time to explain the IMAP protocol to me, and Daniel for your advice about the CSR and the vhost task force; I'll try them later.
André Rodier.