[Dovecot] virtual domains and SSL certificates
Hi all,
I have dovecot 1.1.0 setup to access vpopmail accounts for several virtual domains. Dovecot IMAP is accessed through several virtual domains as well, i.e. mail.foo.com and mail.bar.com. The problem is that the configuration file specifies only one certificate file for dovecot, which means only one Common Name, which means one cannot provide one server cert that will match mail.foo.com AND mail.bar.com, and either mary@foo.com or bob@bar.com will get a "Security Error: Domain Name Mismatch" in their mail client when connecting through IMAPS.
How can I avoid this domain name mismatch error?
Regards, Kacper Wysocki
Kacper Wysocki wrote:
> Hi all,
> I have dovecot 1.1.0 setup to access vpopmail accounts for several virtual domains. Dovecot IMAP is accessed through several virtual domains as well, i.e. mail.foo.com and mail.bar.com. The problem is that the configuration file specifies only one certificate file for dovecot, which means only one Common Name, which means one cannot provide one server cert that will match mail.foo.com AND mail.bar.com, and either mary@foo.com or bob@bar.com will get a "Security Error: Domain Name Mismatch" in their mail client when connecting through IMAPS.
> How can I avoid this domain name mismatch error?
a) Use a single host name for all domains.
b) If you really want different hostnames for all domains, you'll need one IP address for each domain. Dovecot can at this moment listen on several addresses, but it only uses one SSL certificate for all of them, which means you would need several dovecot instances running.
Which leads us to the request: could it be that in a future version one could select a different certificate for each IP that Dovecot listens to?
On 8/7/2008, Eduardo M KALINOWSKI (eduardo@kalinowski.com.br) wrote:
> Which leads us to the request: could it be that in a future version one could select a different certificate for each IP that Dovecot listens to?
If I am not mistaken, this is already on the radar for 2.0...
--
Best regards,
Charles
On 2008-08-07, at 1206, Eduardo M KALINOWSKI wrote:
> Which leads us to the request: could it be that in a future version
> one could select a different certificate for each IP that Dovecot
> listens to?
i have a client who is doing this now- they own two domain names, and
they insisted that the users of each domain not have to ever enter the
"other" domain name at all, even for something like an IMAP or SMTP
server name... so they have two IPs on the server, and each domain has
its own IP address. among other things, they're running dovecot under
daemontools, using sslserver to answer the socket and handle the SSL
negotiations, and they have a different certificate for each service.
http://qmail.jms1.net/dovecot.shtml is a page i wrote about running
dovecot under daemontools.
http://qmail.jms1.net/scripts/service-dovecot-xxx-run is the
daemontools "run" script for a dovecot IMAP or POP3 service. it needs
to be customized with the details for your service(s); i tried to put
enough comments within the script that you shouldn't have any problem
understanding how it works and what goes where.
| John M. Simpson -- KG4ZOW -- Programmer At Large | | http://www.jms1.net/ <jms1@jms1.net> |
| Hope for America -- http://www.ronpaul2008.com/ |
On 2008-08-07, at 1143, Kacper Wysocki wrote:
> The problem is that the configuration file specifies only one certificate file for dovecot, which means only one Common Name, which means one cannot provide one server cert that will match mail.foo.com AND mail.bar.com, and either mary@foo.com or bob@bar.com will get a "Security Error: Domain Name Mismatch" in their mail client when connecting through IMAPS.
> How can I avoid this domain name mismatch error?
if you're using normal SSL (usually on port 993) each IP:PORT
combination on the server can only have one SSL certificate. this is
because the SSL negotiations happen before the internal protocol (in
this case, IMAP) ever starts. the SSL protocol does not provide any
way for the client to tell the server which hostname they're trying to
connect to- the only thing the server knows is what IP and port the
client connected to.
if you're using STARTTLS, the connection starts as normal, but instead
of sending login credentials, the client sends a "STARTTLS" command of
some kind, the server says OK, and then starts SSL negotiations within
the existing socket. in that kind of scenario it's theoretically
possible for the client to tell the server which hostname it wants (so
the server can select the appropriate certificate) however i don't
think the IMAP protocol has that capability.
this is the same kind of issue people run into with other SSL-
encrypted services, such as SMTP-SSL or HTTPS. the problem is that
when the SSL protocol was designed, they didn't think about a server
having a need for multiple certificates, and there are too many
existing SSL implementations in use right now to think realistically
about changing the protocol at such a basic level.
it might be possible to construct a special certificate with multiple
CN= fields, or with multiple "alternate name" fields (i forget the
X.509 key for this field) however these are non-standard, and there's no
guarantee that all clients will honour, or even understand, such
certificates.
what i do on my own server is just tell all of my clients that they
must use the name "secure.jms1.net" as their IMAP-SSL and SMTP-SSL
server names. it doesn't affect the appearance of their outgoing mail
at all (other than the "Received" headers, which would happen anyway.)
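The "Domain Name Mismatch" error in the original question, and the "multiple CN= / alternate name" certificate John mentions, both come down to one question: which hostnames does the certificate the server presents actually cover? The following is an added example (not code from this thread, from Dovecot, or from any of the posters) that implements the hostname-matching rules a mail client applies, working on the same dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificates are constructed inline: one with only a Common Name (the situation in the question) and one whose subjectAltName extension lists both mail.foo.com and mail.bar.com, which is the standard way to make a single certificate valid for several virtual domains. It also includes an optional live check of a running IMAPS port, which is not run here.

```python
"""Which hostnames does a server certificate cover?  (Added example.)

Certificates are represented the way Python's ssl.getpeercert() returns
them: a dict with a 'subject' tuple of RDNs and an optional
'subjectAltName' tuple of (type, value) pairs.  The matching rules follow
RFC 6125: subjectAltName DNS entries take precedence over the Common
Name, comparison is case-insensitive, and a wildcard may only replace the
whole leftmost label.
"""
import socket
import ssl

# Constructed sample certificates (not real certificates).
CN_ONLY_CERT = {
    "subject": ((("commonName", "mail.foo.com"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "mail.foo.com"),),),
    "subjectAltName": (("DNS", "mail.foo.com"), ("DNS", "mail.bar.com")),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}


def covered_names(cert):
    """Return the DNS names a certificate asserts.  If any DNS
    subjectAltName entries exist, the Common Name is ignored; only a
    certificate with no SAN DNS entries falls back to its CN."""
    san = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for key, v in rdn
            if key == "commonName"]


def _dns_id_matches(dns_id, hostname):
    """Compare one certificate DNS identifier against a hostname."""
    dns_id = dns_id.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in dns_id:
        return dns_id == hostname
    id_labels = dns_id.split(".")
    host_labels = hostname.split(".")
    # Wildcard must be the entire leftmost label, there must be at least
    # two more labels after it, and it matches exactly one label.
    if id_labels[0] != "*" or len(id_labels) < 3 or "*" in dns_id[1:]:
        return False
    return (len(id_labels) == len(host_labels)
            and id_labels[1:] == host_labels[1:])


def cert_matches_hostname(cert, hostname):
    """True if the certificate is valid for the hostname the client used."""
    return any(_dns_id_matches(name, hostname) for name in covered_names(cert))


def mismatching_hostnames(cert, hostnames):
    """Which of the server names users were told to configure would
    produce a 'Domain Name Mismatch' against this certificate."""
    return [h for h in hostnames if not cert_matches_hostname(cert, h)]


def fetch_server_cert(host, port=993):
    """Connect to an IMAPS port and return the presented certificate in
    getpeercert() form.  Hostname checking is disabled so the certificate
    can be inspected even when it does not match; the chain is still
    verified against the system trust store.  Not run in this example."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        # server_hostname sends SNI, for servers that select by name.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    names = ["mail.foo.com", "mail.bar.com"]
    print("CN-only cert covers:", covered_names(CN_ONLY_CERT))
    print("  mismatch for:", mismatching_hostnames(CN_ONLY_CERT, names))
    print("SAN cert covers:", covered_names(SAN_CERT))
    print("  mismatch for:", mismatching_hostnames(SAN_CERT, names))
```

Running it shows the CN-only certificate producing a mismatch for mail.bar.com while the SAN certificate covers both names; pointing `fetch_server_cert` at a real server and passing the result to `mismatching_hostnames` gives the same answer for a deployed certificate.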