[Dovecot] virtual domains and SSL certificates

John Simpson jms1 at jms1.net
Thu Aug 7 19:31:25 EEST 2008


On 2008-08-07, at 1143, Kacper Wysocki wrote:
>
> The problem is that the configuration file specifies only one
> certificate file for dovecot, which means only one Common Name, which
> means one cannot provide one server cert that will match mail.foo.com
> AND mail.bar.com, and either mary at foo.com or bob at bar.com will get a
> "Security Error: Domain Name Mismatch" in their mail client when
> connecting through IMAPS.
>
> How can I avoid this domain name mismatch error?

if you're using normal SSL (usually on port 993) each IP:PORT combination on the server can only have one SSL certificate. this is because the SSL negotiations happen before the internal protocol (in this case, IMAP) ever starts. the SSL protocol does not provide any way for the client to tell the server which hostname they're trying to connect to- the only thing the server knows is what IP and port the client connected to.

if you're using STARTTLS, the connection starts as normal, but instead of sending login credentials, the client sends a "STARTTLS" command of some kind, the server says OK, and then starts SSL negotiations within the existing socket. in that kind of scenario it's theoretically possible for the client to tell the server which hostname it wants (so the server can select the appropriate certificate) however i don't think the IMAP protocol has that capability.

this is the same kind of issue people run into with other SSL-encrypted services, such as SMTP-SSL or HTTPS. the problem is that when the SSL protocol was designed, they didn't think about a server having a need for multiple certificates, and there are too many existing SSL implementations in use right now to think realistically about changing the protocol at such a basic level.

it might be possible to construct a special certificate with multiple CN= fields, or with multiple "alternate name" fields (i forget the X.509 key for this field) however these are non-standard, and there's no guarantee that all clients will honour, or even understand, such certificates.

what i do on my own server is just tell all of my clients that they must use the name "secure.jms1.net" as their IMAP-SSL and SMTP-SSL server names. it doesn't affect the appearance of their outgoing mail at all (other than the "Received" headers, which would happen anyway.)

--------------------------------------------------------
| John M. Simpson  --  KG4ZOW  --  Programmer At Large |
| http://www.jms1.net/                 <jms1 at jms1.net> |
--------------------------------------------------------
|   Hope for America  --  http://www.ronpaul2008.com/  |
--------------------------------------------------------
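Added example, not part of the post above and not Dovecot's own code: a small Python check that tells an administrator which users would see the "Domain Name Mismatch" error for a given IMAPS certificate, before anyone rolls it out. It models certificates in the dict shape the standard-library `ssl` module returns from `getpeercert()` (that shape is real; the sample certificates and mailbox list below are constructed), and applies the name-matching rules mail clients actually use under RFC 2818 / RFC 6125. It goes a little beyond the post in covering the "alternate name" extension the author could not name, which is `subjectAltName` (standardised in X.509 / RFC 5280, and taking precedence over CN when present), and wildcard names.

```python
"""Which mail clients will get a "Domain Name Mismatch" from a given IMAPS cert?

Added example (not from the original post). Certificates are modelled in the
dict shape that ssl.SSLSocket.getpeercert() returns, and matched the way mail
clients do under RFC 2818 / RFC 6125: subjectAltName DNS entries are
authoritative when present, commonName is only a fallback, and a wildcard
may only be the whole left-most label and matches exactly one label.
"""
import socket
import ssl


def _name_matches(pattern, hostname):
    """Compare one certificate DNS name against the hostname the client typed."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        # "*.foo.com" matches "mail.foo.com" but neither "foo.com" nor
        # "a.b.foo.com": the wildcard stands for exactly one label.
        suffix = pattern[2:]
        labels = hostname.split(".")
        return len(labels) == suffix.count(".") + 2 and ".".join(labels[1:]) == suffix
    return False


def cert_names(cert):
    """DNS names the certificate asserts. SAN entries win; CN only if no SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def cert_matches(cert, hostname):
    """True if a client connecting to `hostname` accepts `cert` without a warning."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def mismatching_users(cert, users):
    """users maps mailbox -> the IMAPS server name configured in that mailbox's client.
    Returns the mailboxes whose client would show a name-mismatch error."""
    return sorted(addr for addr, host in users.items() if not cert_matches(cert, host))


def fetch_peer_cert(host, port=993, timeout=5.0):
    """Return the getpeercert() dict a live server presents on an IMAPS port.

    check_hostname is off so a wrong name does not abort the handshake, but the
    chain must still validate: getpeercert() returns {} for an unverified peer,
    so a self-signed server certificate cannot be inspected this way.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates and users mirroring the post's scenario.
SINGLE_CN_CERT = {"subject": ((("commonName", "mail.foo.com"),),)}
SAN_CERT = {
    "subject": ((("commonName", "mail.foo.com"),),),
    "subjectAltName": (("DNS", "mail.foo.com"), ("DNS", "mail.bar.com")),
}
USERS = {"mary@foo.com": "mail.foo.com", "bob@bar.com": "mail.bar.com"}
# The post's workaround: every client configures the one name the cert carries.
ONE_NAME_CERT = {"subject": ((("commonName", "secure.jms1.net"),),)}
ONE_NAME_USERS = {addr: "secure.jms1.net" for addr in USERS}

if __name__ == "__main__":
    for label, cert, users in [("single CN", SINGLE_CN_CERT, USERS),
                               ("SAN cert", SAN_CERT, USERS),
                               ("one shared name", ONE_NAME_CERT, ONE_NAME_USERS)]:
        print(f"{label:16} mismatch for: {mismatching_users(cert, users) or 'nobody'}")
```

Run it as-is to see the single-CN certificate fail for bob@bar.com while the SAN certificate and the shared-name arrangement satisfy everyone; replace the constructed dicts with `fetch_peer_cert("mail.example.net", 993)` to audit what a server really presents. For current deployments the second half of the post's analysis has also moved on: TLS now carries the requested hostname in the ClientHello (Server Name Indication, RFC 6066), and Dovecot releases from 2.2 onward select a certificate per name with a `local_name mail.foo.com { ssl_cert = ... ssl_key = ... }` block, so one IP:port can serve several domains without a multi-SAN certificate.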