[Dovecot] Multiple SSL certificates with dovecot.

Steffen Kaiser skdovecot at smail.inf.fh-bonn-rhein-sieg.de
Tue Jun 10 15:40:53 EEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 10 Jun 2008, Andre Rodier wrote:

> - I use only IMAPS to retrieve the mails.
> - I manage two domain names
> - I use CA-Cert certificates
>
> So, the question is: how to setup dovecot to select the appropriate
> certificate, according to the domain name I use when I retrieve mails
> using the IMAPS protocol?

Well, it is NOT possible, unless you use two different ways to connect to 
the IMAP server - which basically means you need two IP addresses or two 
port numbers.

Unfortunately, IMAP (and most other protocols out there) do not have the 
capability of Virtual Hosting as HTTP (with the Host attribute).

That means:

variant 1) IMAP over SSL
the client resolves the symbolic IMAP server name via DNS, then connects 
to a port on the numerical IP, then the SSL handshake takes place: There is no 
way for the server to know which cert to use, because there is no "domain name" 
transferred to it. Then the user authenticates.

variant 2) IMAP with STARTTLS
the client resolves the symbolic IMAP server name via DNS, then connects
to a port on the numerical IP, Dovecot returns the greeting, the client
issues STARTTLS, then the SSL handshake takes place: There is no way for the
server to know which cert to use, because there is no "domain name" transferred
to it. Then the user authenticates.

At least in variant 2) the IMAP standard could implement a way to pass the 
original host, but it doesn't. So the server must pick a certificate on its 
own.

Therefore, you cannot host virtual IMAPS servers, but need physically 
separated ones.

Bye,

- -- 
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFITnZXVJMDrex4hCIRAu16AKCTGca3JT526uTurcvOyZRmOMjajQCfY/7n
Q7G5vzzM9JWQ1ULGGXocK2Y=
=SgDM
-----END PGP SIGNATURE-----
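The point of the reply above is that the server picks its certificate by the IP address and port the client reached, never by the hostname the client typed, and that it is the client's own name check that then fails for the "other" domain. The following Python script is an added example (not from the thread, not Dovecot code) that models exactly that: a per-(IP, port) certificate lookup on the server side, and an RFC 6125-style hostname match on the client side. The certificate dicts and the IP/port/hostnames are constructed to mimic the shape of `ssl.SSLSocket.getpeercert()`; no real key material or network is involved. It also goes one step beyond the thread by showing a single certificate that carries both names in its subjectAltName, which is the other way out of the one-IP, one-port constraint.

```python
"""Certificate selection vs. client hostname check for the IMAPS case above.

Constructed example: the certificate dicts imitate the structure returned by
ssl.SSLSocket.getpeercert(); all names and addresses are hypothetical.
"""

# Constructed certificates in getpeercert() shape (hypothetical names).
CERT_DOMAIN_A = {
    "subject": ((("commonName", "imap.example-a.test"),),),
    "subjectAltName": (("DNS", "imap.example-a.test"),),
}
CERT_DOMAIN_B = {
    "subject": ((("commonName", "imap.example-b.test"),),),
    "subjectAltName": (("DNS", "imap.example-b.test"),),
}
# One certificate carrying both names: what avoids the second IP or port.
CERT_BOTH = {
    "subject": ((("commonName", "imap.example-a.test"),),),
    "subjectAltName": (
        ("DNS", "imap.example-a.test"),
        ("DNS", "imap.example-b.test"),
    ),
}


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a single '*' is allowed only as
    the whole leftmost label, must match a non-empty label and cannot span
    a dot; at least two fixed labels must follow the wildcard."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names a client may match against: the DNS subjectAltName entries,
    falling back to the subject commonName only when no SAN is present."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]


def hostname_matches(cert, hostname):
    """Would a verifying client accept `cert` for the name it connected to?"""
    return any(_dns_name_matches(n, hostname) for n in cert_names(cert))


def select_certificate(listeners, ip, port):
    """The only choice the server can make in the scenario from the thread:
    the certificate is bound to the (IP, port) the client reached, because no
    hostname is on the wire before the handshake (in either variant)."""
    return listeners[(ip, port)]


def client_outcome(listeners, ip, port, expected_host):
    """Simulate one connection: server picks by socket, client checks by name."""
    return hostname_matches(select_certificate(listeners, ip, port), expected_host)


if __name__ == "__main__":
    # One listener, one certificate: the second domain fails verification.
    single = {("192.0.2.10", 993): CERT_DOMAIN_A}
    print("single listener, domain A:",
          client_outcome(single, "192.0.2.10", 993, "imap.example-a.test"))
    print("single listener, domain B:",
          client_outcome(single, "192.0.2.10", 993, "imap.example-b.test"))
    # Two ports (or two IPs), one certificate each: both domains verify.
    two_ports = {("192.0.2.10", 993): CERT_DOMAIN_A,
                 ("192.0.2.10", 9993): CERT_DOMAIN_B}
    print("two ports, domain B on 9993:",
          client_outcome(two_ports, "192.0.2.10", 9993, "imap.example-b.test"))
    # One listener with a certificate that lists both names.
    san = {("192.0.2.10", 993): CERT_BOTH}
    print("SAN cert, domain B:",
          client_outcome(san, "192.0.2.10", 993, "imap.example-b.test"))
```

The `select_certificate` lookup is deliberately keyed on nothing but the socket address, which is the whole content of the reply: in both the IMAPS and the STARTTLS variant the server has no hostname at the moment it must present a certificate, so a second domain needs either a second (IP, port) pair or a certificate whose names cover both domains.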

