[Dovecot] Multiple SSL certificates with dovecot.
Steffen Kaiser
skdovecot at smail.inf.fh-bonn-rhein-sieg.de
Tue Jun 10 15:40:53 EEST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tue, 10 Jun 2008, Andre Rodier wrote:
> - I use only IMAPS to retrieve the mails.
> - I manage two domain names
> - I use CA-Cert certificates
>
> So,the question is : how to setup dovecot to select the appropriate
> certificate, according to the domain name I use when I retrieve mails
> using the IMAPS protocol ?
Well, it is NOT possible, unless you use two different ways to connect to
the IMAP server - which basically means you need two IP addresses or two
port numbers.
Unfortunately, IMAP (and most other protocols out there) do not have the
capability of Virtual Hosting as HTTP (with the Host attribute).
That means:
variant 1) IMAP over SSL
the client resolves the symbolic IMAP server name via DNS, then connects
to a port on the numerical IP, then SSL handshake takes place: There is no
way for the server, with cert to use, because there is no "domain name"
transferred to it. Then the user authentificates.
variant 2) IMAP with STARTTLS
the client resolves the symbolic IMAP server name via DNS, then connects
to a port on the numerical IP, Dovecot returns the greeting, the client
issues STARTTLS, then SSL handshake takes place: There is no way for the
server, with cert to use, because there is no "domain name" transferred
to it. Then the user authentificates.
At least in variant 2) the IMAP standard could implement a way to pass the
original host, but it isn't. So the server must pick a certificate for its
own.
Therefore, you cannot host virtual IMAPS servers, but need physically
separated ones.
Bye,
- --
Steffen Kaiser
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFITnZXVJMDrex4hCIRAu16AKCTGca3JT526uTurcvOyZRmOMjajQCfY/7n
Q7G5vzzM9JWQ1ULGGXocK2Y=
=SgDM
-----END PGP SIGNATURE-----
More information about the dovecot
mailing list