[Dovecot] Two server certificates for two common names

Δημήτριος Καραπιπέρης dimkar at thessaloniki.gr
Wed Aug 26 22:13:31 EEST 2009


Basically, the server is not expecting any kind of domain on the SSL handshake,
but what if the server can serve more than one cert, so that clients
using mail1.dom.gr and mail2.dom.gr, which resolve to the same dovecot
instance but from different network segments,
could be certified?

mail1.dom.gr -> 10.65.0.45  (private one)
mail2.dom.gr -> 84.205.252.78
(random numbers)

In essence, it is the same dovecot instance.

Dimitrios

Ed W wrote:
> Δημήτριος Καραπιπέρης wrote:
>> So,
>> on one dovecot instance, it is impossible to have two SSL
>> certificates for two distinct common names,
>> right?
>>
>
> You are kind of asking two questions here:
>
> 1) SSL as it stands maps one IP address to one certificate.  The basic 
> issue is that, bar a few exceptions, there is no clear way to connect 
> to an IP address and say what "domain" you are expecting to see on the 
> other end, hence allowing the other end to present the domain specific 
> cert.  This is currently not fixable, but you can work around it by 
> getting one cert with all your CNs on it (see Subject Alt Name)
>
> 2) Does Dovecot support running on 2 ips with different certs on each 
> IP?  I think the answer is currently no?  You could run two dovecot 
> instances though...  I believe this is on the todo list for a later 
> version, but as yet not that high up the priority list? (Timo?)  So 
> this bit is fixable in various ways
>
> Does that help?
>
> Ed W
>
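Ed's workaround of one certificate carrying both names in its Subject Alt Name, as an added example that is not part of the thread: the two hostnames are the ones from the message; the working directory, file names and key size are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build one self-signed certificate whose
# Subject Alt Name lists both mail1.dom.gr and mail2.dom.gr, then check which
# names it covers. WORKDIR, file names and the RSA key size are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an OpenSSL request config with a SAN extension naming both hosts,
# then issue a self-signed cert/key pair from it. Prints the cert path.
make_san_cert() {
    cat > "$WORKDIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = mail1.dom.gr
[v3_san]
subjectAltName = DNS:mail1.dom.gr, DNS:mail2.dom.gr
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORKDIR/san.cnf" \
        -keyout "$WORKDIR/dovecot.key" -out "$WORKDIR/dovecot.pem" 2>/dev/null
    echo "$WORKDIR/dovecot.pem"
}

# Return 0 if the certificate's SAN DNS entries contain exactly HOSTNAME,
# 1 otherwise (a client checks the name it connected with against this list).
cert_covers() {
    cert="$1"; host="$2"
    openssl x509 -in "$cert" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//' \
        | grep -Fxq "DNS:$host"
}

# Stand-alone usage: report which of the two names the new cert covers.
CERT=$(make_san_cert)
for h in mail1.dom.gr mail2.dom.gr; do
    cert_covers "$CERT" "$h" && echo "$h: covered by $CERT"
done
```

With this one file as Dovecot's ssl_cert, a client connecting to either name validates against the same listener, so no second IP or second instance is needed for this case.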
