[Dovecot] TLS / SSL mixed w/ plaintext auth and virtual hosting

Nathan M locu.lists at gmail.com
Thu Aug 27 04:27:12 EEST 2009


Traditionally this server has only accepted plaintext authentications;
however, we want to change that and enable TLS/SSL.  The challenge is
that the server has hundreds of IP addresses that it binds to in order
to listen on ports 110/143.

Enabling TLS/SSL is not an option because this is a virtual hosting
environment: if a connection comes in on any hostname other than the
specific one tied to the crt, all mail clients will throw a mismatched
certificate error if TLS is initiated by the client, and a surprisingly
large number of customers have "use TLS if available" selected in their
clients.

According to most of the suggestions on the list, I've set up 2 dovecot
instances. The first listens on *:110 and *:143, and the second listens
on 10.0.0.2:993 and 10.0.0.2:995.  This works great for SSL support;
however, I would also like to offer TLS to connections coming in on a
single IP address.

Because the server has hundreds of IPs, with new IPs being added all the
time, seemingly the only way would be to configure every one of these
IPs (as they occur) into the primary dovecot.conf file, and then only
set up the single IP that's handling SSL/TLS in the dovecot-ssl.conf
(the conf file the SSL/TLS instance loads).  This can be time consuming
and there is no way to automate it.  It would be terrific if one of the
following exists, or potentially could exist:

1. Ideal scenario.  A config option which tells TLS to only respond on
certain IPs.  In our case if a connection attempts to initiate TLS on
any IP address except 10.0.0.2, it would respond with no TLS support.
This would be ideal as we could continue running just a single dovecot
instance.

2. Secondary scenario.  A way to exclude an IP from being bound to.
Something like the following to bind to all except 10.0.0.2:
      listen = *:110, -10.0.0.2

As is, based on my understanding of the config, neither of these is an
option.  Any support for adding either of these options, or alternate
ideas anyone might have?

- N
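Whichever of the two scenarios ends up in the config, the operator still needs a way to confirm that STARTTLS/STLS is offered only on the intended address and nowhere else. The following audit script is an added example, not part of the post or of Dovecot: it connects in plaintext to IMAP (143) and POP3 (110) on each listener, asks for the capability list, and reports any address whose advertised STARTTLS support disagrees with a policy table. The policy table (only 10.0.0.2 offers TLS) and the sample replies in the test are constructed from the post's description.

```python
import socket
import sys

# Constructed policy for the setup in the post: only 10.0.0.2 should offer
# STARTTLS/STLS; any address missing from the table is expected to offer none.
STARTTLS_EXPECTED = {"10.0.0.2": True}

PORT_TOKEN = {143: "STARTTLS", 110: "STLS"}            # IMAP vs POP3 capability name
PORT_COMMAND = {143: b"a1 CAPABILITY\r\n", 110: b"CAPA\r\n"}
PORT_QUIT = {143: b"a2 LOGOUT\r\n", 110: b"QUIT\r\n"}


def advertises_starttls(reply_lines, port):
    """True if an IMAP CAPABILITY / POP3 CAPA reply lists STARTTLS or STLS.

    Works for the tagged reply, for POP3's one-capability-per-line form and
    for Dovecot's "* OK [CAPABILITY ...]" greeting, where the last token
    carries a closing bracket.
    """
    token = PORT_TOKEN[port]
    for line in reply_lines:
        words = [w.strip("[]").upper() for w in line.split()]
        if token in words:
            return True
    return False


def policy_mismatch(ip, port, reply_lines, expected=STARTTLS_EXPECTED):
    """Return a description when the listener deviates from policy, else None."""
    want = expected.get(ip, False)
    got = advertises_starttls(reply_lines, port)
    if want == got:
        return None
    return (f"{ip}:{port} {'offers' if got else 'lacks'} {PORT_TOKEN[port]} "
            f"but policy says {'yes' if want else 'no'}")


def probe(ip, port, timeout=5.0):
    """Plaintext connect, request capabilities, return greeting + reply as lines."""
    buf = b""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        buf += s.recv(4096)            # greeting; Dovecot IMAP may embed CAPABILITY here
        s.sendall(PORT_COMMAND[port])
        buf += s.recv(4096)            # capability reply (one read is enough for an audit)
        s.sendall(PORT_QUIT[port])
    return buf.decode("ascii", "replace").splitlines()


if __name__ == "__main__":             # usage: python audit.py 10.0.0.2 192.0.2.5 ...
    for ip in sys.argv[1:]:
        for port in PORT_COMMAND:
            try:
                problem = policy_mismatch(ip, port, probe(ip, port))
            except OSError as err:
                problem = f"{ip}:{port} unreachable: {err}"
            print(problem or f"{ip}:{port} matches policy")
```

Run it against the full listener list after every config change; a line reporting "offers STARTTLS" on a shared-hosting address is exactly the situation the post wants to avoid.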

