[Dovecot] SSL / TLS
Timo Sirainen
tss at iki.fi
Sun Jul 12 21:32:58 EEST 2009
On Jul 12, 2009, at 2:21 PM, Ed W wrote:
> I meant that you could have one server (one IP) and when a customer
> connects they can connect to mail.theirdomain.com (CNAME or A to
> mail.ourserver.com) and not see warnings about the SSL cert not
> matching the address they are connecting to (ie the generic problem)
>
> Right now it requires a cert containing every possible destination
> server name on the single cert. This works, but it's hard to buy
> such certs. TLS (in general) offers the *possibility* to figure out
> what domain the customer is trying to connect to and present the
> correct cert up front.
>
> Sadly it still seems to break for email because you need the
> customer to AUTH before upgrading to SSL and this isn't usually what
> they do...
>
> By an extension I assume you mean there is actually some standard
> proposed to solve that bit of the puzzle, I wasn't even aware that
> was on the cards?
There's draft-hazewinkel-imap-vhost-00 from 6 years ago.
> As an aside, I see several other software projects now enabling the
> compression option when establishing an SSL connection - any chance
> you could look at enabling the relevant lines of code in Dovecot?
> We had this conversation some months/years back and it appeared
> simple on the dovecot side, but there is of course only still
> minimal client support (but at least we can break the chicken-egg
> situation)
I remember it was a few weeks ago :)
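The mechanism Ed W describes, a server learning which hostname the client wants before it presents a certificate, is the TLS Server Name Indication (SNI) extension: the client puts the host name in its ClientHello, and the server reads it before sending its certificate. The following is an added example, not Dovecot code and not from either poster; it builds a minimal ClientHello carrying an SNI extension, parses the name back out the way a server-side certificate selector would, and falls back to a default certificate when a client sends no SNI at all. The host names and certificate labels are constructed for the example. The same ClientHello is the first TLS message whether the connection is implicit TLS or has just been upgraded with STARTTLS, so the parser applies in both cases.

```python
"""Build and parse a TLS ClientHello to recover the SNI host name (added example)."""
import struct

SNI_EXTENSION = 0x0000      # extension type for server_name (RFC 6066)
HOST_NAME_TYPE = 0x00       # the only NameType defined for server_name


def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Return a TLS record holding a minimal ClientHello, optionally with SNI.

    The random bytes are all zero and the cipher list is tiny; this is a
    constructed test vector, not a hello a real client would send.
    """
    client_random = bytes(32)
    session_id = b""
    cipher_suites = b"\x00\x2f\x00\x35"          # two RSA/AES suites, any will do
    compression = b"\x00"                        # null compression only
    extensions = b""
    if include_sni and server_name:
        name = server_name.encode("idna")        # wire form is A-label ASCII
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    body = (b"\x03\x03" + client_random                     # client_version + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression)
    if extensions:                                          # extensions block is optional
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def extract_sni(record: bytes):
    """Return the host_name from the ClientHello's SNI extension, or None if absent.

    Raises ValueError on anything that is not a well-formed ClientHello record,
    which is what a server should do rather than guess.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                 # skip version and random
    pos += 1 + body[pos]                         # session_id
    pos += 2 + _u16(body, pos)                   # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                         # compression_methods
    if pos >= len(body):
        return None                              # legacy hello with no extensions block
    end = pos + 2 + _u16(body, pos)
    pos += 2
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:                        # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        pos += ext_len
        if ext_type == SNI_EXTENSION:
            return _parse_server_name(data)
    return None


def _parse_server_name(data: bytes):
    """Pull the first host_name entry out of a server_name extension body."""
    end = 2 + _u16(data, 0)
    p = 2
    while p + 3 <= end:
        name_type, name_len = data[p], _u16(data, p + 1)
        p += 3
        name = data[p:p + name_len]
        p += name_len
        if name_type == HOST_NAME_TYPE and len(name) == name_len:
            return name.decode("ascii")
    return None


def select_certificate(record: bytes, certs: dict, default):
    """Server-side policy: SNI name -> certificate, else the default certificate."""
    name = extract_sni(record)
    if name is None:
        return default
    return certs.get(name.lower(), default)


if __name__ == "__main__":
    # Constructed certificate table; values stand in for loaded cert/key pairs.
    certs = {"mail.example.net": "cert-example-net", "mail.example.org": "cert-example-org"}
    print(select_certificate(build_client_hello("mail.example.org"), certs, "cert-default"))
    print(select_certificate(build_client_hello("mail.example.com"), certs, "cert-default"))
    print(select_certificate(build_client_hello("", include_sni=False), certs, "cert-default"))
```

The fallback matters in practice: clients that send no SNI (old or minimal mail clients) must still get a usable certificate rather than a handshake failure, and an unknown name should map to the default rather than to nothing, since the client will do its own hostname check against whatever is presented.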