[Dovecot] Dovecot SSL limitations
AllenJB
dovecot at allenjb.me.uk
Mon Nov 30 23:32:24 EET 2009
Thomas Hummel wrote:
> Hello Timo,
>
> I'd like to check if my understanding of dovecot-1.2.x's SSL certificate
> handling is correct :
>
> SSL does not provide the server any mechanism to choose which certificate
> it must send relatively to the name the client is using. Thus, if you want to
> use different certificates, you have to listen to different addresses. This is
> an SSL limitation, not a dovecot nor IMAP limitation.
>
> This is the reason why it's possible to use different certificates for IMAP
> and POP3. But it seems to work only with those two :
>
> As a matter of fact, even if you listen to different addresses, how would
> you tell dovecot to send this certificate for this address and that certificate
> for that address, since there is no IP dependent section (as in apache IP-based
> virtual host for instance) ? It seems the only way would be to have more than
> one instance of dovecot (several dovecot with different config files).
>
> The problem is that some clients may be configured with mail.my.domain, some
> others with imap.my.domain, ...etc... Hence the need to have different
> certificates with those different names as cn.
>
Possibly off-topic from what the OP wants, but couldn't TLS Server Name
Indication (SNI) be used to overcome the single server certificate
limitation?
AllenJB
More information about the dovecot
mailing list