[Dovecot] SSL Compatibility? SNI vs SAN (Subject Alternative Names) and multiple domains
Thomas Harold
thomas-lists at nybeta.com
Wed Mar 16 21:44:31 EET 2011
Getting ready to redo our mail server setup and I'm trying to wrap my
head around the ins and outs and pitfalls involved in SSL, multiple
domains, and Dovecot. I've taken a look at:
http://wiki2.dovecot.org/SSL/DovecotConfiguration
My basic understanding at this point is that:
- With SSL for IMAP/POP3, it is limited to one certificate per IP
address, because the SSL process starts as soon as the client opens the
socket to the IP address. In order to support multiple domains / server
names, you have to rely on SAN (Subject Alternative Names) in the
server's SSL certificate.
- If I use STARTTLS for IMAP/POP3 and Dovecot 2.x, then the SNI process
will allow the client to specify that they want to talk to mail server
XYZ and Dovecot will hand the correct certificate to the client.
However, a lot of devices don't support SNI yet so this is fraught with
peril and incompatibilities.
So it seems like if I have fewer IP addresses than mail server names, I
should stick with a single SSL cert and use SANs. (Wildcard certs are
not an option due to the top level domain being different.)
How big of an issue is a cert with half a dozen or a dozen SANs
attached? Do most mail clients handle that sort of certificate properly
in order to access their mailboxes?
Reference links:
http://www.digicert.com/subject-alternative-name-compatibility.htm
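The post asks how a certificate with a dozen SANs behaves and notes that a wildcard cannot span different top level domains. The script below is an added example, not part of the original post and not Dovecot's own code: it builds two throwaway self-signed certificates with openssl, one listing four hypothetical mail host names across several top level domains as SANs and one carrying a single wildcard, and then uses openssl's own host name check (`openssl verify -verify_hostname`, the same kind of name matching a TLS client performs before trusting a server) to show which names each certificate covers. The host names, temporary file names and the helper names `make_cert`, `san_names` and `covers` are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): compare a multi-SAN certificate
# with a wildcard certificate using openssl's own host name check.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert LABEL CN "DNS:a,DNS:b" OUTFILE
# Builds a throwaway self-signed certificate whose SAN list is the third argument.
make_cert() {
  cat >"$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
[san]
subjectAltName = $3
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
    -config "$WORK/$1.cnf" -extensions san \
    -keyout "$WORK/$1.key" -out "$4" 2>/dev/null
}

# san_names CERT: print the DNS names in the certificate's SAN extension, one per line.
san_names() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# covers CERT HOST: succeed if openssl's host name check accepts HOST for CERT.
# The certificate is used as its own trust anchor, so only the name match matters.
covers() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Hypothetical mail host names on different top level domains (placeholders).
SAN_CERT="$WORK/san.pem"
make_cert san mail.example.com \
  "DNS:mail.example.com,DNS:mail.example.net,DNS:mail.example.org,DNS:imap.example.co.uk" \
  "$SAN_CERT"

# A single wildcard can only cover one label under one domain.
WILD_CERT="$WORK/wild.pem"
make_cert wild "*.example.com" "DNS:*.example.com" "$WILD_CERT"

echo "Names in the SAN certificate:"
san_names "$SAN_CERT" | sed 's/^/  /'

echo "Host name check results:"
for host in mail.example.com mail.example.net imap.example.co.uk a.b.example.com mail.other.org; do
  if covers "$SAN_CERT" "$host"; then s=accepted; else s=rejected; fi
  if covers "$WILD_CERT" "$host"; then w=accepted; else w=rejected; fi
  printf '  %-20s SAN cert: %-9s wildcard cert: %s\n' "$host" "$s" "$w"
done
```

The wildcard certificate is accepted only for `mail.example.com`; it is rejected for the other top level domains and for `a.b.example.com`, because a wildcard matches exactly one label. The SAN certificate is accepted for every name listed in its extension and rejected for a name that is not, regardless of how many entries it carries; the number of SANs does not change the matching rule, a client simply looks for an entry equal to the name it connected to.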