[Dovecot] Proxying, pertinent values and features, SNI

Christian Balzer chibi at gol.com
Thu Apr 4 05:56:09 EEST 2013


On Wed, 03 Apr 2013 11:13:41 +0100 Ed W wrote:

> Hi
> 
> > I presume to best support all(?) clients out there is to have
> > "local_name" sections for SNI first and then "local" sections for IP
> > address based certs. It is my understanding that SNI needs to be
> > requested by the client, so aside from client bugs (nah, those don't
> > exist ^o^) every client should get an appropriate response for TLS.
> > Has anybody done a setup like that already?
> >
> 
> Although not what you asked for, just so you are aware, Godaddy (boo 
> hiss, etc) offer reasonably inexpensive multi subject alt name based 
> certs.  This means you can have a single cert which is valid for lots of 
> completely different domain names.  The mild benefit is that this 
> doesn't require SNI support for SSL (which I'm unsure is supported by 
> many mail clients?)
> 
Yeah, I'm aware of multi-domain (SAN) certs, however there are 2 gotchas
with those that our support and the OEMs this is for might not approve of:

1. Only the primary host will actually be validated/authenticated, which
at least with some browsers will result in this being pointed out to the
user when they connect to a SAN. Not sure about mail clients, but webmail
is also in that overall deal, so support is probably not going to like the
potential "concerned you got hacked" phone calls from customers.

2. Despite the fact that it will be trivial for anybody to determine that
OEM A is now hosted with us, a SAN SSL makes all the SANs visible in one
go, something they probably don't want.

We're talking a small (10ish) number of OEMs here, so I'm happy and
willing to throw some IP addresses at this particular problem and have
everybody use (and deal with!) their own certs.

As for SNI, supposedly most PC clients will support it, while most mobile
ones don't. In my scenario it doesn't matter either way, the idea is to
hand the correct cert to a client that requests it via SNI and for all the
others based on the IP address they connected to.

If everybody can be taught to use only TLS (not IMAPS/POP3S) and all the
clients do support SNI, we can do away with the dedicated IP addresses.
Might even happen before the heat death of the universe. ^o^

Regards, 

Christian
-- 
Christian Balzer        Network/Systems Engineer                
chibi at gol.com   	Global OnLine Japan/Fusion Communications
http://www.gol.com/
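An added example of the layout Christian describes, not code from his post or from Dovecot's documentation: per-host `local_name` sections hand the matching certificate to clients that send SNI, and per-IP `local` sections cover the clients that don't. The hostnames, addresses and certificate paths are constructed placeholders.

```conf
# Added example, not part of the original post. Hostnames, IP addresses
# and certificate paths are constructed placeholders.

ssl = required

# Default certificate: served when neither an SNI name nor a local IP
# address below matches.
ssl_cert = </etc/dovecot/ssl/default.crt
ssl_key  = </etc/dovecot/ssl/default.key

# SNI: a client that names the server in its TLS ClientHello gets the
# certificate for that name, whichever IP address it connected to.
local_name mail.oem-a.example {
  ssl_cert = </etc/dovecot/ssl/oem-a.crt
  ssl_key  = </etc/dovecot/ssl/oem-a.key
}

local_name mail.oem-b.example {
  ssl_cert = </etc/dovecot/ssl/oem-b.crt
  ssl_key  = </etc/dovecot/ssl/oem-b.key
}

# IP fallback: a client without SNI is matched on the local address it
# connected to, so each OEM keeps a dedicated IP address for now.
local 192.0.2.10 {
  ssl_cert = </etc/dovecot/ssl/oem-a.crt
  ssl_key  = </etc/dovecot/ssl/oem-a.key
}

local 192.0.2.11 {
  ssl_cert = </etc/dovecot/ssl/oem-b.crt
  ssl_key  = </etc/dovecot/ssl/oem-b.key
}
```

To check both paths from a test host, connect to one OEM's address with and without a server name: `openssl s_client -connect 192.0.2.10:993 -servername mail.oem-b.example` should present the oem-b certificate (SNI wins), while the same command without `-servername` should present oem-a's (IP fallback). Any mismatch in the `subject`/`issuer` lines printed for those two cases means a client without SNI would be shown the wrong certificate for that address.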