[Dovecot] Dovecot replies with default SSL certificate instead of the vhost's

Jeroen Massar jeroen at massar.ch
Mon Sep 16 14:52:01 EEST 2013

On 2013-09-16 13:36, Reindl Harald wrote:
> Am 16.09.2013 13:33, schrieb Shadi Habbal:
>> After some digging, Subject Alternative Names (SANs) is the way to have one certificate which holds many domain names in the SubjectAltNames field
>> Here is a script to generate a CSR that holds different SANs: http://svn.cacert.org/CAcert/Software/CSRGenerator/csr
> that's nice but not practically useable
> you hardly can add a SAN everytime you get a new domain

It works perfectly for small time setups. Indeed, not scalable after a
few hundreds domains, but for private/small setups it works quite fine.

> the main question remains:
> * why is anybody doing this?

Because IPv4 addresses are running out (or harder/pricy to get) and not
all clients on IPv4 yet and thus you will have to have multiple certs on
a single IP instead of an IP each per cert.

Yep, with IPv6 you can easily go back to the old model... but unless one
does per-IP acl/ratelimits/filtering/etc why bother?

> * "the user wants "mail.hisdomain.tld" is *not* a valid reason and should
>   lead to explain the user the stupidity of doing so for no benefit

I don't see anything "stupid" about this. It is so much easier to
explain to a user "your email is xxx at example.com, your mail client does
the rest" than "oh, you need to use this mail server and that here and
that there".

Thunderbird (and likely other clients) autoconfigure by guessing
{mail|smtp|imap}.<domain> and thus a proper cert is nice to have there
instead of "warning untrusted mail.example.net!" everytime.

Thus it might not be suited for your use, it is definitely very useful
for other people.


More information about the dovecot mailing list