[Dovecot] Dovecot replies with default SSL certificate instead of the vhost's

Reindl Harald h.reindl at thelounge.net
Mon Sep 16 15:36:49 EEST 2013

Am 16.09.2013 13:52, schrieb Jeroen Massar:
> On 2013-09-16 13:36, Reindl Harald wrote:

>> the main question remains:
>> * why is anybody doing this?
> Because IPv4 addresses are running out (or harder/pricy to get) and not
> all clients on IPv4 yet and thus you will have to have multiple certs on
> a single IP instead of an IP each per cert

the main question was why deal with different server names at all
and not about IPv4 and how many IP addresses you get

"mail.hosting-company.tld" with a certificate, PTR-record and A-Record
and you are done for 100, 1000, 10000, 100000 domains

>> * "the user wants "mail.hisdomain.tld" is *not* a valid reason and should
>>   lead to explain the user the stupidity of doing so for no benefit
> I don't see anything "stupid" about this. It is so much easier to
> explain to a user "your email is xxx at example.com, your mail client does
> the rest" than "oh, you need to use this mail server and that here and
> that there".


you need to privide the user his username and password anyway
so no there is no magical configuration at all
so what makes it hard to write one line more?

* mailserver: mail.hosting-company.tld
* username: you at yourdomain.tld
* password: yourpassword

> Thunderbird (and likely other clients) autoconfigure by guessing
> {mail|smtp|imap}.<domain> and thus a proper cert is nice to have there
> instead of "warning untrusted mail.example.net!" everytime

"mail.example.net" does not need to exist at all

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20130916/9af776d6/attachment.bin>

More information about the dovecot mailing list