Cert for ip range?

Mark Moseley moseleymark at gmail.com
Wed Nov 27 23:05:40 EET 2019


On Wed, Nov 27, 2019 at 11:31 AM Aki Tuomi <aki.tuomi at open-xchange.com>
wrote:

>
> > On 27/11/2019 21:28 Mark Moseley via dovecot <dovecot at dovecot.org>
> wrote:
> >
> >
> > On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot <
> dovecot at dovecot.org> wrote:
> > >
> > >  On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> > >  > Is it possible to configure a network for a cert instead of an ip?
> > >  >
> > >  > Something like this:
> > >  >
> > >  > local 192.0.2.0 {
> > >  > ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
> > >  > ssl_key = </etc/ssl/dovecot/imap-02.example.com.key.pem
> > >  > }
> > >  >
> > >  > Or
> > >  >
> > >  > local 192.0.2.0/24 {
> > >  > ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
> > >  > ssl_key = </etc/ssl/dovecot/imap-02.example.com.key.pem
> > >  > }
> > >  >
> > >  > https://wiki.dovecot.org/SSL/DovecotConfiguration
> > >  >
> > >  >
> > >  >
> > >
> > >  Local part supports that.
> > >
> > >  Aki
> >
> >
> > On the same topic (though I can start a new thread if preferable), it
> doesn't appear that you can use wildcards/patterns in the 'local' name,
> unless I'm missing something--which is quite likely.
> >
> > If it's not possible currently, can I suggest adding that as a feature?
> That is, instead of having to list out all the various SNI hostnames that a
> cert should be used for (e.g. "local pop3.example.com imap.example.com
> pops.example.com pop.example.com .... {" -- and on and on), it'd be handy to
> be able to just say "local *.example.com {" and call it a day. I imagine
> there'd be a bit of a slowdown, since you'd have to loop
> through patterns on each connection (instead of what I assume is a hash
> lookup), esp for people with significant amounts of 'local's.
> >
>
> Actually that is supported, but you need to use v2.2.35 or later.
>
>
Ha, it literally *never* fails (that there's some option I've overlooked 10
times, before asking on the list).

'local' vs 'local_name'. Never noticed the difference before in the docs.
Might be worth adding a blurb in
https://wiki.dovecot.org/SSL/DovecotConfiguration that 'local_name' takes
'*'-style wildcard (at least in the beginning of the hostname). I'll resume
my embarrassed silence now. :)
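As an added illustration of the distinction the thread settles on (not code from the list or from the Dovecot project), here is a constructed dovecot.conf fragment pairing a `local` block keyed on a CIDR range with a `local_name` block using a leading wildcard; the hostnames, certificate paths and the 192.0.2.x addresses are placeholders, and the wildcard form assumes v2.2.35 or later as Aki states.

```conf
# Fallback certificate, served when no local/local_name block below matches.
ssl = required
ssl_cert = </etc/ssl/dovecot/default.cert.pem
ssl_key = </etc/ssl/dovecot/default.key.pem

# 'local' matches the listening IP address the client connected to.
# A CIDR network is accepted, so one block covers all of 192.0.2.0/24.
local 192.0.2.0/24 {
  ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
  ssl_key = </etc/ssl/dovecot/imap-02.example.com.key.pem
}

# 'local_name' matches the TLS SNI server name the client sends.
# A leading '*' wildcard needs Dovecot v2.2.35 or later (per the thread);
# several names may also be listed in one block, separated by spaces.
local_name *.example.com {
  ssl_cert = </etc/ssl/dovecot/wildcard.example.com.cert.pem
  ssl_key = </etc/ssl/dovecot/wildcard.example.com.key.pem
}

# To confirm which certificate a given SNI name actually receives, run from a
# client host (192.0.2.10 is a constructed listener address):
#   openssl s_client -connect 192.0.2.10:993 -servername imap.example.com </dev/null \
#     | openssl x509 -noout -subject
```

Repeat the check with a name that matches no block to verify that the fallback certificate, not a neighbouring block's, is the one served.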