Can I set a different certificate per listen port?

Kees van Vloten keesvanvloten at gmail.com
Thu Apr 28 08:01:00 UTC 2022


On 28-04-2022 at 07:30, Aki Tuomi wrote:
>> On 27/04/2022 22:14 Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>
>>   
>> Hi all,
>>
>> I am trying to set up dovecot to listen to imaps on the local network and
>> through haproxy from the internet.
>>
>> service imap-login {
>>     inet_listener imaps {
>>       port = 993
>>       ssl = yes
>>     }
>>     inet_listener imaps_haproxy {
>>       haproxy = yes
>>       port = 10993
>>       ssl = yes
>>     }
>> }
>>
>> Obviously the dns-name on the internet connection (10993) is different
>> than on the lan (993).
>>
>> In the docs
>> (https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/)
>> I found multiple options, but unfortunately none of those have the
>> option to distinguish per listen port.
>>
>> Is there a way to set up two different certificates for the two listeners?
>>
>> - Kees
> Hi!
>
> Currently port is not supported. What we usually recommend here is that you use haproxy to distribute connections to different local IP addresses and use
>
> local 127.0.0.5/32 {
>    ssl_cert=</path
>    ssl_key=</path
> }
>
> Aki

Hi Aki,

Would it then look like this?


Internet -> haproxy on dmz-server -> haproxy on mailserver -> dovecot on 127.0.0.5


- Kees