NAJIMA Hiroki
2005-Jan-12 15:20 UTC
[Dovecot] REQUEST: Different port(protocol) should be able to use a different certification.
Hello,
I want to use a different certificate for a different port (protocol).
I searched http://wiki.dovecot.org/ and the mail archives, but such a
mechanism was not found.
Could you implement such a mechanism?
Or, if it is already implemented, please teach me how to do it.
I am assuming the following situation.
MailAddress: [users]@example.com
SMTP Server: smtp.example.com
POP3 Server: pop3.example.com
IMAP Server: imap.example.com
And
pop3, imap, smtp are aliases of real.example.com
When using IMAPS, the user connects to imap.example.com
When using POP3S, the user connects to pop3.example.com
But one certificate file certifies only one FQDN.
For example, dovecot.conf is written like this:
protocols = imaps pop3s
ssl_cert_file = /etc/ssl/certs/imap.example.com.cert.pem
ssl_key_file = /etc/ssl/private/imap.example.com.key.pem
# imap.example.com.cert.pem's CN is imap.example.com
In this pattern, an MUA such as Thunderbird warns when connecting to pop3s
because the FQDN is different.
I have a simple idea for this problem.
dovecot.conf
protocols = imaps pop3s
- ssl_cert_file = /etc/ssl/certs/imap.example.com.cert.pem
- ssl_key_file = /etc/ssl/private/imap.example.com.key.pem
# certification for imaps
+ imaps_ssl_cert_file = /etc/ssl/certs/imap.example.com.cert.pem
+ imaps_ssl_key_file = /etc/ssl/private/imap.example.com.key.pem
# certification for pop3s
+ pop3s_ssl_cert_file = /etc/ssl/certs/pop3.example.com.cert.pem
+ pop3s_ssl_key_file = /etc/ssl/private/pop3.example.com.key.pem
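Review bot: the two `-` lines remove the global ssl_cert_file / ssl_key_file pair and leave no fallback, so any protocol later added to `protocols` without its own prefixed pair would have no certificate or key configured. Consider keeping the global pair as the default and letting imaps_ssl_* and pop3s_ssl_* override it only where they are set.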
Dovecot uses imaps_ssl_cert/key whenever an MUA connects to the imaps port, and
uses pop3s_ssl_cert/key whenever an MUA connects to Dovecot's pop3s port.
Could you discuss it?
#If it was already discussed, please show a pointer (URL) to that discussion.
Regards.
-----
NAJIMA Hiroki
Timo Sirainen
2005-Jan-13 13:24 UTC
[Dovecot] REQUEST: Different port(protocol) should be able to use a different certification.
On Thu, 2005-01-13 at 00:20 +0900, NAJIMA Hiroki wrote:
> I want to use a different certificate for a different port(protocol).
> I searched http://wiki.dovecot.org/ and the mail archives. But such
> mechanism were not found.
> Could you implement a such mechanism?
> Or already implemented it, please teach how to do.

With 1.0-tests it's possible to do:

protocol imap {
  ssl_cert_file = ..
  ssl_key_file = ..
}

protocol pop3 {
  ssl_cert_file = ..
  ssl_key_file = ..
}
NAJIMA Hiroki
2005-Jan-14 07:06 UTC
[Dovecot] REQUEST: Different port(protocol) should be able to use a different certification.
Hello,

Timo Sirainen wrote:
> With 1.0-tests it's possible to do:
>
> protocol imap {
>   ssl_cert_file = ..
>   ssl_key_file = ..
> }
>
> protocol pop3 {
>   ssl_cert_file = ..
>   ssl_key_file = ..
> }
>

Thank you for the information, and I apologize for my careless search.
I found a discussion of the same issue, "[Dovecot] dovecot with different POP3S / IMAPS Certs".
I read test-61's configuration file. It seems good.

Thanks
-----
NAJIMA Hiroki
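The hostname check behind the MUA warning described in the first message, as an added example that is not part of the thread or of Dovecot's code. It goes slightly beyond the thread by also handling subjectAltName and wildcard names, which clients consult too; the certificate dicts are constructed sample data in the shape Python's `ssl` module returns from `getpeercert()`, and all function names are hypothetical.

```python
# Added example: every certificate below is constructed, not read from a server.

def cert_names(cert):
    """DNS names a client checks: subjectAltName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, the CN is not consulted
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def mismatches(served):
    """served: {protocol: (hostname the MUA dials, cert dict)}.
    Returns the protocols on which the client would raise a name warning."""
    return sorted(proto for proto, (host, cert) in served.items()
                  if not any(name_matches(n, host) for n in cert_names(cert)))

def cn_cert(cn):
    """Build a constructed certificate dict carrying only a commonName."""
    return {"subject": ((("commonName", cn),),)}

IMAP_CERT = cn_cert("imap.example.com")
POP3_CERT = cn_cert("pop3.example.com")

# One global ssl_cert_file shared by both ports (the situation in the request).
SINGLE_CERT = {"imaps": ("imap.example.com", IMAP_CERT),
               "pop3s": ("pop3.example.com", IMAP_CERT)}

# One certificate per protocol block (the layout from the reply).
PER_PROTOCOL = {"imaps": ("imap.example.com", IMAP_CERT),
                "pop3s": ("pop3.example.com", POP3_CERT)}

if __name__ == "__main__":
    print("single cert, warnings on:", mismatches(SINGLE_CERT))
    print("per-protocol certs, warnings on:", mismatches(PER_PROTOCOL))
```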