Hello all,

In advance, I hope you'll excuse my probably not perfect English, which is not my mother tongue.

I have always appreciated dovecot for its simplicity to set up and its light weight, but today, after many installations, I cannot find how to set up dovecot for my configuration.

- I use only IMAPS to retrieve the mails.
- I manage two domain names.
- I use CA-Cert certificates.

So, the question is: how to set up dovecot to select the appropriate certificate, according to the domain name I use when I retrieve mails using the IMAPS protocol?

Thanks.

Andre Rodier.
On Tue, 10 Jun 2008, Andre Rodier wrote:

> - I use only IMAPS to retrieve the mails.
> - I manage two domain names
> - I use CA-Cert certificates
>
> So, the question is: how to set up dovecot to select the appropriate
> certificate, according to the domain name I use when I retrieve mails
> using the IMAPS protocol?

Well, it is NOT possible, unless you use two different ways to connect to the IMAP server, which basically means you need two IP addresses or two port numbers.

Unfortunately, IMAP (and most other protocols out there) does not have the capability of virtual hosting as HTTP has (with the Host attribute). That means:

variant 1) IMAP over SSL
The client resolves the symbolic IMAP server name via DNS, then connects to a port on the numerical IP, then the SSL handshake takes place: there is no way for the server to know which cert to use, because no "domain name" is transferred to it. Then the user authenticates.

variant 2) IMAP with STARTTLS
The client resolves the symbolic IMAP server name via DNS, then connects to a port on the numerical IP, Dovecot returns the greeting, the client issues STARTTLS, then the SSL handshake takes place: there is no way for the server to know which cert to use, because no "domain name" is transferred to it. Then the user authenticates.

At least in variant 2) the IMAP standard could implement a way to pass the original host, but it doesn't. So the server must pick a certificate on its own. Therefore, you cannot host virtual IMAPS servers, but need physically separated ones.

Bye,

-- 
Steffen Kaiser
On Tue, 10 Jun 2008 08:01:38 pm Andre Rodier wrote:

> Hello all,
>
> In advance, I hope you'll excuse my probably not perfect English, which
> is not my mother tongue.

It's pretty good.

> I have always appreciated dovecot for its simplicity to set up and its
> light weight, but today, after many installations, I cannot find how to
> set up dovecot for my configuration.
>
> - I use only IMAPS to retrieve the mails.
> - I manage two domain names
> - I use CA-Cert certificates
>
> So, the question is: how to set up dovecot to select the appropriate
> certificate, according to the domain name I use when I retrieve mails
> using the IMAPS protocol?

It cannot. To do so would require "Server Name Indication" (RFC 3546) to be implemented. It also would require email clients to support it.

https://wiki.cacert.org/wiki/VhostTaskForce

An alternative is to get both names in the one certificate.

https://wiki.cacert.org/wiki/CSRGenerator

-- 
Daniel Black
Proudly a Gentoo Linux User.
Gnu-PG/PGP signed and encrypted email preferred
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x76677097
GPG Signature D934 5397 A84A 6366 9687 9EB2 861A 4ABA 7667 7097
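The certificate-side alternative Daniel points to (both names in one certificate), as an added example that is not from this thread and not Dovecot's own code: a client-side hostname check over the structure Python's `ssl.SSLSocket.getpeercert()` returns, showing that a single certificate whose subjectAltName lists both domain names satisfies a client connecting under either name, while a CN-only certificate covers just one. The matching rules follow RFC 6125 (SAN first, wildcard only as the whole leftmost label), which postdates this thread; the certificate contents and host names are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# one certificate that covers both of the poster's domain names (the
# host names are placeholders, not real hosts).
CERT_BOTH_DOMAINS: Dict = {
    "subject": ((("commonName", "imap.example-one.test"),),),
    "subjectAltName": (
        ("DNS", "imap.example-one.test"),
        ("DNS", "imap.example-two.test"),
        ("DNS", "*.example-two.test"),
    ),
}

# Constructed older-style certificate with no subjectAltName at all.
CERT_CN_ONLY: Dict = {
    "subject": ((("commonName", "imap.example-one.test"),),),
}


def dns_names(cert: Dict) -> List[str]:
    """Names the cert is valid for: SAN dNSName entries, else the CN.

    RFC 6125 rule: when DNS SANs are present, the CN is ignored entirely.
    """
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: '*' only as the whole leftmost label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # A wildcard stands for exactly one label and needs at least two
        # fixed labels after it (so "*.test" is rejected).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "im*.example.test"
    return p_labels == h_labels


def cert_matches_hostname(cert: Dict, hostname: str) -> bool:
    """True when the name the client connected under is covered by cert."""
    return any(_name_matches(n, hostname) for n in dns_names(cert))
```

With one certificate of the first shape, a single Dovecot listener on one IP and port serves clients of either domain without needing SNI at all.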
Hello all,

Thanks a lot for your answers. I was not sure it was possible anyway.

Thanks Steffen, for having taken the time to detail the IMAP protocol to me, and Daniel for your advice about the CSR and the vhost task force; I'll try them later.

André Rodier.