dovecot - Aug 2008 - virtual domains and SSL certificates

Hi all,

I have dovecot 1.1.0 setup to access vpopmail accounts for several
virtual domains.
Dovecot IMAP is accessed through several virtual domains as well, ie
mail.foo.com an d mail.bar.com
The problem is that the configuration file specifies only one
certificate file for dovecot, which means only one Common Name, which
means one cannot provide one server cert that will match mail.foo.com
AND mail.bar.com, and either mary at foo.com or bob at bar.com will get a
"Security Error: Domain Name Mismatch" in their mail client when
connecting through IMAPS.

How can I avoid this domain name mismatch error?

Regards,
 Kacper Wysocki

Kacper Wysocki escreveu:
> Hi all,
>
> I have dovecot 1.1.0 setup to access vpopmail accounts for several
> virtual domains.
> Dovecot IMAP is accessed through several virtual domains as well, ie
> mail.foo.com an d mail.bar.com
> The problem is that the configuration file specifies only one
> certificate file for dovecot, which means only one Common Name, which
> means one cannot provide one server cert that will match mail.foo.com
> AND mail.bar.com, and either mary at foo.com or bob at bar.com will get a
> "Security Error: Domain Name Mismatch" in their mail client when
> connecting through IMAPS.
>
> How can I avoid this domain name mismatch error?
>   
a) Use a single host name for all domains.

b) If you really want different hostnames for all domains, you'll need 
one IP address for each domain. Dovecot can at this moment listen on 
several addresses, but it only uses one SSL certificate for all of them, 
which means you would need several dovecot instantes running.

Which leads us to the request: could it be that in a future version one 
could select a different certificate for each IP that Dovecot listens to?

On 8/7/2008, Eduardo M KALINOWSKI (eduardo at kalinowski.com.br)
wrote:
> Which leads us to the request: could it be that in a future version
> one could select a different certificate for each IP that Dovecot
> listens to?
If I am not mistaken, this is already on the radar for 2.0...

-- 

Best regards,

Charles

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2008-08-07, at 1143, Kacper Wysocki wrote:
>
> The problem is that the configuration file specifies only one
> certificate file for dovecot, which means only one Common Name, which
> means one cannot provide one server cert that will match mail.foo.com
> AND mail.bar.com, and either mary at foo.com or bob at bar.com will get a
> "Security Error: Domain Name Mismatch" in their mail client when
> connecting through IMAPS.
>
> How can I avoid this domain name mismatch error?
if you're using normal SSL (usually on port 993) each IP:PORT  
combination on the server can only have one SSL certificate. this is  
because the SSL negotiations happen before the internal protocol (in  
this case, IMAP) ever starts. the SSL protocol does not provide any  
way for the client to tell the server which hostname they're trying to  
connect to- the only thing the server knows is what IP and port the  
client connected to.

if you're using STARTTLS, the connection starts as normal, but instead  
of sending login credentials, the client sends a "STARTTLS" command of
some kind, the server says OK, and then starts SSL negotiations within  
the existing socket. in that kind of scenario it's theoretically  
possible for the client to tell the server which hostname it wants (so  
the server can select the appropriate certificate) however i don't  
think the IMAP protocol has that capability.

this is the same kind of issue people run into with other SSL- 
encrypted services, such as SMTP-SSL or HTTPS. the problem is that  
when the SSL protocol was designed, they didn't think about a server  
having a need for multiple certificates, and there are too many  
existing SSL implementations in use right now to think realistically  
about changing the protocol at such a basic level.

it might be possible to construct a special certificate with multiple  
CN= fields, or with multiple "alternate name" fields (i forget the X. 
509 key for this field) however these are non-standard, and there's no  
guarantee that all clients will honour, or even understand, such  
certificates.

what i do on my own server is just tell all of my clients that they  
must use the name "secure.jms1.net" as their IMAP-SSL and SMTP-SSL  
server names. it doesn't affect the appearance of their outgoing mail  
at all (other than the "Received" headers, which would happen anyway.)

- --------------------------------------------------------
| John M. Simpson  --  KG4ZOW  --  Programmer At Large |
| http://www.jms1.net/                 <jms1 at jms1.net> |
- --------------------------------------------------------
|   Hope for America  --  http://www.ronpaul2008.com/  |
- --------------------------------------------------------





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFImyNej42MmpAUrRoRAnAuAJ0VnIwa6jpkwODwlfcGJL6dK/c9AQCdF9lq
bQSR7ebRO4WBkV8HSpgMeC0=Gue5
-----END PGP SIGNATURE-----