dovecot - Aug 2009 - Two server certificates for two common names

Hi there!

I have two DNS records
  mail1.domain.tld
  mail2.domain.tld

I have issued SSL server Certificates for both my domain names.
Is it possible to tell dovecot to use both , depending on
client access;
clients using the mail1.domain.tld be served by the mail1.domain.tld 
.key and .cert
and those using mail2.domain.tld be served by the mail2.domain.tld  .key 
and .cert

Thanks in advance
Dimitrios

That is an ssl imposibility, and the current tls clients can't really  
do that either. The best way to do it is to use seperate ip's for  
mail1 and mail2.

The only other option is to use a new certificate with  
subject-alt-names, but lots of email clients don't support that.  
Webbrowsers have for a long time now, but email is completely different.

Quoting ????????? ??????????? <dimkar at thessaloniki.gr>:
> Hi there!
>
> I have two DNS records
>  mail1.domain.tld
>  mail2.domain.tld
>
> I have issued SSL server Certificates for both my domain names.
> Is it possible to tell dovecot to use both , depending on
> client access;
> clients using the mail1.domain.tld be served by the mail1.domain.tld
> .key and .cert
> and those using mail2.domain.tld be served by the mail2.domain.tld
> .key and .cert
>
> Thanks in advance
> Dimitrios

Basically, server is not expecting any kind of domain on ssl handshake, 
but what if the server can serve more than one cert, so that clients
using  mail1.dom.gr and mail2.dom.gr , which resolve to the same dovecot 
instance but from different network segments
could be certified.

mail1.dom.gr -> 10.65.0.45  (private one)
mail2.dom.gr -> 84.205.252.78
(random numbers)

In essence, it is the same dovecot instance.

Dimitrios

O/H Ed W ??????:
> ????????? ??????????? wrote:
>> So ,
>> on one dovecot instance, it is impossible to have two ssl 
>> certificates for two distinct common names.
>> right?
>>
>
> You are kind of asking two questions here:
>
> 1) SSL as it stands maps one IP address to one certificate.  The basic 
> issue is that, bar a few exceptions, there is no clear way to connect 
> to an IP address and say what "domain" you are expecting to see
on the
> other end, hence allowing the other end to present the domain specific 
> cert.  This is currently not fixable, but you can work around it by 
> getting one cert with all your CNs on it (see Subject Alt Name)
>
> 2) Does Dovecot support running on 2 ips with different certs on each 
> IP?  I think the answer is currently no?  You could run two dovecot 
> instances though...  I believe this is on the todo list for a later 
> version, but as yet not that high up the priority list? (Timo?)  So 
> this bit is fixable in various ways
>
> Does that help?
>
> Ed W
>

????????? ??????????? wrote:
> Basically, server is not expecting any kind of domain on ssl 
> handshake, but what if the server can serve more than one cert, so 
> that clients
> using  mail1.dom.gr and mail2.dom.gr , which resolve to the same 
> dovecot instance but from different network segments
> could be certified.
>
> mail1.dom.gr -> 10.65.0.45  (private one)
> mail2.dom.gr -> 84.205.252.78
> (random numbers)
>
> In essence, it is the same dovecot instance.
I should imagine that you can achieve this using an external SSL wrapper 
such as stunnel?

OR

You could use firewall rules to redirect incoming connections to 
different local ports depending on where the connection originates.  
Then setup appropriate config on each port to serve a different cert

This setup does sound workable

Ed W