Δημήτριος Καραπιπέρης
2009-Aug-25 13:11 UTC
[Dovecot] Two server certificates for two common names
Hi there!

I have two DNS records
mail1.domain.tld
mail2.domain.tld

I have issued SSL server certificates for both my domain names.
Is it possible to tell Dovecot to use both, depending on client access?
Clients using mail1.domain.tld would be served by the mail1.domain.tld .key and .cert, and those using mail2.domain.tld by the mail2.domain.tld .key and .cert.

Thanks in advance
Dimitrios
Patrick Domack
2009-Aug-25 16:47 UTC
[Dovecot] Two server certificates for two common names
That is an SSL impossibility, and the current TLS clients can't really do that either. The best way to do it is to use separate IPs for mail1 and mail2. The only other option is to use a new certificate with subject-alt-names, but lots of email clients don't support that. Web browsers have for a long time now, but email is completely different.

Quoting Δημήτριος Καραπιπέρης <dimkar at thessaloniki.gr>:
> Hi there!
>
> I have two DNS records
> mail1.domain.tld
> mail2.domain.tld
>
> I have issued SSL server Certificates for both my domain names.
> Is it possible to tell dovecot to use both , depending on
> client access;
> clients using the mail1.domain.tld be served by the mail1.domain.tld
> .key and .cert
> and those using mail2.domain.tld be served by the mail2.domain.tld
> .key and .cert
>
> Thanks in advance
> Dimitrios
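As an added example, not something posted in this thread: the single-certificate approach Patrick mentions is an OpenSSL request configuration that lists both hostnames in the certificate's subjectAltName extension. The file name san.cnf and the key/CSR file names are assumptions; the hostnames are the ones from the original question.

```conf
# san.cnf (assumed file name): CSR configuration producing one
# certificate that is valid for both mail1.domain.tld and mail2.domain.tld.
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
# Put the name that the most clients use in the CN: clients that ignore
# the SAN extension (the ones Patrick warns about) only ever match CN.
CN = mail1.domain.tld

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = mail1.domain.tld
DNS.2 = mail2.domain.tld
```

Generate the request with `openssl req -new -key mail.key -out mail.csr -config san.cnf` (for a self-signed test certificate add `-x509 -days 365 -extensions v3_req`), then confirm both names survived with `openssl req -in mail.csr -noout -text | grep -A1 'Subject Alternative Name'`. When a CA signs the CSR it must copy the extension into the issued certificate; check the final certificate the same way with `openssl x509 -in mail.pem -noout -text`, because a SAN that was dropped at signing time is exactly the mismatch that makes clients warn on the second hostname.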
Δημήτριος Καραπιπέρης
2009-Aug-26 19:13 UTC
[Dovecot] Two server certificates for two common names
Basically, the server is not expecting any kind of domain in the SSL handshake, but what if the server can serve more than one cert, so that clients using mail1.dom.gr and mail2.dom.gr, which resolve to the same Dovecot instance but from different network segments, could be certified?

mail1.dom.gr -> 10.65.0.45 (private one)
mail2.dom.gr -> 84.205.252.78
(random numbers)

In essence, it is the same Dovecot instance.

Dimitrios

Ed W wrote:
> Δημήτριος Καραπιπέρης wrote:
>> So ,
>> on one dovecot instance, it is impossible to have two ssl
>> certificates for two distinct common names.
>> right?
>>
>
> You are kind of asking two questions here:
>
> 1) SSL as it stands maps one IP address to one certificate. The basic
> issue is that, bar a few exceptions, there is no clear way to connect
> to an IP address and say what "domain" you are expecting to see on the
> other end, hence allowing the other end to present the domain specific
> cert. This is currently not fixable, but you can work around it by
> getting one cert with all your CNs on it (see Subject Alt Name)
>
> 2) Does Dovecot support running on 2 ips with different certs on each
> IP? I think the answer is currently no? You could run two dovecot
> instances though... I believe this is on the todo list for a later
> version, but as yet not that high up the priority list? (Timo?) So
> this bit is fixable in various ways
>
> Does that help?
>
> Ed W
>
Δημήτριος Καραπιπέρης wrote:
> Basically, server is not expecting any kind of domain on ssl
> handshake, but what if the server can serve more than one cert, so
> that clients
> using mail1.dom.gr and mail2.dom.gr , which resolve to the same
> dovecot instance but from different network segments
> could be certified.
>
> mail1.dom.gr -> 10.65.0.45 (private one)
> mail2.dom.gr -> 84.205.252.78
> (random numbers)
>
> In essence, it is the same dovecot instance.

I should imagine that you can achieve this using an external SSL wrapper such as stunnel?

Or you could use firewall rules to redirect incoming connections to different local ports depending on where the connection originates. Then set up the appropriate config on each port to serve a different cert.

This setup does sound workable.

Ed W
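As an added example, not configuration from this thread or from the Dovecot version discussed in it: later Dovecot 2.x releases gained per-address `local { }` blocks, and from 2.2 `local_name { }` blocks for clients that send the hostname in the TLS handshake (SNI). Together they do directly what Ed W's firewall-redirect and separate-port workaround approximates, inside one Dovecot instance. The two addresses are the ones Dimitrios gave above; the certificate and key paths are assumptions.

```conf
# dovecot.conf fragment (Dovecot 2.x; paths are assumed)

# Fallback certificate, presented when no local/local_name block matches.
ssl = required
ssl_cert = </etc/ssl/certs/mail-default.pem
ssl_key  = </etc/ssl/private/mail-default.key

# Certificate chosen by the address the client connected to
# (the per-IP approach Patrick and Ed W describe, without a second instance).
local 10.65.0.45 {
  ssl_cert = </etc/ssl/certs/mail1.dom.gr.pem
  ssl_key  = </etc/ssl/private/mail1.dom.gr.key
}

local 84.205.252.78 {
  ssl_cert = </etc/ssl/certs/mail2.dom.gr.pem
  ssl_key  = </etc/ssl/private/mail2.dom.gr.key
}

# Certificate chosen by the hostname the client sends via SNI
# (Dovecot 2.2+; only helps clients that actually send the name).
local_name mail1.dom.gr {
  ssl_cert = </etc/ssl/certs/mail1.dom.gr.pem
  ssl_key  = </etc/ssl/private/mail1.dom.gr.key
}

local_name mail2.dom.gr {
  ssl_cert = </etc/ssl/certs/mail2.dom.gr.pem
  ssl_key  = </etc/ssl/private/mail2.dom.gr.key
}
```

Check the merged result with `doveconf -n`, then verify from a client that each path really presents the intended certificate: `openssl s_client -connect 10.65.0.45:993` should show the mail1 subject, `openssl s_client -connect 84.205.252.78:993` the mail2 subject, and `openssl s_client -connect 84.205.252.78:993 -servername mail1.dom.gr` exercises the SNI block. Keep the fallback certificate valid for a name clients actually use, since any client that sends no SNI and arrives on an address without a `local` block gets that one.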