Hello;

I was reading the message "how to config dovecot for multiple domains, multiple SSL certs, and conditional IP access -- with passwd-file passdb?", and I was wondering if Dovecot could support the SNI extension of TLS?

SNI is Server Name Indication: during the TLS negotiation, the client sets the name of the server it tries to reach. I don't know if any IMAP/POP client supports this yet, but this would be a great feature for one IP/multiple virtual domains. Each SNI client would get the correct certificate and not the "main/generic" one.

It seems that mutt has a patch for that: http://www.mail-archive.com/mutt-dev at mutt.org/msg05251.html
On Sat, 2009-10-24 at 13:35 +0200, Jean-Baptiste Vignaud wrote:
> Hello;
>
> I was reading the message "how to config dovecot for multiple domains,
> multiple SSL certs,

This works in v2.0, assuming you have a separate IP for each.

> and conditional IP access -- with passwd-file passdb?",

http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets can be added to passwd-file extra fields.

> and I was wondering if Dovecot could support the SNI
> extension of TLS?

Oh, I didn't know this was already in OpenSSL. I'll see about adding support for it to v2.0. I'm not entirely sure how to make it configurable though. Perhaps instead of having:

local_ip 1.2.3.4 {
  ssl_cert = </etc/ssl/certs/1.2.3.4
}
remote_ip 4.3.2.1 {
}

I could replace those with:

local host.domain.org {
  ssl_cert = </etc/ssl/certs/1.2.3.4
}
remote host2.domain2.org {
}

and of course keep the IPs also working.
> Oh, I didn't know this was already in OpenSSL. I'll see about adding
> support for it to v2.0. I'm not entirely sure how to make it
> configurable though. Perhaps instead of having:
>
> local_ip 1.2.3.4 {
>   ssl_cert = </etc/ssl/certs/1.2.3.4
> }
> remote_ip 4.3.2.1 {
> }
>
> I could replace those with:
>
> local host.domain.org {
>   ssl_cert = </etc/ssl/certs/1.2.3.4
> }
> remote host2.domain2.org {
> }
>
> and of course keep the IPs also working.

This would be great! I searched the Thunderbird bugzilla; it seems that they support it: https://bugzilla.mozilla.org/show_bug.cgi?id=511921#c27