Peer Heinlein
2010-Aug-29 22:07 UTC
[Dovecot] Different IPs should use different ssl-certs/keys
I don't understand how to use multiple keys/certs on different IPs without SNI.

http://wiki2.dovecot.org/SSL/DovecotConfiguration explains how to use different keys for different protocols like POP3 and IMAP.

But how to bind those keys to IPs/ports?

Looks like it is not possible to use ssl_cert inside

    service { inet_listener {} }

Is it still necessary to run multiple instances like it was in Dovecot 1.2.x?

Peer

--
Heinlein Professional Linux Support GmbH
Linux: Akademie - Support - Hosting
http://www.heinlein-support.de

Tel: 030 / 40 50 51 - 0
Fax: 030 / 40 50 51 - 19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Managing Director: Peer Heinlein -- Registered office: Berlin
Mark Moseley
2010-Aug-30 16:49 UTC
[Dovecot] Different IPs should use different ssl-certs/keys
On Sun, Aug 29, 2010 at 3:07 PM, Peer Heinlein <p.heinlein+dovecot at heinlein-support.de> wrote:

> I don't understand how to use multiple keys/certs on different IPs
> without SNI.
>
> http://wiki2.dovecot.org/SSL/DovecotConfiguration explains how to use
> different keys for different protocols like POP3 and IMAP.
>
> But how to bind those keys to IPs/ports?
>
> Looks like it is not possible to use ssl_cert inside
>
> service { inet_listener {} }
>
> Is it still necessary to run multiple instances like it was in Dovecot
> 1.2.x?

After the initial ssl stuff (ssl=yes, etc), you just need a number of 'local' stanzas, each looking like:

    local <ip address> {
      ssl_cert = </path/to/ssl.certificate
      ssl_key = </path/to/ssl.key
      ssl_key_password = </path/to/ssl.key.password   # Optional, only needed if key is encrypted
    }

one after another. I haven't tried doing it with different ports though; I just use iptables to DNAT ports to different private IPs. And IIRC you still need a top-level "default" ssl_key and ssl_cert as well, or it'll complain.
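The layout described in the reply above, written out as a complete Dovecot 2.0 configuration fragment. This is an added example and not a configuration from either poster: the two addresses (taken from the RFC 5737 documentation range), the hostnames mail.example.com / mail.example.net and the file paths under /etc/ssl/dovecot/ are assumed placeholders, and the setting syntax follows the wiki page linked in the question.

```conf
# Dovecot 2.0: one certificate/key pair per listening IP, no SNI.
# Added example; the IPs (RFC 5737 documentation range), hostnames and
# file paths below are assumed placeholders, not real deployment values.
ssl = yes

# Top-level defaults. They are served on any address that no "local"
# block below matches, and Dovecot expects them to be present even when
# every address is covered, so choose this pair deliberately.
ssl_cert = </etc/ssl/dovecot/default.crt
ssl_key  = </etc/ssl/dovecot/default.key

# mail.example.com resolves to 192.0.2.10: clients reaching this address
# get this certificate, regardless of which hostname they typed.
local 192.0.2.10 {
  ssl_cert = </etc/ssl/dovecot/mail.example.com.crt
  ssl_key  = </etc/ssl/dovecot/mail.example.com.key
}

# mail.example.net resolves to 192.0.2.11. Its key is passphrase
# protected, so the passphrase is read from a separate root-only file.
local 192.0.2.11 {
  ssl_cert = </etc/ssl/dovecot/mail.example.net.crt
  ssl_key  = </etc/ssl/dovecot/mail.example.net.key
  ssl_key_password = </etc/ssl/dovecot/mail.example.net.pass
}

# The listener itself carries no ssl_cert/ssl_key. One listener bound
# to every address is enough; the "local" blocks select the key pair
# by the address the client connected to.
service imap-login {
  inet_listener imaps {
    address = *
    port = 993
    ssl = yes
  }
}
```

Two checks are worth running after a change like this. `doveconf -n` prints the merged configuration and is where a missing top-level ssl_cert/ssl_key shows up as an error before any client does. Then connect to each address in turn, for example `openssl s_client -connect 192.0.2.10:993 </dev/null 2>/dev/null | openssl x509 -noout -subject`, and confirm that the subject matches the certificate meant for that address; repeat with 192.0.2.11 and with any address that should fall through to the default pair. Because the client cannot name a host without SNI, every hostname must resolve to its own address, and whatever a client gets by connecting to an unmatched address is the default pair. The `<` prefix makes Dovecot read the files at startup as root, so the key and passphrase files can stay owned by root with mode 0600 rather than being readable by the dovecot user.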