Thomas Harold
2011-Mar-16 19:44 UTC
[Dovecot] SSL Compatibility? SNI vs SAN (Subject Alternative Names) and multiple domains
Getting ready to redo our mail server setup and I'm trying to wrap my head around the ins and outs and pitfalls involved in SSL, multiple domains, and Dovecot.

I've taken a look at: http://wiki2.dovecot.org/SSL/DovecotConfiguration

My basic understanding at this point is that:

- With SSL for IMAP/POP3, it is limited to one certificate per IP address, because the SSL process starts as soon as the client opens the socket to the IP address. In order to support multiple domains / server names, you have to rely on SAN (Subject Alternative Names) in the server's SSL certificate.

- If I use STARTTLS for IMAP/POP3 and Dovecot 2.x, then the SNI process will allow the client to specify that they want to talk to mail server XYZ and Dovecot will hand the correct certificate to the client. However, a lot of devices don't support SNI yet, so this is fraught with peril and incompatibilities.

So it seems like if I have fewer IP addresses than mail server names, I should stick with a single SSL cert and use SANs. (Wildcard certs are not an option due to the top level domain being different.)

How big of an issue is a cert with half a dozen or a dozen SANs attached? Do most mail clients handle that sort of certificate properly in order to access their mailboxes?

Reference links: http://www.digicert.com/subject-alternative-name-compatibility.htm
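Added example (not part of the thread, and not Dovecot's own code): the single-certificate-with-SANs approach from the post above, carried through with the openssl CLI. The script builds one key plus a self-signed certificate whose SAN list covers five made-up mail hostnames across three different top-level domains (the case where a wildcard cannot help), then extracts the DNS names back out of the certificate and checks whether a given hostname is covered. All hostnames, paths and the `WORK` directory are placeholders; for a CA-issued certificate you would drop `-x509`, send the resulting CSR (which carries the same SAN list) to the CA, and run the same checks on what comes back.

```shell
#!/bin/sh
# Added example: one certificate, many mail hostnames via Subject Alternative Names.
# Hostnames and paths are made-up placeholders, not real infrastructure.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed list of the mail hostnames one certificate should cover.
SAN_HOSTS="mail.example.com imap.example.com pop.example.com mail.example.org smtp.example.net"

# Write an OpenSSL config carrying the SAN extension. Using a config file instead
# of 'req -addext' keeps this working on OpenSSL releases older than 1.1.1.
write_san_config() {
    cfg="$1"
    cn="$2"
    shift 2
    {
        printf '[req]\ndistinguished_name = dn\nreq_extensions = san\n'
        printf 'x509_extensions = san\nprompt = no\n\n[dn]\nCN = %s\n\n' "$cn"
        printf '[san]\nsubjectAltName = @alt\n\n[alt]\n'
        i=1
        for h in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$h"
            i=$((i + 1))
        done
    } > "$cfg"
}

# Generate a private key and a self-signed SAN certificate; prints the cert path.
# The CN is one of the SAN names, since modern clients ignore the CN and match
# hostnames only against the SAN list.
make_san_cert() {
    key="$WORK/mail.key"; crt="$WORK/mail.pem"; cfg="$WORK/san.cnf"
    # shellcheck disable=SC2086
    write_san_config "$cfg" "mail.example.com" $SAN_HOSTS
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$key" -out "$crt" -config "$cfg" >/dev/null 2>&1
    echo "$crt"
}

# Print the DNS names a certificate's SAN extension covers, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
      | grep -o 'DNS:[^,]*' | sed 's/^DNS://'
}

# Number of DNS SANs in the certificate.
cert_san_count() {
    cert_dns_names "$1" | grep -c .
}

# Exit 0 if HOST is listed in the certificate's SANs. Exact match only: the
# post rules wildcards out, so no wildcard matching is attempted here.
cert_covers() {
    crt="$1"; host="$2"
    cert_dns_names "$crt" | grep -qxF "$host"
}

# Stand-alone demo: build the certificate and show which names it covers.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    crt=$(make_san_cert)
    echo "certificate: $crt"
    cert_dns_names "$crt"
fi
```

To check what a live server actually hands out, `openssl s_client -connect mail.example.com:993 -servername mail.example.com < /dev/null | openssl x509 -noout -text` shows the certificate for an implicit-TLS port, and `-starttls imap -connect mail.example.com:143` does the same for STARTTLS; the `-servername` flag is what sends SNI. Note that SNI travels in the client's TLS hello, so a client that sends it does so on port 993/995 just as it does after STARTTLS; what decides whether per-hostname certificates work is whether the client sends SNI at all, not which port it uses. On the Dovecot side, per-hostname certificates are selected through `local_name` sections, each with its own `ssl_cert`/`ssl_key`, which is the SNI path the post contrasts with the single SAN certificate built above.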
Ed W
2011-Mar-16 23:21 UTC
[Dovecot] SSL Compatibility? SNI vs SAN (Subject Alternative Names) and multiple domains
Hi

> How big of an issue is a cert with half a dozen or a dozen SANs
> attached? Do most mail clients handle that sort of certificate properly
> in order to access their mailboxes?

I think it's been discussed here before, but roughly speaking yes it works fine. I use it on my mailservers and don't obviously see problems with common clients. I think in the archives you might find that there are a few less common clients which aren't happy, but I think all modern MS clients, and the other big alternatives are fine?

I bought from godaddy because it was quite cheap to get such a cert...

Good luck

Ed W
Craig Whitmore
2011-Mar-17 00:43 UTC
[Dovecot] SSL Compatibility? SNI vs SAN (Subject Alternative Names) and multiple domains
Do they work without any error messages with all the major MUAs? For sending (SMTP) and receiving (POP/IMAP) etc.

Thanks

On 17/03/11 1:34 PM, "David Ford" <david at blue-labs.org> wrote:

> if you want cheap, startssl.com. $0 certs available and they work fine
> w/ dovecot.
>
> -david