Thanks Michael I will check with the free cert lets encrypt to test it. Remo> Il giorno 7 set 2019, alle ore 02:09, Michael Hallager via dovecot <dovecot at dovecot.org> ha scritto: > > ?On 2019-09-07 12:25, remo--- via dovecot wrote: >> What is the best way to adopt multiple certs? >> Thanks. > > /etc/dovecot/conf.d/10-ssl.conf > > Primary SSL certificate: > > # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> > #ssl = yes > ssl = required > > ("yes" or "required" - I use required) > > # Minimum SSL protocol version to use. Potentially recognized values are SSLv3, > # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used. > ssl_min_protocol = TLSv1 > > # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before > # dropping root privileges, so keep the key file unreadable by anyone but > # root. Included doc/mkcert.sh can be used to easily generate self-signed > # certificate, just make sure to update the domains in dovecot-openssl.cnf > ssl_cert = </etc/ssl/private/mail-domain-tld.crt > ssl_key = </etc/ssl/private/mail-domain-tld.key > > Secondary SSL certificates (I add this at the bottom of the file) > > local_name mail.domain2.tld { > > ssl_cert = </etc/ssl/private/mail-domain2-tld.crt > ssl_key = </etc/ssl/private/mail-domain2-tld.key > > }
On Sat, 7 Sep 2019, Remo Mattei wrote:> Thanks Michael I will check with the free cert lets encrypt to test it.If all your certificate subjects are domains under your control, such as when they are aliases of each other (e.g. smtp.domain.tld, pop3.domain.tld, imap.domain.tld, webmail.myotherdomain.tld, ...), you may find it more convenient to obtain a SAN (Subject Name Alternative) certificate, which allows multiple subjects to be specified in one certificate. Alternatively, you can also get a wildcard domain if all your subjects are in the same domain. There are obvious advantages to this: one (and only one) certificate to add to the dovecot configuration, one renewal every ~60 days requiring one restart of the dovecot service (minimizes disruptions), etc. A disadvantages is it's a little trickier to set up your ACME bot (and maybe your DNS service) to get a wildcard/SAN certificate. Joseph Tam <jtam.home at gmail.com>
Hi I have some problem with SNI and dovecot 2.2.36.4 Server debian 9.x ad dovecot-2.2.36.4 default server ssl cert is a wildcard like *.domain.com (digicert) ssl_ca = /var/control/cert.pem ssl_cert = </var/control/cert.pem I added for test another domain (in dns to) for another ssl (letsencrypt) from https://wiki.dovecot.org/SSL/DovecotConfiguration like: local_name imap.mail.test.domain.com { ? ssl_cert = </etc/dovecot/ssl/imap.mail.test.domain.com.pem ? ssl_key =? < /etc/dovecot/ssl/imap.mail.test.domain.com.key } doveconf -n: local_name imap.mail.test.domain.com { ? ssl_cert = </etc/dovecot/ssl/imap.mail.test.domain.com.pem ? ssl_key =? # hidden, use -P to show it } Now I test like: openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1 and dovecot show me default server cert (digicert) but not dedicated from letsencrypt In DNS domain imap.mail.test.domain.com is not match *.domain.com Any idea ?