On 28-04-2022 at 07:30, Aki Tuomi wrote:
>> On 27/04/2022 22:14 Kees van Vloten <keesvanvloten at gmail.com> wrote:
>>
>>
>> Hi all,
>>
>> I am trying to set up dovecot to listen to imaps on the local network and
>> through haproxy from the internet.
>>
>> service imap-login {
>>   inet_listener imaps {
>>     port = 993
>>     ssl = yes
>>   }
>>   inet_listener imaps_haproxy {
>>     haproxy = yes
>>     port = 10993
>>     ssl = yes
>>   }
>> }
>>
>> Obviously the dns-name on the internet connection (10993) is different
>> than on the lan (993).
>>
>> In the docs (https://doc.dovecot.org/configuration_manual/dovecot_ssl_configuration/)
>> I found multiple options, but unfortunately none of those have the
>> option to distinguish per listen port.
>>
>> Is there a way to set up two different certificates for the two listeners?
>>
>> - Kees
> Hi!
>
> Currently port is not supported. What we usually recommend here is that you
> use haproxy to distribute connections to different local IP addresses and use
>
> local 127.0.0.5/32 {
> ssl_cert=</path
> ssl_key=</path
> }
>
> Aki
Hi Aki,
Would it then look like this?
Internet -> haproxy on dmz-server -> haproxy on mailserver -> dovecot on 127.0.0.5
- Kees