Basically, server is not expecting any kind of domain on ssl handshake,
but what if the server can serve more than one cert, so that clients
using mail1.dom.gr and mail2.dom.gr , which resolve to the same dovecot
instance but from different network segments
could be certified.
mail1.dom.gr -> 10.65.0.45 (private one)
mail2.dom.gr -> 84.205.252.78
(random numbers)
In essence, it is the same dovecot instance.
Dimitrios
O/H Ed W έγραψε:
Δημήτριος Καραπιπέρης wrote:
So ,
on one dovecot instance, it is impossible to have two ssl
certificates for two distinct common names.
right?
You are kind of asking two questions here:
1) SSL as it stands maps one IP address to one certificate. The basic
issue is that, bar a few exceptions, there is no clear way to connect
to an IP address and say what "domain" you are expecting to see on the
other end, hence allowing the other end to present the domain specific
cert. This is currently not fixable, but you can work around it by
getting one cert with all your CNs on it (see Subject Alt Name)
2) Does Dovecot support running on 2 ips with different certs on each
IP? I think the answer is currently no? You could run two dovecot
instances though... I believe this is on the todo list for a later
version, but as yet not that high up the priority list? (Timo?) So
this bit is fixable in various ways
Does that help?
Ed W
