Re: Multiple certificate option SNI

2019-09-13 Thread Heiko Schlittermann via dovecot
Maciej Milaszewski IQ PL via dovecot (Fri 13 Sep 2019 12:10:39 CEST):
> openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1

Use -servername  for testing.

--
Heiko




Re: Multiple certificate option SNI

2019-09-13 Thread Jean-Daniel Dupas via dovecot



> On 13 Sep 2019, at 12:10, Maciej Milaszewski IQ PL via dovecot
> wrote:
> 
> Hi
> I have a problem with SNI and dovecot 2.2.36.4
> 
> Server debian 9.x and dovecot-2.2.36.4
> 
> default server ssl cert is a wildcard like *.domain.com (digicert)
> 
> ssl_ca = /var/control/cert.pem
> ssl_cert =  
> I added, for testing, another domain (in DNS too) for another SSL cert (letsencrypt)
> 
> from https://wiki.dovecot.org/SSL/DovecotConfiguration
> 
> like:
> 
> local_name imap.mail.test.domain.com {
>   ssl_cert =
>   ssl_key = < /etc/dovecot/ssl/imap.mail.test.domain.com.key
> }
> 
> 
> doveconf -n:
> 
> local_name imap.mail.test.domain.com {
>   ssl_cert =
>   ssl_key =  # hidden, use -P to show it
> }
> 
> Now I test like:
> openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1
> 
> and dovecot shows me the default server cert (digicert) but not the dedicated
> one from letsencrypt
> 
> In DNS, domain imap.mail.test.domain.com does not match *.domain.com
> 
> Any idea ?
> 

AFAIK, the -connect option of openssl is not used for SNI, but only for IP
resolution.
To enable SNI, you have to explicitly pass it using the '-servername' parameter.
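Both replies above make the same point: `-connect` only picks the socket, and the SNI name has to be sent explicitly. The Python below is an added example, not code from this list thread, from dovecot or from OpenSSL: it builds a minimal TLS ClientHello with and without the SNI extension, parses the extension back out the way a server does, and picks a certificate from a made-up `local_name` table (the host names and certificate labels are constructed). Without the extension there is nothing to match, so the default certificate is returned no matter which address was connected to.

```python
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16        # record content type
HS_CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000    # extension type for SNI (RFC 6066)
SNI_HOST_NAME = 0x00        # the only NameType defined

# Constructed table mirroring a dovecot setup: the default ssl_cert plus one
# `local_name imap.mail.test.domain.com { ... }` block. Names are made up.
DEFAULT_CERT = "wildcard *.domain.com (default ssl_cert)"
LOCAL_NAME_CERTS = {
    "imap.mail.test.domain.com": "imap.mail.test.domain.com (local_name block)",
}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record; add an SNI extension if server_name is given."""
    body = b"\x03\x03"                 # client_version: TLS 1.2
    body += b"\x00" * 32               # random (zeroed, illustration only)
    body += b"\x00"                    # session_id: empty
    body += b"\x00\x02\xc0\x2f"        # cipher_suites: one entry (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                # compression_methods: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # record layer: content type, legacy version 3.1, fragment length, fragment
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in a ClientHello's SNI extension, or None if there is none."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if not hs or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip version and random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # ClientHello without extensions: no SNI possible
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            if name_type == SNI_HOST_NAME:
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


def select_certificate(client_hello: bytes) -> str:
    """Pick a certificate the way an SNI-aware server does: matching local_name, else the default."""
    name = parse_sni(client_hello)
    if name is None:
        return DEFAULT_CERT              # no SNI: default cert, whatever address -connect resolved to
    # host names are compared case-insensitively here (RFC 6066 host names are case-insensitive)
    return LOCAL_NAME_CERTS.get(name.lower(), DEFAULT_CERT)


if __name__ == "__main__":
    for sni in (None, "imap.mail.test.domain.com", "other.domain.com"):
        print(f"servername={sni!r:<30} -> {select_certificate(build_client_hello(sni))}")
```

To see the same thing against a real server, compare the certificate returned with and without the name, e.g. `openssl s_client -connect imap.mail.test.domain.com:993 -servername imap.mail.test.domain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` (`-ext` needs OpenSSL 1.1.1 or later; use `-text` on older builds). If the subject or SAN still shows the wildcard, the `local_name` block is not matching; if it only changes once `-servername` is given, the server side is fine and the earlier test was simply not sending SNI.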



Multiple certificate option SNI

2019-09-13 Thread Maciej Milaszewski IQ PL via dovecot
Hi
I have a problem with SNI and dovecot 2.2.36.4

Server debian 9.x and dovecot-2.2.36.4

default server ssl cert is a wildcard like *.domain.com (digicert)

ssl_ca = /var/control/cert.pem
ssl_cert =
I added, for testing, another domain (in DNS too) for another SSL cert (letsencrypt)

from https://wiki.dovecot.org/SSL/DovecotConfiguration

like:

local_name imap.mail.test.domain.com {
  ssl_cert =
  ssl_key = < /etc/dovecot/ssl/imap.mail.test.domain.com.key
}

doveconf -n:

local_name imap.mail.test.domain.com {
  ssl_cert =
  ssl_key =  # hidden, use -P to show it
}

Now I test like:
openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1

and dovecot shows me the default server cert (digicert) but not the dedicated
one from letsencrypt

In DNS, domain imap.mail.test.domain.com does not match *.domain.com

Any idea ?

Re: Multiple certificate option

2019-09-10 Thread Greg Wildman via dovecot
On Tue, 2019-09-10 at 08:41 +0200, Maciej Milaszewski IQ PL via dovecot
wrote:
> Hi
> This is for all dovecot version ?

Not sure. Any version of dovecot that builds its config from the
conf.d folder will work. Not sure on the specific SSL certificate
syntax but I have been using the aforementioned config for the last
couple of years.


-- 
Greg




Re: Multiple certificate option

2019-09-10 Thread Maciej Milaszewski IQ PL via dovecot
Hi
This is for all dovecot version ?

On 10.09.2019 08:05, Greg Wildman via dovecot wrote:
> On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote:
>> What is the best way to adopt multiple certs? 
> I have a setup that creates letsencrypt certs for each customer domain.
> To automate this I have the following at the end of conf.d/10-ssl.conf
>
>   !include ssl.d/*.conf
>
> This includes any .conf file under conf.d/ssl.d
>
> Now it is a simple matter to add and remove certificates for each
> domain as the letsencrypt job runs. Each config file looks like this
>
> $cat ssl.d/somedomain_co_za.conf
> local_name imap.somedomain.co.za {
>   ssl_cert =
>   ssl_key  =
> }
>
>
> YMMV.
>


-- 
Maciej Miłaszewski
Senior System Administrator
IQ PL Sp. z o.o.

Customer Service Office:
e-mail: b...@iq.pl
tel.: +48 58 326 09 90 - 94
fax: +48 58 326 09 99

Help desk: https://www.iq.pl/pomoc
Information on the processing of personal data: https://www.iq.pl/kontakt

IQ PL Sp. z o.o., registered office in Gdańsk (80-298), ul. Geodetów 16, KRS 
007725, registration court: District Court in Gdańsk, 7th Commercial Division of the National Court Register, share 
capital: 140.000 PLN, NIP 5832736211, REGON 192478853






Re: Multiple certificate option

2019-09-10 Thread Greg Wildman via dovecot
On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote:
> What is the best way to adopt multiple certs? 

I have a setup that creates letsencrypt certs for each customer domain.
To automate this I have the following at the end of conf.d/10-ssl.conf

  !include ssl.d/*.conf

This includes any .conf file under conf.d/ssl.d

Now it is a simple matter to add and remove certificates for each
domain as the letsencrypt job runs. Each config file looks like this

$cat ssl.d/somedomain_co_za.conf
local_name imap.somedomain.co.za {
  ssl_cert =
  ssl_key  =
}


YMMV.
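The per-domain fragment approach above is easy to drive from a renewal hook, but the hook is then writing dovecot configuration from data it did not choose. The Python below is an added example, not Greg's script and not dovecot's own tooling: it renders one `local_name` fragment per host name into an `ssl.d` directory, rejects host names or paths that could inject configuration (a `}` or newline in the name would end the block early), refuses to reference a private key that is readable by group or other (dovecot opens the key as root before dropping privileges, so it should stay root-only), and writes the file atomically so a half-written `.conf` is never picked up by `!include ssl.d/*.conf`. The file-name convention (dots replaced by underscores), the placeholder PEM contents and the temporary directory used by `demo()` are constructed for this example.

```python
import os
import re
import stat
import tempfile

# Strict host name syntax (lowercase DNS labels, 2+ letter TLD): no path separators,
# braces, whitespace or newlines can get from a renewal hook into dovecot's config.
HOSTNAME_RE = re.compile(r"(?=.{1,253}\Z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}")


def render_local_name_block(hostname: str, cert_path: str, key_path: str) -> str:
    """Render the `local_name { ... }` fragment dovecot expects for one host name."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"refusing to write config for suspicious host name {hostname!r}")
    for path in (cert_path, key_path):
        if not os.path.isabs(path) or any(c in path for c in "\n\r{}"):
            raise ValueError(f"certificate paths must be absolute and plain: {path!r}")
    return (
        f"local_name {hostname} {{\n"
        f"  ssl_cert = <{cert_path}\n"
        f"  ssl_key = <{key_path}\n"
        f"}}\n"
    )


def key_is_private(key_path: str) -> bool:
    """True if the key is a regular file with no group/other permission bits at all."""
    mode = os.stat(key_path).st_mode
    return stat.S_ISREG(mode) and not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def write_fragment(ssl_d: str, hostname: str, cert_path: str, key_path: str) -> str:
    """Write ssl.d/<host_name_with_underscores>.conf atomically and return its path."""
    block = render_local_name_block(hostname, cert_path, key_path)   # validates inputs first
    if not key_is_private(key_path):
        raise PermissionError(f"{key_path} is readable by group/other; chmod 600 it before referencing it")
    os.makedirs(ssl_d, mode=0o755, exist_ok=True)
    target = os.path.join(ssl_d, hostname.replace(".", "_") + ".conf")  # naming is this example's choice
    tmp = target + ".tmp"                     # not matched by ssl.d/*.conf while half-written
    with open(tmp, "w") as f:
        f.write(block)
    os.replace(tmp, target)                   # rename is atomic: dovecot never sees a partial .conf
    return target


def demo() -> dict:
    """Run the workflow in a throwaway directory with constructed files and report what happened."""
    root = tempfile.mkdtemp(prefix="dovecot-ssl-demo-")
    cert = os.path.join(root, "fullchain.pem")
    key = os.path.join(root, "privkey.pem")
    with open(cert, "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n")
    with open(key, "w") as f:
        f.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n")
    ssl_d = os.path.join(root, "ssl.d")
    result = {}

    os.chmod(key, 0o600)                         # root-only style key: accepted
    written = write_fragment(ssl_d, "imap.somedomain.co.za", cert, key)
    with open(written) as f:
        result["fragment"] = f.read()
    result["written"] = os.path.basename(written)

    os.chmod(key, 0o640)                         # group-readable key: must be refused
    try:
        write_fragment(ssl_d, "imap.somedomain.co.za", cert, key)
        result["group_readable_refused"] = False
    except PermissionError:
        result["group_readable_refused"] = True

    os.chmod(key, 0o600)
    try:                                         # config-injection attempt via the host name
        write_fragment(ssl_d, "imap.somedomain.co.za {\nssl_key = </etc/shadow", cert, key)
        result["injection_refused"] = False
    except ValueError:
        result["injection_refused"] = True
    result["conf_files"] = sorted(n for n in os.listdir(ssl_d) if n.endswith(".conf"))
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

After the hook has written a fragment, `doveconf -n` is the cheap check that the include still parses and the new `local_name` block is present before reloading dovecot.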



Re: Multiple certificate option

2019-09-09 Thread Joseph Tam via dovecot

On Sat, 7 Sep 2019, Remo Mattei wrote:

> Thanks Michael I will check with the free cert lets encrypt to test it.


If all your certificate subjects are domains under your control,
such as when they are aliases of each other (e.g. smtp.domain.tld,
pop3.domain.tld, imap.domain.tld, webmail.myotherdomain.tld, ...), you
may find it more convenient to obtain a SAN (Subject Name Alternative)
certificate, which allows multiple subjects to be specified in one
certificate.  Alternatively, you can also get a wildcard domain if
all your subjects are in the same domain.

There are obvious advantages to this: one (and only one) certificate to
add to the dovecot configuration, one renewal every ~60 days requiring one
restart of the dovecot service (minimizes disruptions), etc.

A disadvantage is that it's a little trickier to set up your ACME bot (and maybe
your DNS service) to get a wildcard/SAN certificate.

Joseph Tam 
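Whether a wildcard or a SAN certificate is enough depends on how names are matched. The Python below is an added example, not part of this thread or of dovecot: it implements the name-matching rules of RFC 6125 conservatively and runs them over a constructed table of server names and the names each one's certificate carries, reporting every `local_name` whose own certificate does not cover it. It shows the case from the SNI thread on this page: `*.domain.com` covers `imap.domain.com` but not `imap.mail.test.domain.com`, so the deeper name needs its own certificate or its own SAN entry. All host names in the table are made up.

```python
# Constructed configuration: for each server name, the names the certificate
# served for it carries (CN plus SAN dNSName entries). The None key stands for
# dovecot's default ssl_cert; the other keys for `local_name` blocks. One entry
# deliberately points a deeper host name at the wildcard, which cannot cover it.
EXAMPLE_CONFIG = {
    None: ["*.domain.com"],
    "imap.mail.test.domain.com": ["imap.mail.test.domain.com"],
    "pop3.mail.test.domain.com": ["*.domain.com"],
    "webmail.myotherdomain.tld": ["smtp.domain.tld", "imap.domain.tld", "webmail.myotherdomain.tld"],
}


def _labels(name: str) -> list:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate name (possibly '*.example.com') cover hostname?

    Rules, following RFC 6125 section 6.4.3 conservatively:
    - case-insensitive comparison, trailing dot ignored;
    - '*' is honoured only as the whole leftmost label and matches exactly one
      label: '*.domain.com' covers 'imap.domain.com' but neither 'domain.com'
      nor 'imap.mail.test.domain.com';
    - a wildcard directly under a public suffix ('*.com') is rejected;
    - partial wildcards such as 'im*.domain.com' are treated as literals.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        if len(p) < 3 or "*" in p[1:]:
            return False
        return p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name the certificate carries covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def find_mismatches(config: dict) -> list:
    """Sorted list of local_name entries whose own certificate does not cover the name."""
    return sorted(name for name, cert_names in config.items()
                  if name is not None and not cert_covers(cert_names, name))


def needs_local_name(default_names, hostname: str) -> bool:
    """True when the default certificate does not cover hostname, i.e. a per-name block is required."""
    return not cert_covers(default_names, hostname)


if __name__ == "__main__":
    print("local_name blocks not covered by their own cert:", find_mismatches(EXAMPLE_CONFIG))
    for host in ("imap.domain.com", "imap.mail.test.domain.com"):
        print(host, "needs its own certificate:", needs_local_name(EXAMPLE_CONFIG[None], host))
```

The same check is worth running before each renewal goes live: a wildcard that silently stops covering a newly added deeper host name produces exactly the symptom from the SNI thread, with clients shown the default certificate and failing verification.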


Re: Multiple certificate option

2019-09-07 Thread Remo Mattei via dovecot
Thanks Michael I will check with the free cert lets encrypt to test it. 

Remo

> On 7 Sep 2019, at 02:09, Michael Hallager via dovecot
> wrote:
> 
> On 2019-09-07 12:25, remo--- via dovecot wrote:
>> What is the best way to adopt multiple certs?
>> Thanks.
> 
> /etc/dovecot/conf.d/10-ssl.conf
> 
> Primary SSL certificate:
> 
> # SSL/TLS support: yes, no, required. 
> #ssl = yes
> ssl = required
> 
> ("yes" or "required" - I use required)
> 
> # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
> # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
> ssl_min_protocol = TLSv1
> 
> # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
> # dropping root privileges, so keep the key file unreadable by anyone but
> # root. Included doc/mkcert.sh can be used to easily generate self-signed
> # certificate, just make sure to update the domains in dovecot-openssl.cnf
> ssl_cert =
> ssl_key =
> 
> Secondary SSL certificates (I add this at the bottom of the file)
> 
> local_name mail.domain2.tld {
> 
>    ssl_cert =
>    ssl_key =
> }



Re: Multiple certificate option

2019-09-07 Thread Michael Hallager via dovecot

On 2019-09-07 12:25, remo--- via dovecot wrote:

What is the best way to adopt multiple certs?

Thanks.


/etc/dovecot/conf.d/10-ssl.conf

Primary SSL certificate:

# SSL/TLS support: yes, no, required. 
#ssl = yes
ssl = required

("yes" or "required" - I use required)

# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used.
ssl_min_protocol = TLSv1

# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert =
ssl_key =

Secondary SSL certificates (I add this at the bottom of the file)

local_name mail.domain2.tld {
  ssl_cert =
  ssl_key =
}

Multiple certificate option

2019-09-06 Thread remo--- via dovecot
What is the best way to adopt multiple certs? 

Thanks.