Re: Multiple certificate option SNI
Maciej Milaszewski IQ PL via dovecot (Fr 13 Sep 2019 12:10:39 CEST): > openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1 Use -servername for testing. -- Heiko signature.asc Description: PGP signature
Re: Multiple certificate option SNI
> Le 13 sept. 2019 à 12:10, Maciej Milaszewski IQ PL via dovecot > a écrit : > > Hi > I have some problem with SNI and dovecot 2.2.36.4 > > Server debian 9.x ad dovecot-2.2.36.4 > > default server ssl cert is a wildcard like *.domain.com (digicert) > > ssl_ca = /var/control/cert.pem > ssl_cert = > I added for test another domain (in dns to) for another ssl (letsencrypt) > > from https://wiki.dovecot.org/SSL/DovecotConfiguration > > like: > > local_name imap.mail.test.domain.com { > ssl_cert =ssl_key = < /etc/dovecot/ssl/imap.mail.test.domain.com.key > } > > > doveconf -n: > > local_name imap.mail.test.domain.com { > ssl_cert =ssl_key = # hidden, use -P to show it > } > > Now I test like: > openssl s_client -connect imap.mail.test.domain.com:993 -tls1_1 > > and dovecot show me default server cert (digicert) but not dedicated > from letsencrypt > > In DNS domain imap.mail.test.domain.com is not match *.domain.com > > Any idea ? > AFAIK, the -connect option of openssl is not use for SNI, but only for IP resolution. To enable SNI, you have to explicitly pass it using '-servername' parameter.
Multiple certificate option SNI
Hi I have some problem with SNI and dovecot 2.2.36.4 Server debian 9.x ad dovecot-2.2.36.4 default server ssl cert is a wildcard like *.domain.com (digicert) ssl_ca = /var/control/cert.pem ssl_cert = https://wiki.dovecot.org/SSL/DovecotConfiguration like: local_name imap.mail.test.domain.com { ssl_cert =
Re: Multiple certificate option
On Tue, 2019-09-10 at 08:41 +0200, Maciej Milaszewski IQ PL via dovecot wrote: > Hi > This is for all dovecot version ? Not sure. Any version of dovecot that builds it's config from the conf.d folder will work. Not sure on the specific SSL certificate syntax but I have been using the aformentioned config for the last couple of years. -- Greg signature.asc Description: This is a digitally signed message part
Re: Multiple certificate option
Hi This is for all dovecot version ? On 10.09.2019 08:05, Greg Wildman via dovecot wrote: > On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote: >> What is the best way to adopt multiple certs? > I have a setup that creates letsencrypt certs for each customer domain. > To automate this I have the following at the end of conf.d/10-ssl.conf > > !include ssl.d/*.conf > > This includes any .conf file under conf.d/ssl.d > > Now it is a simple matter to add and remove certificates for each > domain as the letsencrypt job runs. Each config file looks like this > > $cat ssl.d/somedomain_co_za.conf > local_name imap.somedomain.co.za { > ssl_cert =ssl_key = } > > > YMMV. > -- Maciej Miłaszewski Starszy Administrator Systemowy IQ PL Sp. z o.o. Biuro Obsługi Klienta: e-mail: b...@iq.pl tel.: +48 58 326 09 90 - 94 fax: +48 58 326 09 99 Dział pomocy: https://www.iq.pl/pomoc Informacja dotycząca przetwarzania danych osobowych: https://www.iq.pl/kontakt IQ PL Sp. z o.o. z siedzibą w Gdańsku (80-298), ul. Geodetów 16, KRS 007725, Sąd rejestrowy: Sąd Rejonowy w Gdańsku VII Wydział KRS, kapitał zakładowy: 140.000 PLN, NIP 5832736211, REGON 192478853 signature.asc Description: OpenPGP digital signature
Re: Multiple certificate option
On Fri, 2019-09-06 at 17:25 -0700, remo--- via dovecot wrote: > What is the best way to adopt multiple certs? I have a setup that creates letsencrypt certs for each customer domain. To automate this I have the following at the end of conf.d/10-ssl.conf !include ssl.d/*.conf This includes any .conf file under conf.d/ssl.d Now it is a simple matter to add and remove certificates for each domain as the letsencrypt job runs. Each config file looks like this $cat ssl.d/somedomain_co_za.conf local_name imap.somedomain.co.za { ssl_cert = signature.asc Description: This is a digitally signed message part
Re: Multiple certificate option
On Sat, 7 Sep 2019, Remo Mattei wrote: Thanks Michael I will check with the free cert lets encrypt to test it. If all your certificate subjects are domains under your control, such as when they are aliases of each other (e.g. smtp.domain.tld, pop3.domain.tld, imap.domain.tld, webmail.myotherdomain.tld, ...), you may find it more convenient to obtain a SAN (Subject Name Alternative) certificate, which allows multiple subjects to be specified in one certificate. Alternatively, you can also get a wildcard domain if all your subjects are in the same domain. There are obvious advantages to this: one (and only one) certificate to add to the dovecot configuration, one renewal every ~60 days requiring one restart of the dovecot service (minimizes disruptions), etc. A disadvantages is it's a little trickier to set up your ACME bot (and maybe your DNS service) to get a wildcard/SAN certificate. Joseph Tam
Re: Multiple certificate option
Thanks Michael I will check with the free cert lets encrypt to test it. Remo > Il giorno 7 set 2019, alle ore 02:09, Michael Hallager via dovecot > ha scritto: > > On 2019-09-07 12:25, remo--- via dovecot wrote: >> What is the best way to adopt multiple certs? >> Thanks. > > /etc/dovecot/conf.d/10-ssl.conf > > Primary SSL certificate: > > # SSL/TLS support: yes, no, required. > #ssl = yes > ssl = required > > ("yes" or "required" - I use required) > > # Minimum SSL protocol version to use. Potentially recognized values are > SSLv3, > # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used. > ssl_min_protocol = TLSv1 > > # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before > # dropping root privileges, so keep the key file unreadable by anyone but > # root. Included doc/mkcert.sh can be used to easily generate self-signed > # certificate, just make sure to update the domains in dovecot-openssl.cnf > ssl_cert = ssl_key = > Secondary SSL certificates (I add this at the bottom of the file) > > local_name mail.domain2.tld { > >ssl_cert = ssl_key = > }
Re: Multiple certificate option
On 2019-09-07 12:25, remo--- via dovecot wrote: What is the best way to adopt multiple certs? Thanks. /etc/dovecot/conf.d/10-ssl.conf Primary SSL certificate: # SSL/TLS support: yes, no, required. #ssl = yes ssl = required ("yes" or "required" - I use required) # Minimum SSL protocol version to use. Potentially recognized values are SSLv3, # TLSv1, TLSv1.1, and TLSv1.2, depending on the OpenSSL version used. ssl_min_protocol = TLSv1 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf ssl_cert =
Multiple certificate option
What is the best way to adopt multiple certs? Thanks.