-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2008-08-07, at 1143, Kacper Wysocki wrote:
> The problem is that the configuration file specifies only one certificate file for dovecot, which means only one Common Name, which means one cannot provide one server cert that will match mail.foo.com AND mail.bar.com, and either [EMAIL PROTECTED] or [EMAIL PROTECTED] will get a "Security Error: Domain Name Mismatch" in their mail client when connecting through IMAPS. How can I avoid this domain name mismatch error?
if you're using normal SSL (usually on port 993) each IP:PORT combination on the server can only have one SSL certificate. this is because the SSL negotiations happen before the internal protocol (in this case, IMAP) ever starts. the SSL protocol does not provide any way for the client to tell the server which hostname they're trying to connect to - the only thing the server knows is what IP and port the client connected to.
if you're using STARTTLS, the connection starts as normal, but instead of sending login credentials, the client sends a "STARTTLS" command of some kind, the server says OK, and then starts SSL negotiations within the existing socket. in that kind of scenario it's theoretically possible for the client to tell the server which hostname it wants (so the server can select the appropriate certificate) however i don't think the IMAP protocol has that capability.
this is the same kind of issue people run into with other SSL-encrypted services, such as SMTP-SSL or HTTPS. the problem is that when the SSL protocol was designed, they didn't think about a server having a need for multiple certificates, and there are too many existing SSL implementations in use right now to think realistically about changing the protocol at such a basic level.
it might be possible to construct a special certificate with multiple CN= fields, or with multiple "alternate name" fields (i forget the X.509 key for this field) however these are non-standard, and there's no guarantee that all clients will honour, or even understand, such certificates.
what i do on my own server is just tell all of my clients that they must use the name "secure.jms1.net" as their IMAP-SSL and SMTP-SSL server names. it doesn't affect the appearance of their outgoing mail at all (other than the "Received" headers, which would happen anyway.)
- --------------------------------------------------------
| John M. Simpson -- KG4ZOW -- Programmer At Large |
| http://www.jms1.net/ <[EMAIL PROTECTED]> |
- --------------------------------------------------------
| Hope for America -- http://www.ronpaul2008.com/ |
- --------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFImyNej42MmpAUrRoRAnAuAJ0VnIwa6jpkwODwlfcGJL6dK/c9AQCdF9lq
bQSR7ebRO4WBkV8HSpgMeC0=
=Gue5
-----END PGP SIGNATURE-----
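As an added illustration (not part of this thread, and not dovecot code), here is the check a mail client performs when it raises the "Domain Name Mismatch" error discussed above: given the names carried in the server certificate, which hostnames does it accept? The certificate dicts are constructed by hand in the shape Python's ssl.getpeercert() returns, so the script runs offline. The "alternate name" field the reply refers to is the X.509 subjectAltName extension; the matching rules follow RFC 6125 (DNS-type subjectAltName entries, when present, take precedence over the Common Name, and a wildcard is allowed only as the whole leftmost label). The single-CN sample is what the one-certificate-per-IP:port setup from the thread yields; the SAN sample shows one certificate covering both mail.foo.com and mail.bar.com.

```python
"""Hostname check a mail client applies to a server certificate.

Added example, not from the original mailing-list thread. No network
connection is made: the certificate dicts below are constructed samples in
the shape returned by ssl.SSLSocket.getpeercert().
"""


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name (possibly "*.foo.com") against a hostname.

    Comparison is case-insensitive; a trailing dot is ignored on both sides.
    A wildcard is accepted only as the entire leftmost label, must cover
    exactly one label, and must not be the only label before the TLD
    ("*.com" is rejected), following RFC 6125 section 6.4.3.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        # "*.foo.com" neither matches "foo.com" nor "a.mail.foo.com"
        return False
    if "*" in pattern:
        if not pattern.startswith("*.") or "*" in pattern[1:] or len(p_labels) < 3:
            # reject "m*.foo.com", "mail.*.com" and "*.com"
            return False
    for p, h in zip(p_labels, h_labels):
        if p == "*":
            if h == "":
                return False
            continue
        if p != h:
            return False
    return True


def certificate_names(cert):
    """Return (dns_subject_alt_names, common_name) from a getpeercert()-style dict."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    common_name = ""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                common_name = value
    return san, common_name


def hostname_matches_certificate(hostname, cert):
    """Decide whether a client would accept `cert` when connecting to `hostname`.

    RFC 6125 rule: if the certificate carries any DNS subjectAltName entries,
    only those are consulted; the Common Name is a fallback used solely when
    no DNS subjectAltName is present.
    """
    san, common_name = certificate_names(cert)
    candidates = san if san else ([common_name] if common_name else [])
    return any(dns_name_matches(name, hostname) for name in candidates)


# Constructed sample: one Common Name only, as in the thread's setup.
SINGLE_CN_CERT = {
    "subject": ((("commonName", "mail.foo.com"),),),
}

# Constructed sample: one certificate naming both domains via subjectAltName.
SAN_CERT = {
    "subject": ((("commonName", "mail.foo.com"),),),
    "subjectAltName": (("DNS", "mail.foo.com"), ("DNS", "mail.bar.com")),
}


def explain(hostname, cert):
    """Render the verdict the way a mail client would report it."""
    ok = hostname_matches_certificate(hostname, cert)
    return "%s: %s" % (hostname, "OK" if ok else "Domain Name Mismatch")


if __name__ == "__main__":
    for host in ("mail.foo.com", "mail.bar.com"):
        print("single-CN cert  ", explain(host, SINGLE_CN_CERT))
        print("SAN cert        ", explain(host, SAN_CERT))
```

Running the script prints a mismatch for mail.bar.com against the single-CN certificate and OK for both hosts against the SAN certificate. Note the precedence rule in hostname_matches_certificate: once a certificate lists DNS names in subjectAltName, a Common Name that is not also listed there no longer matches anything, which is the behaviour to expect from current clients when a SAN certificate is deployed.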