On Jul 12, 2009, at 2:21 PM, Ed W wrote:

> I meant that you could have one server (one IP) and when a customer connects they can connect to mail.theirdomain.com (CNAME or A to mail.ourserver.com) and not see warnings about the SSL cert not matching the address they are connecting to (i.e. the generic problem).
> 
> Right now it requires a cert containing every possible destination server name on the single cert. This works, but it's hard to buy such certs. TLS (in general) offers the *possibility* to figure out what domain the customer is trying to connect to and present the correct cert up front.
> 
> Sadly it still seems to break for email because you need the customer to AUTH before upgrading to SSL and this isn't usually what they do...
> 
> By an extension I assume you mean there is actually some standard proposed to solve that bit of the puzzle; I wasn't even aware that was on the cards?

There's draft-hazewinkel-imap-vhost-00 from 6 years ago.

> As an aside, I see several other software projects now enabling the compression option when establishing an SSL connection - any chance you could look at enabling the relevant lines of code in Dovecot? We had this conversation some months/years back and it appeared simple on the Dovecot side, but there is of course still only minimal client support (but at least we can break the chicken-and-egg situation).

I remember it was a few weeks ago :)
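The certificate-selection problem discussed in this thread, as an added illustration (not code from the thread or from Dovecot): a server on one IP either presents a single cert carrying every customer name, or uses the name the client asks for to pick a per-customer cert; without that name it can only fall back to a default cert, and the client's hostname check fails. The certificate names are constructed sample data.

```python
# Added example (not from the thread or from Dovecot): how a server on one IP picks
# which certificate to present, and when the client's hostname check fails.
# Certificate contents below are constructed sample data.

CERTS = {
    # default cert: the hosting provider's own names
    "ourserver": ["mail.ourserver.com", "*.ourserver.com"],
    # per-customer certs, only usable if the client says which name it wants (SNI)
    "cust-a": ["mail.customer-a.example"],
    "cust-b": ["mail.customer-b.example", "imap.customer-b.example"],
}
DEFAULT_CERT = "ourserver"


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: case-insensitive; '*' allowed only as the entire left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        suffix = pattern[1:]                      # ".ourserver.com"
        head = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(head) and "." not in head     # exactly one label replaced
    return False


def cert_covers(names, hostname: str) -> bool:
    """True if any DNS name in the cert matches the name the client connected to."""
    return any(name_matches(n, hostname) for n in names)


def select_cert(sni_hostname, certs=CERTS):
    """Server side: with SNI, pick the first cert whose names cover it; otherwise the default."""
    if sni_hostname:
        for cert_id, names in certs.items():
            if cert_covers(names, sni_hostname):
                return cert_id
    return DEFAULT_CERT


def handshake(connect_host: str, client_sends_sni: bool, certs=CERTS):
    """Simulate one connection: (cert presented, whether the client's name check passes)."""
    sni = connect_host if client_sends_sni else None
    cert_id = select_cert(sni, certs)
    return cert_id, cert_covers(certs[cert_id], connect_host)


if __name__ == "__main__":
    for host, sni in [("mail.customer-a.example", True), ("mail.customer-a.example", False)]:
        cert_id, ok = handshake(host, sni)
        print(f"{host:26} SNI={sni!s:5} -> cert {cert_id:10} name check {'OK' if ok else 'MISMATCH'}")
```

The "one fat cert" approach the thread describes corresponds to `cert_covers` over the union of all names; the SNI approach is `select_cert`, which degrades to the default cert (and a mismatch warning) whenever the client does not send a name.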
