Thomas Hummel wrote:
> Hello Timo,
>
> I'd like to check if my understanding of dovecot-1.2.x's SSL certificate
> handling is correct:
>
> SSL does not provide the server any mechanism to choose which certificate
> it must send relative to the name the client is using. Thus, if you want to
> use different certificates, you have to listen to different addresses. This is
> an SSL limitation, not a dovecot nor IMAP limitation.
>
> This is the reason why it's possible to use different certificates for IMAP
> and POP3. But it seems to work only with those two:
>
> As a matter of fact, even if you listen to different addresses, how would
> you tell dovecot to send this certificate for this address and that certificate
> for that address, since there is no IP-dependent section (as in apache IP-based
> virtual hosts, for instance)? It seems the only way would be to have more than
> one instance of dovecot (several dovecots with different config files).
>
> The problem is that some clients may be configured with mail.my.domain, some
> others with imap.my.domain, etc. Hence the need to have different
> certificates with those different names as cn.
>
Possibly off-topic from what the OP wants, but couldn't TLS Server Name Indication (SNI) be used to overcome the single server certificate limitation?

AllenJB