On Thursday, December 23 at 02:46 PM, quoth Andreas Aardal Hanssen:
> On Thu, 23 Dec 2004, Andrea Riela wrote:
> >But, if my server has mail.domain2.dom and mail.domain3.dom too, what
> >do I have to do?
> >Do I have to use my ca file (that I've used to sign mail.domain1.dom,
> >mail.domain2.dom and mail.domain3.dom) in bincimap.conf?
>
> Hi, Andrea. I guess this is more of an SSL question than an IMAP question,
> but the bottom line is that every domain you use needs a separate SSL
> certificate, and that Binc IMAP must be set up to serve these domains on
> separate interfaces, each server setting loading a separate pem file.
> "Virtual domain" space or similar doesn't work with SSL. You'll see this
> with Apache/SSL also.
To clarify Andy's answer... the reason you can only have a single SSL key per interface is because of when the key must be used. When you are connecting to an SSL-encrypted IMAP server (or web server, or smtp server, or whatever), you're generally encrypting your communication even from the very first byte. Even if you're not (say, you use STARTTLS or something similar), you need to encrypt your communication even before you have the opportunity to tell the server what domain you think you're talking to. Thus, there's no way for the server to know "ah, you think you're talking to mail.domain2.dom, not mail.domain1.dom, so I'll use domain2's key".

> The easier solution is to use only one domain, but have it resolve to
> several A records. This gives you the same flexibility with regards to
> scaling.

We have run into similar problems with our own server. What it has boiled down to is: each domain that *really* wants its own SSL certificates gets its own IP address, and the rest share an address and key. From the user's perspective, there's usually very little difference.

~Kyle

--
The truth is that there are no things for which men will make such herculean efforts as the things of which they know they are unworthy.
-- G. K. Chesterton
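As an added illustration of the timing argument above (this is example code written for this page, not Binc IMAP's code and not anything posted in the thread): the first bytes a TLS 1.0 client sends are a ClientHello, and the server has to have its certificate chosen by the time it answers that record. The script builds a constructed ClientHello, parses out everything the server can see at that moment (protocol version, client random, session id, cipher suites, compression), and shows that none of those fields names the host the client meant to reach, so the only selector left is the interface address the connection arrived on. The interface-to-PEM table, the `/etc/bincimap/...` file names and the 192.0.2.x addresses (RFC 5737 documentation range) are assumptions for the example.

```python
import os
import struct


def build_client_hello(cipher_suites, random_bytes=None):
    """Build a TLS 1.0 ClientHello record (RFC 2246 layout, no extensions).

    Constructed sample input for this example: the first thing an IMAP-over-SSL
    client sends, before any IMAP command has been exchanged.
    """
    if random_bytes is None:
        random_bytes = os.urandom(32)
    assert len(random_bytes) == 32
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x01"                                   # client_version = TLS 1.0
        + random_bytes                                # 32-byte client random
        + b"\x00"                                     # session_id length 0 (new session)
        + struct.pack("!H", len(suites)) + suites     # offered cipher suites
        + b"\x01\x00"                                 # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 22 (handshake), version TLS 1.0, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return the fields a server has in hand when it must pick a certificate."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    random_bytes = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0]
              for i in range(0, suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]; pos += 1
    compression = list(body[pos:pos + comp_len]); pos += comp_len
    # Nothing parsed above carries the host name the client intended; a plain
    # TLS 1.0 hello ends here, so the server cannot pick a key by domain.
    return {
        "version": (version[0], version[1]),
        "random": random_bytes,
        "session_id": session_id,
        "cipher_suites": suites,
        "compression": compression,
        "trailing_bytes": len(body) - pos,
    }


# Assumed mapping from the interface a connection arrived on to the PEM file
# that interface serves (one address per domain that wants its own cert).
CERT_BY_INTERFACE = {
    "192.0.2.10": "/etc/bincimap/mail.domain1.dom.pem",
    "192.0.2.11": "/etc/bincimap/mail.domain2.dom.pem",
}


def select_certificate(local_address, hello, table=CERT_BY_INTERFACE):
    """Choose the certificate for a freshly accepted connection.

    The hello is parsed only to confirm it names no host; the decision itself
    comes from the local interface address, the one selector available here.
    """
    fields = parse_client_hello(hello)
    assert "server_name" not in fields
    try:
        return table[local_address]
    except KeyError:
        raise LookupError(f"no certificate configured for interface {local_address}") from None


if __name__ == "__main__":
    hello = build_client_hello([0x002F, 0x0035])
    print(parse_client_hello(hello))
    print(select_certificate("192.0.2.10", hello))
```

Running it prints the parsed hello fields and the PEM path chosen for the 192.0.2.10 interface; a connection on an address with no entry raises `LookupError`, which is the situation a shared-address setup avoids by giving the remaining domains one common key.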