Maik Musall writes:
Hi folks,

I have a courier-imap server running and I'm quite happy with it, except that the SSL certificate I need is bound to one specific hostname. I'd like to access the server from different clients under different names (like mail.foo.com and mail.bar.com), but whenever I use any other hostname than specified in the certificate, I get a log message "Server CommonName mismatch" in fetchmail. I don't want my users to bother with this warning message, but I don't want them to use a hostname of another domain, either. I didn't see any possibility to create different certificates for the different domains. Did I oversee something?
You oversaw a known technical flaw in SSL, which cannot validate multiple hostnames on the same IP address. This applies equally well to IMAP, HTTP, or any other protocol.
Each hostname must have a dedicated IP address, and Courier supports this, by naming each certificate as $CERTFILE.aaa.bbb.ccc.ddd, where aaa.bbb.ccc.ddd is the IP address that corresponds to the hostname. Someday, perhaps, this will even be documented…
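A small check script, added here as an example (it is not from the thread or from the Courier project), that applies the per-IP naming rule above: for each "hostname ip" pair it builds the `$CERTFILE.aaa.bbb.ccc.ddd` path, confirms the file exists, and compares the certificate's CN with the hostname clients will use, which is exactly what fetchmail's "Server CommonName mismatch" warning is complaining about. The default `CERTFILE` path and the `COURIER_CERT_CHECK` switch are assumptions; `openssl` must be installed.

```shell
#!/bin/sh
# Base certificate path, as configured in imapd-ssl (TLS_CERTFILE).
# The default below is an assumed placeholder; override it for your install.
CERTFILE="${CERTFILE:-/etc/courier/imapd.pem}"

# Per-IP certificate path following the $CERTFILE.aaa.bbb.ccc.ddd convention.
certfile_for_ip() {
    printf '%s.%s\n' "$CERTFILE" "$1"
}

# Print the subject CN of a PEM certificate (empty if unreadable or absent).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Succeed only if the certificate for IP exists and its CN equals HOST,
# i.e. a client connecting to HOST on that IP will see a matching CN.
check_pair() {
    host=$1; ip=$2
    f=$(certfile_for_ip "$ip")
    if [ ! -r "$f" ]; then
        echo "MISSING  $host -> $f" >&2
        return 1
    fi
    cn=$(cert_cn "$f")
    if [ "$cn" != "$host" ]; then
        echo "MISMATCH $host -> $f has CN=$cn" >&2
        return 1
    fi
    echo "OK       $host -> $f (CN=$cn)"
}

# Read "host ip" pairs from stdin and report every mismatch; fail if any.
check_all() {
    rc=0
    while read -r host ip; do
        [ -n "$host" ] || continue
        check_pair "$host" "$ip" || rc=1
    done
    return $rc
}

# Stand-alone use (assumed switch): COURIER_CERT_CHECK=1 sh check.sh < pairs
if [ -n "${COURIER_CERT_CHECK:-}" ]; then
    check_all
fi
```

Feed it one `hostname ip` pair per line on stdin; a non-zero exit means at least one name your users will type does not match the certificate served on that address.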