>> Would mail clients like Thunderbird need to understand SNI as well
>> or would it be up to only the server daemon to present the right
>> certificate?
>
> Both. SNI is a protocol extension. Both the client and the server
> have to be explicitly coded to support it.

Thanks for the confirmation. According to this posting in 2011 the author noted that Thunderbird does initiate the SSL handshake with the hostname in plain text so it probably does do SNI. Promising.

http://forums.mozillazine.org/viewtopic.php?f=39&t=2316281

I also found this reference so I'll give it a try, even though the custom Debian packages I use most likely do not use GnuTLS.

*** SNI

If the IMAP server is supposed to work for different domain names, the TLS extension SNI comes into play. The way how Courier implements this is:

Set TLS_CERTFILE to a base path, e.g.

TLS_CERTFILE=/etc/ssl/private/imap.pem

The concrete certificates must then be stored in files that are formed by appending the domain name to the base path, e.g.

/etc/ssl/private/imap.pem.example.com

Courier will look up the correct certificate based on the host name advertised during the TLS/SNI exchange