>> Would mail clients like Thunderbird need to understand SNI as well
>> or would it be up to only the server daemon to present the right
>> certificate?
>
> Both. SNI is a protocol extension. Both the client and the server
> have to be explicitly coded to support it.

Thanks for the confirmation. According to this posting in 2011 the
author noted that Thunderbird does initiate the SSL handshake with
the hostname in plain text so it probably does do SNI. Promising.

http://forums.mozillazine.org/viewtopic.php?f=39&t=2316281

I also found this reference so I'll give it a try, even though the
custom Debian packages I use most likely do not use GnuTLS.

***

SNI

If the IMAP server is supposed to work for different domain names,
the TLS extension SNI comes into play. The way Courier implements
this is:

Set TLS_CERTFILE to a base path, e.g.

TLS_CERTFILE=/etc/ssl/private/imap.pem

The concrete certificates must then be stored in files that are formed
by appending the domain name to the base path, e.g.

/etc/ssl/private/imap.pem.example.com

Courier will look up the correct certificate based on the host name
advertised during the TLS/SNI exchange.
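As an added illustration (not Courier's own code), the lookup rule quoted above modelled in Python: the certificate for an SNI name is expected at TLS_CERTFILE with "." and the name appended. The hostname validation and the fallback to the base file are assumptions made here, since the quoted text does not say how Courier treats odd SNI values or names with no matching file.

```python
"""Model of Courier's per-domain certificate lookup (added example, not
Courier's own code): TLS_CERTFILE is a base path and the certificate for
an SNI name lives at <base>.<name>. The hostname check and the fallback
to the base file are assumptions, not documented Courier behaviour."""
import os
import re
import tempfile
from typing import Optional

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_sni_name(name: str) -> bool:
    """Accept only plain DNS hostnames. The SNI value is client-supplied,
    so it must never be allowed to steer the lookup outside the
    TLS_CERTFILE directory (dots and slashes in odd places, etc.)."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def cert_path_for(tls_certfile: str, sni_name: Optional[str]) -> str:
    """Return the certificate file to present: <base>.<lowercased name>
    when that file exists, otherwise the base path (assumed fallback)."""
    if sni_name:
        name = sni_name.lower()
        if not valid_sni_name(name):
            return tls_certfile  # do not build a path from a bad name
        candidate = f"{tls_certfile}.{name}"
        if os.path.isfile(candidate):
            return candidate
    return tls_certfile


def demo() -> dict:
    """Constructed layout: base imap.pem plus one per-domain file."""
    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "imap.pem")
        for f in (base, base + ".example.com"):
            open(f, "w").close()
        return {
            "match": cert_path_for(base, "EXAMPLE.com") == base + ".example.com",
            "unknown": cert_path_for(base, "other.test") == base,
            "no_sni": cert_path_for(base, None) == base,
            "bad_name": cert_path_for(base, "../../etc/passwd") == base,
        }
```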


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users