Re: [Dovecot] Multiple ssl-certs on different ports with the same protocol

2014-02-07 Thread Timo Sirainen
On 3.2.2014, at 11.40, myleetl...@gmx.de wrote:

> is it possible to use multiple ssl-certs on different _ports_ with the same
> protocol?

No.


[Dovecot] Multiple ssl-certs on different ports with the same protocol

2014-02-04 Thread myleetlist
Hi,

is it possible to use multiple ssl-certs on different _ports_ with the same 
protocol?
I know I can configure multiple certs with the local ip setting*.
But how is this (or similar) possible in v2.2.10:

local :100 {
  protocol imap {
    ...
  }
}
local :101 {
  protocol imap {
    ...
  }
}

This would be useful in a load-balancing setup:
you don't waste IPs and the config files on different servers stay the same.

* [http://wiki2.dovecot.org/SSL/DovecotConfiguration]


Re: [Dovecot] Multiple SSL certs question

2009-10-28 Thread Jean-Baptiste Vignaud
> Oh, I didn't know this was already in OpenSSL. I'll see about adding
> support for it to v2.0. I'm not entirely sure how to make it
> configurable though. Perhaps instead of having:
>
> local_ip 1.2.3.4 {
>   ssl_cert = /etc/ssl/certs/1.2.3.4
> }
> remote_ip 4.3.2.1 {
> }
>
> I could replace those with:
>
> local host.domain.org {
>   ssl_cert = /etc/ssl/certs/1.2.3.4
> }
> remote host2.domain2.org {
> }
>
> and of course keep the IPs also working.

This would be great!

I searched the Thunderbird Bugzilla; it seems that they support it:
https://bugzilla.mozilla.org/show_bug.cgi?id=511921#c27


Re: [Dovecot] Multiple SSL certs question

2009-10-28 Thread Timo Sirainen
On Wed, 2009-10-28 at 16:10 +0100, Jean-Baptiste Vignaud wrote:
> > local host.domain.org {
> >   ssl_cert = /etc/ssl/certs/1.2.3.4
> > }
> > remote host2.domain2.org {
> > }
> >
> > and of course keep the IPs also working.
>
> This would be great !

The above works now in the v2.0 code tree.




Re: [Dovecot] Multiple SSL certs question

2009-10-27 Thread Timo Sirainen
On Sat, 2009-10-24 at 13:35 +0200, Jean-Baptiste Vignaud wrote:
> Hello;
>
> I was reading the message how to config dovecot for multiple domains,
> multiple SSL certs,

This works in v2.0, assuming you have a separate IP for each.

> and conditional IP access -- with passwd-file passdb?,

http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets can be
added to passwd-file extra fields.

> and I was wondering if Dovecot could support the SNI
> extension of TLS?

Oh, I didn't know this was already in OpenSSL. I'll see about adding
support for it to v2.0. I'm not entirely sure how to make it
configurable though. Perhaps instead of having:

local_ip 1.2.3.4 {
  ssl_cert = /etc/ssl/certs/1.2.3.4
}
remote_ip 4.3.2.1 {
}

I could replace those with:

local host.domain.org {
  ssl_cert = /etc/ssl/certs/1.2.3.4
}
remote host2.domain2.org {
}

and of course keep the IPs also working.




[Dovecot] Multiple SSL certs question

2009-10-24 Thread Jean-Baptiste Vignaud
Hello;

I was reading the message "how to config dovecot for multiple domains,
multiple SSL certs, and conditional IP access -- with passwd-file
passdb?", and I was wondering if Dovecot could support the SNI
extension of TLS?

SNI is Server Name Indication, where during the TLS negotiation the
client sets the name of the server it tries to reach.

I don't know if any IMAP/POP client supports this yet, but this would be
a great feature for one IP/multiple virtual domains. Each SNI client
would have the correct certificate and not the 'main/generic' one.

It seems that mutt has a patch for that
http://www.mail-archive.com/mutt-...@mutt.org/msg05251.html


Re: [Dovecot] Multiple SSL certs

2008-03-10 Thread it-dovecot
On Tue, 4 Mar 2008 20:44:21 -0800,
Anil [EMAIL PROTECTED] wrote:
> Has anyone tried to set this up (multiple certs for multiple
> hostnames) with something like stunnel wrapper for SSL instead of
> using dovecot's SSL?

Yes. Try something like this:

stunnel -p /path/to/cert.pem -d thisimapdIP:993 -r localhost:143

Greetings
-- 
Robert Sander    Senior Manager Information Systems
Epigenomics AG    Kleine Praesidentenstr. 1    10178 Berlin, Germany
phone: +49-30-24345-0    fax: +49-30-24345-555
http://www.epigenomics.com [EMAIL PROTECTED]


Re: [Dovecot] Multiple SSL certs

2008-03-10 Thread Lampa
Hello,

But I think that solution will have problems with TLS (TLS going
through 143 port).

2008/3/10, [EMAIL PROTECTED] [EMAIL PROTECTED]:
> On Tue, 4 Mar 2008 20:44:21 -0800,
> Anil [EMAIL PROTECTED] wrote:
> > Has anyone tried to set this up (multiple certs for multiple
> > hostnames) with something like stunnel wrapper for SSL instead of
> > using dovecot's SSL?
>
> Yes. Try something like this:
>
> stunnel -p /path/to/cert.pem -d thisimapdIP:993 -r localhost:143
>
> Greetings
>
> --
> Robert Sander    Senior Manager Information Systems
> Epigenomics AG    Kleine Praesidentenstr. 1    10178 Berlin, Germany
> phone: +49-30-24345-0    fax: +49-30-24345-555
> http://www.epigenomics.com [EMAIL PROTECTED]



-- 
Lampa


Re: [Dovecot] Multiple SSL certs

2008-03-04 Thread Lampa
Hello,

AFAIK it's planned for 2.x version.

If you need it, run a separate instance of dovecot (bind a separate IP
address and use a separate certificate).

I'm running this on 5 IP addresses with no problem.

2008/3/4, Daniel L. Miller [EMAIL PROTECTED]:
> Does 1.1 support multiple certs?
>
> --
> Daniel



-- 
Lampa


[Dovecot] Multiple SSL certs

2008-03-04 Thread Daniel L. Miller

Does 1.1 support multiple certs?

--
Daniel


Re: [Dovecot] Multiple SSL certs

2008-03-04 Thread Anil
Has anyone tried to set this up (multiple certs for multiple
hostnames) with something like stunnel wrapper for SSL instead of
using dovecot's SSL?

On Tue, Mar 4, 2008 at 2:10 PM, Lampa [EMAIL PROTECTED] wrote:
> Hello,
>
> AFAIK it's planned for 2.x version.
>
> If you need run separate instance of dovecot (bind separate ip address
> and use separate certificate).
>
> I'm running this on 5 ip addresses and no problem.
>
> 2008/3/4, Daniel L. Miller [EMAIL PROTECTED]:
> > Does 1.1 support multiple certs?
> >
> > --
> > Daniel
>
> --
> Lampa



Re: [Dovecot] Multiple SSL certs

2007-09-22 Thread Timo Sirainen
On Fri, 2007-09-21 at 18:58 -0400, Noah Kantrowitz wrote:
> I am trying to find a way to have the SSL cert used by Dovecot be
> dependent on the local IP address. So far the only ways I have found is to
> either have two different instances running (annoying because I would need
> to argue with the init scripts a lot) or use the old, undocumented
> server{} sections. Is the latter an acceptable way to do this, or is there
> something better?

I've no idea if the server sections work. If they do, I guess you can
use them. Unfortunately there isn't any good way to do this right now.
I'm planning on leaving this to v2.0 which will have a more flexible
configuration system.





[Dovecot] Multiple SSL certs

2007-09-21 Thread Noah Kantrowitz
I am trying to find a way to have the SSL cert used by Dovecot be
dependent on the local IP address. So far the only ways I have found are to
either have two different instances running (annoying because I would need
to argue with the init scripts a lot) or use the old, undocumented
server{} sections. Is the latter an acceptable way to do this, or is there
something better?


--Noah Kantrowitz