Re: [Dovecot] Multiple SSL certs question

2009-10-28 Thread Jean-Baptiste Vignaud
> Oh, I didn't know this was already in OpenSSL. I'll see about adding
> support for it to v2.0. I'm not entirely sure how to make it
> configurable though. Perhaps instead of having:
>
> local_ip 1.2.3.4 {
>   ssl_cert = /etc/ssl/certs/1.2.3.4
> }
> remote_ip 4.3.2.1 {
> }
>
> I could replace those with:
>
> local host.domain.org {
>   ssl_cert = /etc/ssl/certs/1.2.3.4
> }
> remote host2.domain2.org {
> }
>
> and of course keep the IPs also working.

This would be great!

I searched the Thunderbird Bugzilla, and it seems that they support it:
https://bugzilla.mozilla.org/show_bug.cgi?id=511921#c27


Re: [Dovecot] Multiple SSL certs question

2009-10-28 Thread Timo Sirainen
On Wed, 2009-10-28 at 16:10 +0100, Jean-Baptiste Vignaud wrote:
> > local host.domain.org {
> >   ssl_cert = /etc/ssl/certs/1.2.3.4
> > }
> > remote host2.domain2.org {
> > }
> >
> > and of course keep the IPs also working.
>
> This would be great!

The above works now in v2.0 code tree.




Re: [Dovecot] Multiple SSL certs question

2009-10-27 Thread Timo Sirainen
On Sat, 2009-10-24 at 13:35 +0200, Jean-Baptiste Vignaud wrote:
> Hello;
>
> I was reading the message how to config dovecot for multiple domains,
> multiple SSL certs,

This works in v2.0, assuming you have separate IP for each.

> and conditional IP access -- with passwd-file passdb?,

http://wiki.dovecot.org/PasswordDatabase/ExtraFields/AllowNets can be
added to passwd-file extra fields.

> and I was wondering if Dovecot could support the SNI
> extension of TLS?

Oh, I didn't know this was already in OpenSSL. I'll see about adding
support for it to v2.0. I'm not entirely sure how to make it
configurable though. Perhaps instead of having:

local_ip 1.2.3.4 {
  ssl_cert = /etc/ssl/certs/1.2.3.4
}
remote_ip 4.3.2.1 {
}

I could replace those with:

local host.domain.org {
  ssl_cert = /etc/ssl/certs/1.2.3.4
}
remote host2.domain2.org {
}

and of course keep the IPs also working.




[Dovecot] Multiple SSL certs question

2009-10-24 Thread Jean-Baptiste Vignaud
Hello;

I was reading the message how to config dovecot for multiple domains,
multiple SSL certs, and conditional IP access -- with passwd-file
passdb?, and I was wondering if Dovecot could support the SNI
extension of TLS?

SNI is Server Name Indication, where during the TLS negotiation the
client sets the name of the server it tries to reach.

I don't know if any IMAP/POP client supports this yet, but this would be
a great feature for one IP/multiple virtual domains. Each SNI client
would have the correct certificate and not the 'main/generic' one.

It seems that mutt has a patch for that
http://www.mail-archive.com/mutt-...@mutt.org/msg05251.html