Hello
Quick answer
On 03/05/2023 08:25, Wojtek wrote:
Hi,
quick questions:
1) does James support multiple certificates (so I can provide one for
each configured domain/hostname)?
No.
Mail is not an HTTP server. OSI level 7 protocols do NOT carry information
allowing one to resolve the domain (like a hostname in HTTP) upon establishing
the connection. Only the login would carry the email address, whose domain part
would allow resolving this. Needless to say: you MUST have SSL already
set up when authenticating... This information just comes too late...
The only solution for IMAP would be to have one distinct port / address
per domain: not very practical..
Note: SMTP + STARTTLS would allow this, as there is a first EHLO request
sent to request the capabilities, hence STARTTLS would 'know' which
certificate to use...
Note: If you are building advanced email services, using JMAP, which is HTTP
backed, would be a natural fit, where native HTTP tooling like NGinx
would allow configuring this like a charm without headache...
2) is it possible to update certificates without restarting (rest
endpoint)?
No. Contributing this might be huge work but is welcomed... Please open a
JIRA on this...
Note:
-> STARTTLS is known to be less secure than upfront SSL, cf.
https://nostarttls.secvuln.info, thus for new services I would advocate
anyway to NOT set up STARTTLS endpoints for your users, just SSL...
-> If you take STARTTLS out then encryption becomes a transport problem,
handled at layer 4 by all common TCP proxies, which themselves would
support hot reload. Without any additional DEV in James.
Added benefits: SSL not done in Java means you would save your precious
CPU ;-)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org
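The "encryption as a transport problem" approach from the reply above, as an added example that is not part of the thread and not James project configuration: an nginx "stream" block terminates implicit TLS for IMAPS (993) and submission (465) and forwards plaintext to James on the loopback interface. All values are assumptions: that James listens in plaintext on 127.0.0.1:143 and 127.0.0.1:587, and the certificate paths are placeholders.

```nginx
# Added example, not from the thread or the James project.
# Assumptions (hypothetical): James listens in plaintext on 127.0.0.1:143
# (IMAP) and 127.0.0.1:587 (submission); certificate paths are placeholders.
stream {
    # IMAPS on 993: TLS is terminated by nginx, James only ever sees plaintext
    # IMAP arriving on loopback. No STARTTLS is offered anywhere.
    server {
        listen 993 ssl;
        ssl_certificate     /etc/ssl/mail/fullchain.pem;   # placeholder path
        ssl_certificate_key /etc/ssl/mail/privkey.pem;     # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;
        proxy_pass          127.0.0.1:143;
    }

    # Submission over implicit TLS on 465, same pattern.
    server {
        listen 465 ssl;
        ssl_certificate     /etc/ssl/mail/fullchain.pem;   # placeholder path
        ssl_certificate_key /etc/ssl/mail/privkey.pem;     # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;
        proxy_pass          127.0.0.1:587;
    }
}
```

Renewing the certificate then only needs `nginx -s reload` (or `systemctl reload nginx`), which re-reads the files without dropping established connections, which is the hot reload the reply refers to. Two points a practitioner should check: James's plaintext listeners must be bound to 127.0.0.1 only, since anything that can reach them bypasses TLS entirely; and James will log the proxy's address rather than the client's, which affects abuse detection and rate limiting based on source IP.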