[Dovecot] SSL Compatibility? SNI vs SAN (Subject Alternative Names) and multiple domains

Thomas Harold thomas-lists at nybeta.com
Wed Mar 16 21:44:31 EET 2011

Getting ready to redo our mail server setup and I'm trying to wrap my 
head around the ins and outs and pratfalls involved in SSL, multiple 
domains, and Dovecot.  I've taken a look at:


My basic understanding at this point is that:

- With SSL for IMAP/POP3, it is limited to one certificate per IP 
address, because the SSL process starts as soon as the client opens the 
socket to the IP address.  In order to support multiple domains / server 
names, you have to rely on SAN (Subject Alternative Names) in the 
server's SSL certificate.

- If I use STARTTLS for IMAP/POP3 and Dovecot 2.x, then the SNI process 
will allow the client to specify that they want to talk to mail server 
XYZ and Dovecot will hand the correct certificate to the client. 
However, a lot of devices don't support SNI yet so this is fraught with 
peril and incompatibilities.

So it seems like if I have fewer IP addresses then mail server names, I 
should stick with a single SSL cert and use SANs.  (Wildcard certs are 
not an option due to the top level domain being different.)

How big of an issue is a cert with half a dozen or a dozen SANs 
attached?  Do most mail clients handle that sort of certificate properly 
in order to access their mailboxes?

Reference links:


More information about the dovecot mailing list