[Dovecot] SSL Compatibility? SNI vs SAN (Subject Alternative Names) and multiple domains

Thomas Harold thomas-lists at nybeta.com
Thu Mar 17 06:10:16 EET 2011

On 3/16/2011 7:21 PM, Ed W wrote:
>> How big of an issue is a cert with half a dozen or a dozen SANs
>> attached?  Do most mail clients handle that sort of certificate properly
>> in order to access their mailboxes?
> I think it's been discussed here before, but roughly speaking yes it
> works fine.  I use it on my mailservers and don't obviously see problems
> with common clients.

I had looked through my mail archives back through 2008, found a threads 
on the topic.

For posterity's sake (and if anyone wants to dig those up)... One from 
Jan 2010 titled "Dovecot version 2 and multiple SSL certificates" which 
is covered in the Wiki (using SNI).  Prior to that was a topic from Dec 
2009 titled "virtual domains and SSL certificates" (which boiled down to 
"wait for Dovecot 2.x").  And one from Nov 2009 titled "Dovecot SSL 
limitations" (which talks about SAN certificates).

I'm just leery of using SNI because it's from circa 2006, so is rather 
new.  So for the next few years it sounds like a SAN cert is still the 
way to go even with the downsides.

I guess the big issue with SAN certs is that I'll need to make sure to 
identify every DNS name that could possible be attached to that server's 
IP and/or services that I'll want to use SSL for (not just Dovecot for 
POP3/IMAP, but also Postfix, PostgreSQL and Apache).

> I think in the archives you might find that there are a few less common
> clients which aren't happy, but I think all modern MS clients, and the
> other big alternatives are fine?

I suspect so, all of my expected users are either using Thunderbird 3.x 
or fairly modern versions of MS Outlook (2003+).  The rest can just use 
the webmail client.

> I bought from godaddy because it was quite cheap to get such a cert...

Leaning towards DigiCert at the moment, personally not a GoDaddy fan 
(and that's a whole different topic).  Verisign and Thawte were rather 
pricey compared to DigiCert.  Not terribly interested in the free certs 
because this SSL cert would also be used for non-company users and we 
don't want browser warnings to pop up.

> Good luck
> Ed W

Thanks.  I thought I understood this a few years ago when I did my first 
Dovecot + SSL install, but apparently I did not grasp some of the 
subtleties with regards to SSL vs STARTTLS.

More information about the dovecot mailing list