Joined: 21 Jun 2006
Posted: Fri Jan 22, 2016 12:23 pm Post subject: courier-imapd + gnutls + one public IP with multiple domains
For years I have been running Courier-IMAP and postfix for my mail in a simple setup. One public IP with a single hostname - easy as can be. Works great and I am happy.
Lately I had the need to introduce multiple domain names, which led me to using e.g. apache vhosts for hosting them on the single public IP. Also no issue including proper SSL certs per domain, as I can easily specify a specific CertFile per vhost.
Postfix & Courier IMAP however are a problem when it comes to SSL Certs. With a dedicated IP per domain it should be easy according to the docs but with a single IP...
Is anyone out there who operates Courier-IMAP/postfix with multiple domain names on a single IP with SSL and no warning message on client side (regarding name mismatch at least)? If yes, some hints on how to configure Postfix and Courier?
In Courier config I found:
# VIRTUAL HOSTS (servers only):
# Due to technical limitations in the original SSL/TLS protocol, a dedicated
# IP address is required for each virtual host certificate. If you have
# multiple certificates, install each certificate file as
# $TLS_CERTFILE.aaa.bbb.ccc.ddd, where "aaa.bbb.ccc.ddd" is the IP address
# for the certificate's domain name. So, if TLS_CERTFILE is set to
# /etc/certificate.pem, then you'll need to install the actual certificate
# files as /etc/certificate.pem.192.168.0.2, /etc/certificate.pem.192.168.0.3
# and so on, for each IP address.
# GnuTLS only (servers only):
# GnuTLS implements a new TLS extension that eliminates the need to have a
# dedicated IP address for each SSL/TLS domain name. Install each certificate
# as $TLS_CERTFILE.domain, so if TLS_CERTFILE is set to /etc/certificate.pem,
# then you'll need to install the actual certificate files as
# /etc/certificate.pem.host1.example.com, /etc/certificate.pem.host2.example.com
# and so on.
# Note that this TLS extension also requires a corresponding support in the
# client. Older SSL/TLS clients may not support this feature.
# This is an experimental feature.
That sounded promising, so I compiled courier with the gnutls flag and tried the GnuTLS-only hints above, meaning:
I placed my certs in the following locations:
But it simply says "/etc/courier-imap/imapd.pem" no such file upon startup (when running init-script start)
Any input is appreciated. Thanks!
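An added example, not part of the original post and not Courier's own tooling: a small POSIX shell check for the GnuTLS per-domain naming scheme quoted from the config comment above. It assumes that the base TLS_CERTFILE must be present as the default certificate in addition to the $TLS_CERTFILE.domain files (the startup error quoted in the post names exactly that base file), and that each file carries the private key and the certificate together, as Courier's PEM files do. The paths and domain names used in the comments are placeholders.

```shell
#!/bin/sh
# Sanity check for Courier's GnuTLS SNI certificate layout (added example).
# Usage: check_courier_certs /etc/courier-imap/imapd.pem host1.example.com host2.example.com
# Assumption: the base TLS_CERTFILE is still required as the default certificate;
# the per-domain files only add to it.

# Return 0 if the file is readable and contains both a private key and a
# certificate block (Courier keeps key and cert in one PEM file), else 1.
pem_has_key_and_cert() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
    grep -q -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" || return 1
    return 0
}

# Print the certificate subject when openssl is available; purely informational,
# so a mismatch between subject and domain name is shown but not counted.
show_subject() {
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^/         /'
    fi
}

# Check the base TLS_CERTFILE plus one $TLS_CERTFILE.<domain> file per domain.
# Prints one line per file and returns the number of problems found (0 = all good).
check_courier_certs() {
    base="$1"
    shift
    problems=0
    if pem_has_key_and_cert "$base"; then
        echo "ok       $base (default certificate)"
        show_subject "$base"
    else
        echo "MISSING  $base (default certificate; the daemon reports this file at startup)"
        problems=$((problems + 1))
    fi
    for d in "$@"; do
        f="$base.$d"
        if pem_has_key_and_cert "$f"; then
            echo "ok       $f"
            show_subject "$f"
        else
            echo "MISSING  $f (no key+cert PEM for $d)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# When run as a script with arguments, perform the check; otherwise only define
# the functions so the file can be sourced.
if [ "$#" -ge 1 ]; then
    check_courier_certs "$@"
fi
```

Run it as root on the mail host with the TLS_CERTFILE value from imapd-ssl (and separately for pop3d-ssl if that is in use) and every domain name clients will send via SNI; a non-zero exit count tells you how many files are missing or lack a key or certificate block, and the subject lines let you spot a certificate installed under the wrong domain suffix.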