Cert for ip range?


Cert for ip range?

Dovecot mailing list

Is it possible to configure a network for a cert instead of an ip?

Something like this:

local 192.0.2.0 {
    ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
    ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
}

Or

local 192.0.2.0/24 {
    ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
    ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
}

https://wiki.dovecot.org/SSL/DovecotConfiguration




Re: Cert for ip range?


On 21.11.2019 23.57, Marc Roos via dovecot wrote:

> Is it possible to configure a network for a cert instead of an ip?
>
> Something like this:
>
> local 192.0.2.0 {
>     ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
>     ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
> }
>
> Or
>
> local 192.0.2.0/24 {
>     ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
>     ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
> }
>
> https://wiki.dovecot.org/SSL/DovecotConfiguration
>
>
>

Local part supports that.

Aki



Re: Cert for ip range?

On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot <[hidden email]> wrote:

> On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> > Is it possible to configure a network for a cert instead of an ip?
> >
> > Something like this:
> >
> > local 192.0.2.0 {
> >     ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
> >     ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
> > }
> >
> > Or
> >
> > local 192.0.2.0/24 {
> >     ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
> >     ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
> > }
> >
> > https://wiki.dovecot.org/SSL/DovecotConfiguration
>
> Local part supports that.
>
> Aki


On the same topic (though I can start a new thread if preferable), it doesn't appear that you can use wildcards/patterns in the 'local' name, unless I'm missing something--which is quite likely.

If it's not possible currently, can I suggest adding that as a feature? That is, instead of having to list out all the various SNI hostnames that a cert should be used for (e.g. "local pop3.example.com imap.example.com pops.example.com pop.example.com .... {" -- and on and on), it'd be handy to be able to just say "local *.example.com {" and call it a day. I imagine there'd be a bit of a slowdown, since you'd have to loop through patterns on each connection (instead of what I assume is a hash lookup), esp for people with significant amounts of 'local's.


Re: Cert for ip range?


> On 27/11/2019 21:28 Mark Moseley via dovecot <[hidden email]> wrote:
>
>
> On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot <[hidden email]> wrote:
> >
> >  On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> >  > Is it possible to configure a network for a cert instead of an ip?
> >  >
> >  > Something like this:
> >  >
> >  > local 192.0.2.0 {
> >  > ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
> >  > ssl_key = </etc/ssl/dovecot/imap-02.example.com.key.pem
> >  > }
> >  >
> >  > Or
> >  >
> >  > local 192.0.2.0/24 {
> >  > ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
> >  > ssl_key = </etc/ssl/dovecot/imap-02.example.com.key.pem
> >  > }
> >  >
> >  > https://wiki.dovecot.org/SSL/DovecotConfiguration
> >  >
> >  >
> >  >
> >  
> >  Local part supports that.
> >  
> >  Aki
>
>
> On the same topic (though I can start a new thread if preferable), it doesn't appear that you can use wildcards/patterns in the 'local' name, unless I'm missing something--which is quite likely.
>
> If it's not possible currently, can I suggest adding that as a feature? That is, instead of having to list out all the various SNI hostnames that a cert should be used for (e.g. "local pop3.example.com imap.example.com pops.example.com pop.example.com .... {" -- and on and on), it'd be handy to be able to just say "local *.example.com {" and call it a day. I imagine there'd be a bit of a slowdown, since you'd have to loop through patterns on each connection (instead of what I assume is a hash lookup), esp for people with significant amounts of 'local's.
>

Actually that is supported, but you need to use v2.2.35 or later.

Aki

Re: Cert for ip range?

On Wed, Nov 27, 2019 at 11:31 AM Aki Tuomi <[hidden email]> wrote:

> > On 27/11/2019 21:28 Mark Moseley via dovecot <[hidden email]> wrote:
> > >
> > > On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot <[hidden email]> wrote:
> > > >
> > > > On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> > > > > Is it possible to configure a network for a cert instead of an ip?
> > > > >
> > > > > Something like this:
> > > > >
> > > > > local 192.0.2.0 {
> > > > >     ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
> > > > >     ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
> > > > > }
> > > > >
> > > > > Or
> > > > >
> > > > > local 192.0.2.0/24 {
> > > > >     ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
> > > > >     ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
> > > > > }
> > > > >
> > > > > https://wiki.dovecot.org/SSL/DovecotConfiguration
> > > >
> > > > Local part supports that.
> > > >
> > > > Aki
> > >
> > > On the same topic (though I can start a new thread if preferable), it doesn't appear that you can use wildcards/patterns in the 'local' name, unless I'm missing something--which is quite likely.
> > >
> > > If it's not possible currently, can I suggest adding that as a feature? That is, instead of having to list out all the various SNI hostnames that a cert should be used for (e.g. "local pop3.example.com imap.example.com pops.example.com pop.example.com .... {" -- and on and on), it'd be handy to be able to just say "local *.example.com {" and call it a day. I imagine there'd be a bit of a slowdown, since you'd have to loop through patterns on each connection (instead of what I assume is a hash lookup), esp for people with significant amounts of 'local's.
> >
> > Actually that is supported, but you need to use v2.2.35 or later.


Ha, it literally *never* fails (that there's some option I've overlooked 10 times, before asking on the list)

'local' vs 'local_name'. Never noticed the difference before in the docs. Might be worth adding a blurb in https://wiki.dovecot.org/SSL/DovecotConfiguration that 'local_name' takes '*'-style wildcard (at least in the beginning of the hostname). I'll resume my embarrassed silence now. :)
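Both questions in this thread come down to which selector is matched against a connection: a `local` block is matched against the destination IP (a single address or a network such as 192.0.2.0/24), while a `local_name` block is matched against the TLS SNI name the client sends, with a leading `*.` wildcard supported from v2.2.35 on. The following is an added example, not Dovecot's own code and not from anyone in this thread: a small Python parser for top-level `local` and `local_name` blocks over a constructed config, plus the two matching rules, so you can see which certificate a given (destination IP, SNI) pair would be served. Assumptions of the example: the certificate paths are placeholders; the wildcard matches exactly one DNS label (the X.509 wildcard rule); and an SNI match takes precedence over a network match. Check the last two against the Dovecot version you run.

```python
"""Which certificate would a Dovecot-style config serve to a connection?

Added example, not Dovecot's own code. It parses top-level `local` and
`local_name` blocks from a constructed config and applies the two matching
rules discussed in the thread:
  local <ip-or-cidr>     -> matches the connection's *destination* IP
  local_name <hostname>  -> matches the client's TLS SNI name; a leading
                            "*." wildcard matches one DNS label (assumption)
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed configuration; file paths are placeholders, not real files.
SAMPLE_CONFIG = """
ssl_cert = </etc/ssl/dovecot/default.cert.pem
ssl_key  = </etc/ssl/dovecot/default.key.pem

# network-range block from the thread: applies to every address in the /24
local 192.0.2.0/24 {
    ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
    ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
}

# SNI wildcard block (Dovecot v2.2.35+ according to the thread)
local_name *.example.com {
    ssl_cert = </etc/ssl/dovecot/wildcard.example.com.cert.pem
    ssl_key  = </etc/ssl/dovecot/wildcard.example.com.key.pem
}

local_name imap.example.org {
    ssl_cert = </etc/ssl/dovecot/imap.example.org.cert.pem
    ssl_key  = </etc/ssl/dovecot/imap.example.org.key.pem
}
"""

BLOCK_START = re.compile(r"^(local|local_name)\s+(\S+)\s*\{$")


@dataclass
class Block:
    kind: str                       # "local" or "local_name"
    selector: str                   # IP/CIDR or (wildcard) hostname
    settings: dict = field(default_factory=dict)


def parse_config(text):
    """Return (global_settings, [Block, ...]). Only one nesting level is handled."""
    global_settings, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line:
            continue
        m = BLOCK_START.match(line)
        if m:
            if current is not None:
                raise ValueError("nested blocks are not supported by this example")
            current = Block(m.group(1), m.group(2))
        elif line == "}":
            if current is None:
                raise ValueError("unbalanced '}'")
            blocks.append(current)
            current = None
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            target = current.settings if current is not None else global_settings
            target[key.strip()] = value.strip()
    if current is not None:
        raise ValueError("unterminated block")
    return global_settings, blocks


def local_matches(selector, dest_ip):
    """`local 192.0.2.0` (one host) or `local 192.0.2.0/24` (a whole network)."""
    return ipaddress.ip_address(dest_ip) in ipaddress.ip_network(selector, strict=False)


def local_name_matches(pattern, sni):
    """Exact match, or `*.example.com` matching exactly one leading label."""
    if sni is None:                             # client sent no SNI at all
        return False
    sni, pattern = sni.lower().rstrip("."), pattern.lower()
    if not pattern.startswith("*."):
        return sni == pattern
    suffix = pattern[1:]                        # ".example.com"
    prefix = sni[:-len(suffix)] if sni.endswith(suffix) else None
    return bool(prefix) and "." not in prefix   # "a.b.example.com" does not match


def select_cert(config_text, dest_ip, sni=None):
    """Certificate path served for a connection to dest_ip with the given SNI.

    Precedence is this example's assumption: an SNI match wins over a network
    match, and a block without its own ssl_cert falls back to the global one.
    """
    global_settings, blocks = parse_config(config_text)
    checks = (
        ("local_name", lambda b: local_name_matches(b.selector, sni)),
        ("local", lambda b: local_matches(b.selector, dest_ip)),
    )
    for kind, matches in checks:
        for block in blocks:
            if block.kind == kind and matches(block):
                return block.settings.get("ssl_cert", global_settings.get("ssl_cert"))
    return global_settings.get("ssl_cert")


if __name__ == "__main__":
    for ip, name in [("192.0.2.10", None), ("198.51.100.5", "imap.example.com"),
                     ("198.51.100.5", "a.b.example.com"), ("192.0.2.10", "imap.example.org")]:
        print(f"{ip:<14} sni={name!s:<20} -> {select_cert(SAMPLE_CONFIG, ip, name)}")
```

The point to take from the network case is that a `local 192.0.2.0/24` block applies to every address in that range, so a prefix length that is one bit too wide silently puts that certificate in front of clients connecting to other addresses, which surfaces as hostname-mismatch errors on the client side rather than anything in the server log. On a live server the equivalent check is `openssl s_client -connect <host>:993 -servername imap.example.com` for each name and address you care about, comparing the subject of the returned certificate with what the config is supposed to select.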

RE: Cert for ip range?

How can I bind the managesieve to the internal use network/interface?

service managesieve-login {
  inet_listener sieve {
    address = 192.168.10.0/24
    port = 4190
  }
}


-----Original Message-----
From: Mark Moseley via dovecot [mailto:[hidden email]]
Sent: woensdag 27 november 2019 22:06
To: Aki Tuomi
Cc: Mark Moseley via dovecot
Subject: Re: Cert for ip range?

> On Wed, Nov 27, 2019 at 11:31 AM Aki Tuomi <[hidden email]> wrote:
>
> > On 27/11/2019 21:28 Mark Moseley via dovecot <[hidden email]> wrote:
> > >
> > > On Tue, Nov 26, 2019 at 11:22 PM Aki Tuomi via dovecot <[hidden email]> wrote:
> > > >
> > > > On 21.11.2019 23.57, Marc Roos via dovecot wrote:
> > > > > Is it possible to configure a network for a cert instead of an ip?
> > > > >
> > > > > Something like this:
> > > > >
> > > > > local 192.0.2.0 {
> > > > >     ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
> > > > >     ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
> > > > > }
> > > > >
> > > > > Or
> > > > >
> > > > > local 192.0.2.0/24 {
> > > > >     ssl_cert = </etc/ssl/dovecot/imap-02.example.com.cert.pem
> > > > >     ssl_key  = </etc/ssl/dovecot/imap-02.example.com.key.pem
> > > > > }
> > > > >
> > > > > https://wiki.dovecot.org/SSL/DovecotConfiguration
> > > >
> > > > Local part supports that.
> > > >
> > > > Aki
> > >
> > > On the same topic (though I can start a new thread if preferable), it doesn't appear that you can use wildcards/patterns in the 'local' name, unless I'm missing something--which is quite likely.
> > >
> > > If it's not possible currently, can I suggest adding that as a feature? That is, instead of having to list out all the various SNI hostnames that a cert should be used for (e.g. "local pop3.example.com imap.example.com pops.example.com pop.example.com .... {" -- and on and on), it'd be handy to be able to just say "local *.example.com {" and call it a day. I imagine there'd be a bit of a slowdown, since you'd have to loop through patterns on each connection (instead of what I assume is a hash lookup), esp for people with significant amounts of 'local's.
> >
> > Actually that is supported, but you need to use v2.2.35 or later.
>
> Ha, it literally *never* fails (that there's some option I've overlooked 10 times, before asking on the list)
>
> 'local' vs 'local_name'. Never noticed the difference before in the docs. Might be worth adding a blurb in https://wiki.dovecot.org/SSL/DovecotConfiguration that 'local_name' takes '*'-style wildcard (at least in the beginning of the hostname). I'll resume my embarrassed silence now. :)