# SSL Configuration

For more details see:

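```
disable_plaintext_auth = no
```

Controls whether plaintext authentication is allowed or clients are required to always use SSL/TLS. With `no`, plaintext authentication is allowed on connections that are not protected by SSL/TLS.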

```
ssl_cert = </etc/dovecot/dovecot.crt
ssl_key = </etc/dovecot/dovecot.key
```

SSL certificate and SSL secret key files. You must use the `<` prefix so that Dovecot reads the cert/key from the file. (Without `<`, Dovecot assumes that the certificate is included directly in dovecot.conf.) To use different SSL certificates for different IP addresses, put them inside `local {}` blocks:

```
local 10.0.0.1 {
  ssl_cert = </etc/dovecot/dovecot.crt
  ssl_key = </etc/dovecot/dovecot.key
}
local 10.0.0.2 {
  ssl_cert = </etc/dovecot/dovecot2.crt
  ssl_key = </etc/dovecot/dovecot2.key
}
```


If you need different SSL certificates for the IMAP and POP3 protocols, you can put them inside `protocol {}` blocks:

```
local 10.0.0.1 {
  protocol imap {
    ssl_cert = </etc/dovecot/dovecot-imap.crt
    ssl_key = </etc/dovecot/dovecot-imap.key
  }
  protocol pop3 {
    ssl_cert = </etc/dovecot/dovecot-pop3.crt
    ssl_key = </etc/dovecot/dovecot-pop3.key
  }
}
```


Dovecot also supports using the TLS SNI extension to serve different SSL certificates based on the server name when only a single IP address is used, but TLS SNI isn't yet supported by all clients, so it may not be very useful.

It can still be configured by using `local_name imap.example.com {}` blocks.
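The `<` prefix rule and the per-block certificate overrides described above can be checked mechanically before a reload. The following is an added example, not part of Dovecot or its documentation: `lint_ssl` is a hypothetical helper with a simplified parser (one setting per line, `#` comments, `{`/`}` blocks), and the sample config is constructed.

```python
import re

# Constructed sample config (not from a real server): the local block omits
# the "<" prefix on ssl_cert, and the protocol block sets a cert without a key.
SAMPLE = """\
ssl_cert = </etc/dovecot/dovecot.crt
ssl_key = </etc/dovecot/dovecot.key
local 10.0.0.2 {
  ssl_cert = /etc/dovecot/dovecot2.crt
  ssl_key = </etc/dovecot/dovecot2.key
}
local_name imap.example.com {
  protocol imap {
    ssl_cert = </etc/dovecot/dovecot-imap.crt
  }
}
"""

SETTING = re.compile(r"^(ssl_cert|ssl_key)\s*=\s*(.*)$")

def lint_ssl(conf_text):
    """Return (line_no, scope, message) findings for ssl_cert/ssl_key settings."""
    findings = []
    stack = [("global", {})]  # one (scope label, {setting: line_no}) per open block

    def close(label, seen):
        # Heuristic: a scope overriding only one half of the pair keeps the
        # other half from an outer scope, so cert and key may not match.
        for have, want in (("ssl_cert", "ssl_key"), ("ssl_key", "ssl_cert")):
            if have in seen and want not in seen:
                findings.append((seen[have], label, f"{have} set without {want}"))

    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            header, parent = line[:-1].strip(), stack[-1][0]
            stack.append((header if parent == "global" else f"{parent} > {header}", {}))
        elif line == "}" and len(stack) > 1:
            close(*stack.pop())
        elif (m := SETTING.match(line)):
            name, value = m.groups()
            stack[-1][1][name] = no
            # Without "<" the value is taken as inline PEM data, not a file path.
            if not value.startswith(("<", "-----BEGIN")):
                findings.append((no, stack[-1][0], f"{name} lacks '<' prefix"))
    close(*stack[0])
    return findings

if __name__ == "__main__":
    for no, scope, msg in lint_ssl(SAMPLE):
        print(f"line {no} [{scope}]: {msg}")
```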