Re: Certificate selection by IP

From: Andreas Winkelmann (no email)
Date: Fri Jan 12 2007 - 05:39:24 EST

  • Next message: Joseph Brennan: "Re: A script for fixing bare newlines in mailbox files?"

    On Friday 12 January 2007 10:35, Janne Peltonen wrote:

    > Is it possible to configure Cyrus so that the server certificate it
    > provides would depend on the IP used to connect to it?
    >
    > Our current system has users differentiated by faculty so that a user
    > configures her imaps server according to her faculty. Each faculty has
    > its own imaps server fqdn each of which corresponds to a different IP.
    > Each real physical server serves multiple faculties. Each server has
    > multiple IPs and a separate stunnel instance for each IP/fqdn/faculty.
    > Thus, we can have a separate certificate for each IP/fqdn/faculty, even
    > if there are many faculties served by one Cyrus server.
    >
    > We are upgrading our system, and want to get rid of the stunnels.
    > Moreover, we want to give our users a unified system image. So in theory
    > we could get by with only one fqdn for each user. But we'd like to avoid
    > having all our approx 50 000 users reconfigure their imaps clients. So
    > we'd like to have our unified server (or a cluster of servers) continue
    > providing imaps service on the faculty-based fqdns/IPs. Problem is, some
    > widely-used clients (notably Thunderbird/Icedove) are picky about the CN
    > of the certificate matching the fqdn they are using to connect. But if
    > Cyrus will give the same certificate no matter the IP it is connected
    > via, that's what'll happen.
    >
    > So. Can Cyrus be configured to give different certificates based on the
    > server IP?

    /etc/cyrus.conf

    imap1 cmd="imapd" listen="ip.add.ress.1:imap" prefork=1
    imap2 cmd="imapd" listen="ip.add.ress.2:imap" prefork=1
    ...

    /etc/imapd.conf

    imap1_tls_cert_file: xxx1
    imap2_tls_cert_file: xxx2
    ...

    should work.

    -- 
    	Andreas
    ----
    Cyrus Home Page: http://cyrusimap.web.cmu.edu/
    Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
    List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
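
The per-service override in the reply only takes effect when the prefix in imapd.conf matches the service name in cyrus.conf exactly. The following is an added example, not part of the original message or of Cyrus itself, that cross-checks the two files; the sample addresses and paths, the SERVICES wrapper, and the fallback to an unprefixed tls_cert_file are assumptions.

```python
import re

# Constructed sample configs; addresses and paths are placeholders.
CYRUS_CONF = """
SERVICES {
  imap1 cmd="imapd" listen="192.0.2.10:imap" prefork=1
  imap2 cmd="imapd" listen="192.0.2.11:imap" prefork=1
  imap3 cmd="imapd" listen="192.0.2.12:imap" prefork=1
}
"""
IMAPD_CONF = """
tls_cert_file: /etc/ssl/cyrus/default.pem
imap1_tls_cert_file: /etc/ssl/cyrus/faculty1.pem
imap2_tls_cert_file: /etc/ssl/cyrus/faculty2.pem
imap4_tls_cert_file: /etc/ssl/cyrus/faculty3.pem
"""

def parse_services(text):
    """Map service name -> listen value for each imapd entry in cyrus.conf."""
    services = {}
    for raw in text.splitlines():
        m = re.match(r"(\w+)\s+(.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        args = {k: q or u for k, q, u in
                re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(2))}
        if args.get("cmd", "").split()[:1] == ["imapd"] and "listen" in args:
            services[m.group(1)] = args["listen"]
    return services

def parse_options(text):
    """Map option name -> value for 'name: value' lines in imapd.conf."""
    return dict(re.findall(r"^(\w+):[ \t]*(\S.*?)[ \t]*$", text, re.M))

def audit(cyrus_conf, imapd_conf):
    """Return (listen address -> certificate file, list of findings)."""
    services, opts = parse_services(cyrus_conf), parse_options(imapd_conf)
    certs, findings = {}, []
    for name, listen in services.items():
        cert = opts.get(f"{name}_tls_cert_file")
        if cert is None:  # assumed fallback to the unprefixed option
            cert = opts.get("tls_cert_file")
            findings.append(f"{name} ({listen}): falls back to {cert}")
        certs[listen] = cert
    for key in opts:
        svc = key[:-len("_tls_cert_file")]
        if key.endswith("_tls_cert_file") and svc not in services:
            findings.append(f"{key}: no service named {svc} in cyrus.conf")
    return certs, findings
```

A listener reported as falling back would present the shared certificate, which is the CN mismatch the question describes; an override naming a nonexistent service usually indicates a typo in the prefix.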
    
