imaps with multiple hostnames

Ken Murchison ken at oceana.com
Wed Nov 19 10:00:55 EST 2003


Craig Ringer wrote:

> Hi folks
> 
> I'm running into a bit of an issue setting up Cyrus for TLS security, 
> and was hoping someone could help me out.
> 
> The host must be accessible using two different hostnames - one for 
> external IMAPs via our gateway, and one for internal IMAPs with the 
> host's name on our internal network. This is causing problems with SSL 
> certs, and I was hoping there was a way to create a single certificate 
> with multiple allowed hostnames.
> 
> The only option I see otherwise is to host a modified version of our 
> externally-visible DNS on our internal DNS server and provide a 
> different value for 'mail.postnewspapers.com.au' (or whatever) that 
> points to the internal host. I'm currently using a fake domain 
> (.localnet) for internal DNS and using the real domain for externally 
> visible public services only.
> 
> The gateway will just be forwarding IMAPs traffic to the internal mail 
> server using firewall rules.
> 
> Ideally, I'd like to be able to set up a cert to allow both (say) 
> 'mail.localnet' and 'mail.postnewspapers.com.au' as hostnames. If this 
> is possible, are there any issues with doing so such as some mail 
> clients not recognising the two hostnames?
> 
> Any other suggestions?

Ideally, your client would use the Server Name Indication extension in 
RFC 3546.  I don't know if any client uses this, and even if they do, I 
haven't checked to see if OpenSSL supports it yet.

Otherwise, you could run two separate imapds listening on different IP 
addresses and using different config files (so you can specify different 
certs).

Your cyrus.conf could look something like this:

   SERVICES {
     imaps     cmd="imapd -s" listen="mail.postnewspapers.com.au:imaps"
     imapsint  cmd="imapd -s -C /etc/imapd.conf.int" listen="mail.localnet:imaps"
   }

The internal and external DNS names should obviously resolve to 
different IP addresses.  The contents of imapd.conf and imapd.conf.int 
would be the same except for the tls_* options.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
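The other route Craig asks about, one certificate that is valid for both names, is done with a subjectAltName extension listing both DNS names. The following is an added example, not code from the thread or from the Cyrus project: it generates such a self-signed certificate with openssl for the two hostnames from the question (the work directory and file names are assumptions), and then checks which names the certificate verifies for using the same hostname check a client performs. Whether a particular mail client of that era honours subjectAltName rather than only the CN is something to confirm against the client itself; if it does, a single certificate serves both names and one imapd configuration is enough.

```shell
#!/bin/sh
# Added example (not from the Info-cyrus thread): one self-signed cert whose
# subjectAltName carries both hostnames, plus a client-style hostname check.
# The two hostnames are the ones from the question; WORK and the file names
# under it are assumptions for this example.
set -e

WORK=${WORK:-$(mktemp -d)}
EXT_HOST=mail.postnewspapers.com.au
INT_HOST=mail.localnet

# Write an openssl config whose extension section lists both names.
# "openssl req" insists on a distinguished_name section, so the CN lives there
# and prompt=no makes it read the DN from the file instead of asking.
write_san_config() {
    cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no

[dn]
CN = $EXT_HOST

[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$EXT_HOST, DNS:$INT_HOST
EOF
}

# Generate a private key and a self-signed certificate covering both names.
make_san_cert() {
    write_san_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/san.cnf" >/dev/null 2>&1
}

# Return 0 if the certificate verifies for the hostname given as $1, 1 if not.
# For a self-signed cert the cert itself is the trust anchor, hence -CAfile.
# -verify_hostname applies the DNS-name matching a TLS client would do.
cert_covers() {
    openssl verify -CAfile "$WORK/cert.pem" -verify_hostname "$1" \
        "$WORK/cert.pem" >/dev/null 2>&1
}

# Show the SAN line so the admin can see exactly what a client will see.
show_san() {
    openssl x509 -in "$WORK/cert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name'
}
```

Run make_san_cert, then `cert_covers mail.localnet` and `cert_covers mail.postnewspapers.com.au` both succeed while any other name fails; the resulting cert.pem and key.pem are what the tls_* options in imapd.conf would point at.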