[POLL] Cyrus 2.2 virtdomains behavior (Was: global admin without defaultdomain?)

Kendrick Vargas ken at hudat.com
Sat Jan 3 01:28:20 EST 2004

On Fri, 2 Jan 2004, Paul Boven wrote:

> Christos Soulios wrote:
> > Security is one thing. More than this, my opinion is that in order for cyrus 
> > to be deployed in a true multi-domain environment, and thus actually be 
> > used by ISPs, admins must be able to distribute the virtual domains 
> > according to the name of the server users are connecting to. In such a 
> > multi-domain environment, users have no ability to choose their domain 
> > by appending a @domain to their userid.
> Security is a very important thing. And security to me means encryption, 
> not only of the authentication phase but of the whole session. Now with 
> HTTPS I know you lose the ability to support virtual domains, because 
> the TLS session must be set up before the requested URL is transferred. 
> This means you can only have one hostname per IP address as soon as you 
> use SSL. Wouldn't you run into the same problem when enabling virtual 
> domain support on cyrus?

I think you are confusing virtual domain support with Apache virtual-host 
style support. Virtual domain support (as I understand it) is just 
supposed to be the ability to maintain mailboxes separated for each of a 
bunch of domains.

In this case, the SSL negotiation is handled between the client and the
server before any authentication happens. The only time this would matter 
to you is if you want your imap server to have different names, which has 
absolutely no bearing on the actual functionality of the virtual domain 
support. In that case, you could probably (through command line options 
specified in cyrus.conf) run different instances of imapd on each 
interface with different imapd.confs with separate SSL configs. 

The only reason this matters is if you want each client to connect to 
imap.theirdomain.com (or some such) for imap/pop access, and additionally 
set up SSL for each one individually. Why anyone would do this over just 
having one imap access point is beyond me. In my reluctant experience, it 
just raises maintenance and support overhead.
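The per-interface layout sketched in the post above, written out as an added example; this is not configuration from the original message or from the Cyrus project, and the addresses, hostnames and file paths are made up for illustration. One cyrus.conf starts two imaps listeners, each bound to its own address and each pointed at its own imapd.conf through imapd's -C option, so the certificate a client is shown during the TLS handshake matches the hostname it connected to. Because the handshake completes before the client sends any login, the server cannot learn the intended domain from the userid at that point; the bound address is the only thing that selects the certificate.

```conf
# /etc/cyrus.conf (hypothetical excerpt): one imaps listener per address,
# each with its own imapd.conf chosen via imapd -C.
SERVICES {
  # imap.example.com resolves to 192.0.2.10 (made-up address)
  imaps_com  cmd="imapd -s -C /etc/imapd-com.conf"  listen="192.0.2.10:imaps"  prefork=0
  # imap.example.net resolves to 192.0.2.11 (made-up address)
  imaps_net  cmd="imapd -s -C /etc/imapd-net.conf"  listen="192.0.2.11:imaps"  prefork=0
}

# /etc/imapd-com.conf (hypothetical): certificate for imap.example.com
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
virtdomains: userid
tls_cert_file: /etc/ssl/certs/imap.example.com.pem
tls_key_file: /etc/ssl/private/imap.example.com.key

# /etc/imapd-net.conf (hypothetical): identical, except the certificate
# and key belong to imap.example.net
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
virtdomains: userid
tls_cert_file: /etc/ssl/certs/imap.example.net.pem
tls_key_file: /etc/ssl/private/imap.example.net.key
```

Both instances share the same configdirectory and spool, so everything other than tls_cert_file and tls_key_file should stay identical between the two files; otherwise the two listeners would disagree about how the one mailbox store is laid out. To check which certificate each name presents, connect to each address with `openssl s_client -connect 192.0.2.10:993` and `openssl s_client -connect 192.0.2.11:993` and compare the subject of the certificate printed in each handshake.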

