[POLL] Cyrus 2.2 virtdomains behavior (Was: global admin without defaultdomain?)

Ken Murchison ken at oceana.com
Sat Jan 3 16:00:51 EST 2004 

Christos Soulios wrote:

> Quoting Rob Siemborski <rjs3 at andrew.cmu.edu>:
> 
> 
>>On Fri, 2 Jan 2004, Christos Soulios wrote:
>>
>>
>>>Rob Siemborski wrote:
>>>
>>>>On Fri, 2 Jan 2004, Paul Boven wrote:
>>>>
>>>>The only argument I currently completely understand for an IP-only based
>>>>setup is that of sites that need to distinguish ANONYMOUS users between
>>>>domains (and prehaps that is good enough).
>>>
>>>What about being able to determine the virtual domain based on the ip
>>>address and presenting different ssl certificate for each domain?  Even
>>>presenting different host name, one that is in accordance to the ssl
>>>certificate. All this happens long before authentication. Right? This
>>>would be really nice to implement.
>>
>>You can do that in a model that still allows users to add an @ sign and a
>>domain to their userid.
>>
> 
> 
> I cannot figure out how this can be achieved. And to make it clear, I will give
> an example. 
> 
> I have two domains domain1.com and domain2.com which are hosted by the hosts
> imap.domain1.com and imap.domain2.com respectively. These two servers must have
> two different certificates with cn=imap.domain1.com and cn=imap.domain2.com 
> 
> When the user connects to the imap.domain1.com and long before the user
> authentication takes place, the cyrus must be able to present the correct
> certificate. Because most mail clients will not accept to connect to the imap
> host imap.domain1.com and be presented a certificate with cn=imap.otherdomain.com
> 
> But how can cyrus be able to know which is the correct certificate to present?
> Of course, not by retrieving the domain by the userid suffix. Then it is too
> late. The authentication has already taken place. In my opinion this must have
> taken place by the time the user connects. And then the only way for cyrus to
> determine the correct virtual domain is _only_ using the ip address of the
> server interface.  
> 
> Am I right or am I missing something here?

IMO this should be handled by TLS.  There is an extension (RFC 3546) to 
handle this, but I don't think its had wide deployment yet.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp

More information about the Info-cyrus mailing list