[POLL] Cyrus 2.2 virtdomains behavior (Was: global admin without defaultdomain?)
Ken Murchison
ken at oceana.com
Sat Jan 3 16:00:51 EST 2004
Christos Soulios wrote:
> Quoting Rob Siemborski <rjs3 at andrew.cmu.edu>:
>
>
>>On Fri, 2 Jan 2004, Christos Soulios wrote:
>>
>>
>>>Rob Siemborski wrote:
>>>
>>>>On Fri, 2 Jan 2004, Paul Boven wrote:
>>>>
>>>>The only argument I currently completely understand for an IP-only based
>>>>setup is that of sites that need to distinguish ANONYMOUS users between
>>>>domains (and perhaps that is good enough).
>>>
>>>What about being able to determine the virtual domain based on the ip
>>>address and presenting different ssl certificate for each domain? Even
>>>presenting different host name, one that is in accordance to the ssl
>>>certificate. All this happens long before authentication. Right? This
>>>would be really nice to implement.
>>
>>You can do that in a model that still allows users to add an @ sign and a
>>domain to their userid.
>>
>
>
> I cannot figure out how this can be achieved. And to make it clear, I will give
> an example.
>
> I have two domains domain1.com and domain2.com which are hosted by the hosts
> imap.domain1.com and imap.domain2.com respectively. These two servers must have
> two different certificates with cn=imap.domain1.com and cn=imap.domain2.com
>
> When the user connects to imap.domain1.com, and long before the user
> authentication takes place, Cyrus must be able to present the correct
> certificate, because most mail clients will not accept connecting to the imap
> host imap.domain1.com and being presented a certificate with cn=imap.otherdomain.com.
>
> But how can cyrus be able to know which is the correct certificate to present?
> Of course, not by retrieving the domain by the userid suffix. Then it is too
> late. The authentication has already taken place. In my opinion this must have
> taken place by the time the user connects. And then the only way for cyrus to
> determine the correct virtual domain is _only_ using the ip address of the
> server interface.
>
> Am I right or am I missing something here?
IMO this should be handled by TLS. There is an extension (RFC 3546) to
handle this, but I don't think it's had wide deployment yet.
--
Kenneth Murchison                Oceana Matrix Ltd.
Software Engineer                21 Princeton Place
716-662-8973 x26                 Orchard Park, NY 14127
--PGP Public Key--               http://www.oceana.com/~ken/ksm.pgp
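The RFC 3546 extension Ken refers to is server_name (SNI): the client puts the host name it intends to reach into the ClientHello, so the server can pick the matching certificate before any IMAP command, let alone a LOGIN or AUTHENTICATE, is sent. The following is an added illustration, not Cyrus code and not part of the original thread. It builds a constructed ClientHello carrying the server_name extension, parses the name back out of the raw record, and maps it to a certificate path; the certificate paths and the cert_by_name table are hypothetical, and the host names are the ones used in the thread above.

```python
import struct

# TLS constants from RFC 2246 / RFC 3546 (assumed values are spelled out so
# the record layout is visible).
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000   # RFC 3546 server_name extension type
NAME_TYPE_HOST_NAME = 0x00


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample
    input, not a captured packet). With server_name=None no extensions block
    is emitted, which is what a pre-RFC 3546 client would send."""
    body = b"\x03\x03" + b"\x11" * 32          # client_version + random
    body += b"\x00"                            # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f" # one cipher suite
    body += b"\x01\x00"                        # null compression only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([NAME_TYPE_HOST_NAME]) + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension,
    or None when the client sent no such extension. Raises ValueError on
    records that are not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                               # skip client_version and random
    pos += 1 + body[pos]                       # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                       # compression_methods
    if pos + 2 > len(body):
        return None                            # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions overrun record")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        lpos = 2
        while lpos + 3 <= 2 + list_len:
            ntype = edata[lpos]
            nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
            nval = edata[lpos + 3:lpos + 3 + nlen]
            lpos += 3 + nlen
            if ntype == NAME_TYPE_HOST_NAME:
                return nval.decode("ascii")
    return None


def select_certificate(record, cert_by_name, default_cert):
    """Pick the certificate to present from the SNI name alone; nothing about
    the user (there is no user yet) or the listening IP is consulted."""
    name = extract_sni(record)
    if name is None:
        return default_cert
    return cert_by_name.get(name.lower(), default_cert)


if __name__ == "__main__":
    certs = {  # hypothetical paths, one certificate per virtual domain
        "imap.domain1.com": "/etc/ssl/imap.domain1.com.pem",
        "imap.domain2.com": "/etc/ssl/imap.domain2.com.pem",
    }
    for host in ("imap.domain1.com", "imap.domain2.com", None):
        print(host, "->", select_certificate(build_client_hello(host), certs, "/etc/ssl/default.pem"))
```

Note that a client without SNI support still gets a certificate (the default one), which is exactly the case where an IP-per-domain layout remains the only way to present the right name; the decision point is also before any cleartext IMAP greeting when using imaps on port 993, whereas with STARTTLS on 143 the banner has already been sent by the time the ClientHello arrives.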