[POLL] Cyrus 2.2 virtdomains behavior (Was: global admin without defaultdomain?)

Rob Siemborski rjs3 at andrew.cmu.edu
Sat Jan 3 14:31:05 EST 2004

On Sat, 3 Jan 2004, Christos Soulios wrote:

> > You can do that in a model that still allows users to add an @ sign and a
> > domain to their userid.
> I cannot figure out how this can be achieved. And to make it clear, I will give
> an example.
> I have two domains, domain1.com and domain2.com, which are hosted by the hosts
> imap.domain1.com and imap.domain2.com respectively. These two servers must have
> two different certificates with cn=imap.domain1.com and cn=imap.domain2.com.
> When the user connects to imap.domain1.com, and long before the user
> authentication takes place, Cyrus must be able to present the
> correct certificate, because most mail clients will not agree to
> connect to the IMAP host imap.domain1.com and be presented a certificate
> with cn=imap.otherdomain.com

Sure.  But if they are looking for a certificate for imap.otherdomain.com,
why are they connecting to imap.domain1.com?  This has nothing to do with
what userid is presented.

> But how can cyrus be able to know which is the correct certificate to
> present? Of course, not by retrieving the domain by the userid suffix.
> Then it is too late. The authentication has already taken place. In my
> opinion this must have taken place by the time the user connects. And
> then the only way for cyrus to determine the correct virtual domain is
> _only_ using the ip address of the server interface.

I don't understand why this requires denying users access via the
user@domain login names.

Yes, they get the wrong certificate.  But then, why are they connecting to
the wrong interface in the first place?


