SSL/TLS certificates with virtual domains

Goetz Babin-Ebell goetz at shomitefo.de
Thu Aug 23 18:38:42 EDT 2007


Nels Lindquist schrieb:
> Hi, all.
Hello Nels,

> I'm configuring a Cyrus IMAPD server for a number of virtual domains,
> and I'm concerned about a potential issue with SSL/TLS for the virtual
> hosts, which is that I can't find a way of specifying different
> certificates for each virtual host.

This question pops up occasionally on most lists concerning SSL.

You can only use one certificate for one IP address / port pair.

If you have several IP addresses on your host,
you can run several instances of cyrus to listen on
the different IP addresses, every one of them having its own
certificate.

> We strongly encourage users to use encryption, but I don't want mail
> clients throwing a certificate name mismatch error every time they
> connect to anything other than the default domain.
> 
> I checked the docs/man pages/FAQ but haven't found a per-domain way of
> configuring different cert/key files.
> 
> I'm hoping this functionality exists, but is as yet undocumented...
If all of your servers share the same IP address it is not possible.
If you have different IP addresses, use something like:

cyrus.conf:
SERVICES {
  imap    cmd="imapd" listen="imap" prefork=1
  # one imaps service per IP address, each started with its own imapd.conf
  # (service names must be unique, so they are imaps1 and imaps2 here)
  imaps1  cmd="imapd -s -C /etc/imapd1.conf" listen="192.168.0.1:imaps" prefork=0
  imaps2  cmd="imapd -s -C /etc/imapd2.conf" listen="192.168.0.2:imaps" prefork=0
}

If you have one IP address and want it to serve several domains,
you can do it with one certificate having a subjectAltName extension
containing the domain names you use.

At least the MUA I tested can handle that.

Bye

Goetz

--
DMCA: The greed of the few outweights the freedom of the many
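Added example, not part of the original message: how a mail client's hostname check behaves against the poster's single-name certificate versus one whose subjectAltName lists every virtual domain. Certificates are modelled in the dict layout returned by Python's ssl.SSLSocket.getpeercert(); both sample certificates and the host names are constructed.

```python
# Added example (not from the thread): the name check an MUA performs when
# it connects to a virtual domain, with and without a subjectAltName cert.

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be a wildcard; it never spans a dot
    # and never covers a bare two-label domain such as "example.net".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Return True when the client would accept `cert` for `hostname`.
    Usual MUA rule: if subjectAltName carries DNS entries, only those are
    consulted; the subject commonName is a fallback for SAN-less certs."""
    san_dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_name_matches(n, hostname) for n in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False

# Constructed: a certificate naming only the default domain.
CERT_DEFAULT_ONLY = {
    "subject": ((("commonName", "mail.example.com"),),),
}

# Constructed: one certificate for the shared IP address whose
# subjectAltName lists every virtual domain's IMAP host name.
CERT_WITH_SAN = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),
                       ("DNS", "imap.example.org"),
                       ("DNS", "*.example.net")),
}

def mismatch_report(cert: dict, hosts) -> dict:
    """Map each virtual host name to whether the client would warn about it."""
    return {h: not cert_matches_host(cert, h) for h in hosts}
```

Run mismatch_report over the list of virtual host names the server answers for; any True entry is a domain whose users would see the name-mismatch error.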