SSL/TLS certificates with virtual domains

Nels Lindquist nlindq at
Fri Aug 24 13:39:44 EDT 2007

Hello again!

Goetz Babin-Ebell wrote:

> This question pops up occasionally in most lists concerning SSL.
> You can only use one certificate for one IP address / port pair.
> If you have several IP addresses on your host,
> you can run several instances of cyrus to listen on
> the different IP addresses and every one of them having its own
> certificate.
> If all of your servers share the same IP address it is not possible.
> If you have different IP addresses, use something like:
> cyrus.conf:
>  imap   cmd="imapd" listen="imap" prefork=1
>  imaps  cmd="imapd -s -C /etc/imapd1.conf" listen="" prefork=0
>  imaps  cmd="imapd -s -C /etc/imapd2.conf" listen="" prefork=0

Okay, I tried this, but something isn't working quite right.

When I use openssl s_client to test the connection I get:


And then nothing.  This happens intermittently on either or both addresses.

In my maillog, I see the following:

Aug 24 11:25:20 mail2 imaps[1919]: imaps TLS negotiation failed: []
Aug 24 11:25:20 mail2 imaps[1919]: Fatal error: tls_start_servertls() failed
Aug 24 11:25:20 mail2 master[1793]: process 1919 exited, status 75
Aug 24 11:25:20 mail2 master[1793]: service imaps pid 1919 in BUSY state: terminated abnormally

Any way I can turn up the logging and see what's wrong?

Nels Lindquist
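
For intermittent failures like the one in the maillog above, it helps to tie each child's TLS error to the exit that master records for the same pid. The following is an added example, not part of the original post and not Cyrus code: `correlate` and its regular expressions are hypothetical and assume the syslog layout quoted above, and the last two sample lines are constructed.

```python
import re
from collections import defaultdict

# Sample input: the four maillog lines quoted in the post (wrapped line
# rejoined), followed by two CONSTRUCTED lines for a second failing child.
SAMPLE_LOG = """\
Aug 24 11:25:20 mail2 imaps[1919]: imaps TLS negotiation failed: []
Aug 24 11:25:20 mail2 imaps[1919]: Fatal error: tls_start_servertls() failed
Aug 24 11:25:20 mail2 master[1793]: process 1919 exited, status 75
Aug 24 11:25:20 mail2 master[1793]: service imaps pid 1919 in BUSY state: terminated abnormally
Aug 24 11:26:02 mail2 imaps[1931]: imaps TLS negotiation failed: []
Aug 24 11:26:02 mail2 master[1793]: process 1931 exited, status 75
"""

# Assumed layout: "<Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) (\w+)\[(\d+)\]: (.*)$")
EXITED = re.compile(r"process (\d+) exited, status (\d+)")
ABNORMAL = re.compile(r"service (\S+) pid (\d+) in (\w+) state: terminated abnormally")

def correlate(log_text):
    """Join child lines and master lines on the child pid; keep TLS failures."""
    events = defaultdict(lambda: {"service": None, "first_seen": None,
                                  "tls_failed": False, "fatal": None,
                                  "exit_status": None, "abnormal": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not in the assumed syslog layout
        stamp, _host, prog, pid, msg = m.groups()
        if prog == "master":
            # master reports on its children, so key on the pid in the message
            if (e := EXITED.search(msg)):
                events[e.group(1)]["exit_status"] = int(e.group(2))
            elif (a := ABNORMAL.search(msg)):
                events[a.group(2)]["abnormal"] = True
                events[a.group(2)]["service"] = a.group(1)
            continue
        rec = events[pid]
        rec["service"] = rec["service"] or prog
        rec["first_seen"] = rec["first_seen"] or stamp
        if "TLS negotiation failed" in msg:
            rec["tls_failed"] = True
        elif msg.startswith("Fatal error:"):
            rec["fatal"] = msg[len("Fatal error:"):].strip()
    return {pid: r for pid, r in events.items() if r["tls_failed"]}

if __name__ == "__main__":
    for pid, rec in correlate(SAMPLE_LOG).items():
        print(pid, rec)
```

Run against the real maillog, the per-pid records show how often the handshake fails and whether every failure ends with the same exit status.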
