Certificate selection by IP

Janne Peltonen janne.peltonen at helsinki.fi
Fri Jan 12 04:35:55 EST 2007


Hi!

Is it possible to configure Cyrus so that the server certificate it
provides would depend on the IP used to connect to it?

Our current system has users differentiated by faculty so that a user
configures her imaps server according to her faculty. Each faculty has
its own imaps server fqdn each of which corresponds to a different IP.
Each real physical server serves multiple faculties. Each server has
multiple IPs and a separate stunnel instance for each IP/fqdn/faculty.
Thus, we can have a separate certificate for each IP/fqdn/faculty, even
if there are many faculties served by one Cyrus server.

We are upgrading our system, and want to get rid of the stunnels.
Moreover, we want to give our users a unified system image. So in theory
we could get by with only one fqdn for each user. But we'd like to avoid
having all our approx 50 000 users reconfigure their imaps clients. So
we'd like to have our unified server (or a cluster of servers) continue
providing imaps service on the faculty-based fqdns/IPs. Problem is, some
widely-used clients (notably Thunderbird/Icedove) are picky about the CN
of the certificate matching the fqdn they are using to connect. But if
Cyrus will give the same certificate no matter the IP it is connected
via, that's what'll happen.

So. Can Cyrus be configured to give different certificates based on the
server IP?

Thanks.


--Janne Peltonen
IMAP admin
Univ of Helsinki
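
The mismatch described in the message, as an added example that is not part of the original post: a Python audit that takes each listening IP's expected fqdn and the names in the certificate served there (in the dict shape returned by `ssl.SSLSocket.getpeercert()`) and reports the listeners a name-checking client would reject. All host names, IPs (documentation range) and certificates are constructed assumptions.

```python
# Added example. Host names, IPs and certificates are constructed sample data.

def names_in_cert(cert):
    """DNS names a client matches against, for a dict shaped like the
    return value of ssl.SSLSocket.getpeercert(). dNSName SAN entries win;
    the subject CN is used only when no dNSName entry exists."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive label comparison; '*' only as the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(listeners, certs):
    """listeners maps ip -> (expected fqdn, cert id). Returns the listeners
    whose certificate does not cover the fqdn clients use for that IP."""
    bad = []
    for ip, (fqdn, cert_id) in sorted(listeners.items()):
        names = names_in_cert(certs[cert_id])
        if not any(name_matches(n, fqdn) for n in names):
            bad.append((ip, fqdn, names))
    return bad

CERTS = {
    "unified": {"subject": ((("commonName", "imap.example.edu"),),)},
    "science": {"subject": ((("commonName", "imap.science.example.edu"),),)},
    "arts":    {"subject": ((("commonName", "imap.arts.example.edu"),),)},
}
# One certificate per IP/fqdn, as with the per-faculty stunnel instances.
PER_FACULTY = {
    "192.0.2.11": ("imap.science.example.edu", "science"),
    "192.0.2.12": ("imap.arts.example.edu", "arts"),
}
# The same certificate served on every IP.
SINGLE_CERT = {ip: (fqdn, "unified") for ip, (fqdn, _) in PER_FACULTY.items()}

if __name__ == "__main__":
    for ip, fqdn, names in audit(SINGLE_CERT, CERTS):
        print(f"{ip}: client expects {fqdn}, certificate names {names}")
```
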


More information about the Info-cyrus mailing list