Certificate selection by IP
Andreas Winkelmann
ml at awinkelmann.de
Fri Jan 12 05:39:24 EST 2007
On Friday 12 January 2007 10:35, Janne Peltonen wrote:
> Is it possible to configure Cyrus so that the server certificate it
> provides would depend on the IP used to connect to it?
>
> Our current system has users differentiated by faculty so that a user
> configures her imaps server according to her faculty. Each faculty has
> its own imaps server fqdn each of which corresponds to a different IP.
> Each real physical server serves multiple faculties. Each server has
> multiple IPs and a separate stunnel instance for each IP/fqdn/faculty.
> Thus, we can have a separate certificate for each IP/fqdn/faculty, even
> if there are many faculties served by one Cyrus server.
>
> We are upgrading our system, and want to get rid of the stunnels.
> Moreover, we want to give our users a unified system image. So in theory
> we could get by with only one fqdn for each user. But we'd like to avoid
> having all our approx 50 000 users reconfigure their imaps clients. So
> we'd like to have our unified server (or a cluster of servers) continue
> providing imaps service on the faculty-based fqdns/IPs. Problem is, some
> widely-used clients (notably Thunderbird/Icedove) are picky about the CN
> of the certificate matching the fqdn they are using to connect. But if
> Cyrus will give the same certificate no matter the IP it is connected
> via, that's what'll happen.
>
> So. Can Cyrus be configured to give different certificates based on the
> server IP?
/etc/cyrus.conf

# One imapd service per faculty IP. The service name (imap1, imap2, ...)
# is the prefix used for per-service overrides in imapd.conf.
imap1 cmd="imapd" listen="ip.add.ress.1:imap" prefork=1
imap2 cmd="imapd" listen="ip.add.ress.2:imap" prefork=1
...

/etc/imapd.conf

# <servicename>_<option> overrides the global option for that service only,
# so each listener presents its own certificate.
imap1_tls_cert_file: xxx1
imap2_tls_cert_file: xxx2
...
should work.
--
Andreas