Multiple SSL Certs with virtual domains?

Dan White dwhite at olp.net
Thu Jan 21 09:28:22 EST 2010


On 21/01/10 03:35 -0600, Scott Lambert wrote:
>I am about to bring up the second of several virtual domains on my
>Cyrus-IMAPd 2.3.15 installation.  I've been Googling but can't seem
>to come up with a useful search string for finding posts talking
>about using multiple secure certificates for POP/IMAP connections to
>mail.domain1.com and mail.domainN.com.  We are rolling up multiple small
>mail servers into one host.
>
>The only thing I've been able to figure is that I will need to at least
>have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s)
>lines in cyrus.conf for each domain so that the secure certs can match
>the hostname configured in the user's existing mail program.  
>
>Is there a more elegant method than something like the below plan?
>
>SERVICES {
>  # add or remove based on preferences
>  imap        cmd="imapd -C imapd-domain1.conf" listen="mail.domain1.com:imap"
>  imaps        cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
>  pop3        cmd="pop3d -C imapd-domain1.conf" listen="mail.domain1.com:pop3"
>  pop3s        cmd="pop3d -s -C imapd-domain1.conf" listen="mail.domain1.com:pop3s"
>  imap        cmd="imapd -C imapd-domain2.conf" listen="mail.domain2.com:imap"
>  imaps        cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
>  pop3        cmd="pop3d -C imapd-domain2.conf" listen="mail.domain2.com:pop3"
>  pop3s        cmd="pop3d -s -C imapd-domain2.conf" listen="mail.domain2.com:pop3s"
>  ...
>  imap        cmd="imapd -C imapd-domainN.conf" listen="mail.domainN.com:imap"
>  imaps        cmd="imapd -s -C imapd-domainN.conf" listen="mail.domainN.com:imaps"
>  pop3        cmd="pop3d -C imapd-domainN.conf" listen="mail.domainN.com:pop3"
>  pop3s        cmd="pop3d -s -C imapd-domainN.conf" listen="mail.domainN.com:pop3s"
>  sieve         cmd="timsieved" listen="sieve" prefork=0
>
>  lmtpunix      cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0

Scott,

You won't need to specify alternative imapd.conf configurations.

You can specify [servicename]_tls_cert_file, etc. within your primary
imapd.conf so that you have something like:

imap_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imap_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
imaps_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imaps_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
pop3_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain1.pem
pop3_tls_key_file: /etc/ssl/private/cyrus-pop3-domain1.key
pop3s_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain1.pem
pop3s_tls_key_file: /etc/ssl/private/cyrus-pop3-domain1.key

imapb_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain2.pem
imapb_tls_key_file: /etc/ssl/private/cyrus-imap-domain2.key
imapsb_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain2.pem
imapsb_tls_key_file: /etc/ssl/private/cyrus-imap-domain2.key
pop3b_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain2.pem
pop3b_tls_key_file: /etc/ssl/private/cyrus-pop3-domain2.key
pop3sb_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain2.pem
pop3sb_tls_key_file: /etc/ssl/private/cyrus-pop3-domain2.key

and in cyrus.conf you'd have service names like:
imap
imaps
pop3
pop3s
imapb
imapsb
pop3b
pop3sb

This is documented in:

http://cyrusimap.web.cmu.edu/imapd/install-configure.html

-- 
Dan White
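The scheme in the reply above works because imapd.conf accepts any option prefixed with a cyrus.conf service name (imapb_tls_cert_file applies only to the service called imapb, with the unprefixed tls_cert_file as the global fallback), and because each service binds its own hostname in listen=, so the certificate is chosen per listening socket rather than by SNI. The easy way to get this wrong is to leave one service name without an override, or to set the cert override and forget the key, in which case that listener silently serves the default certificate or a mismatched key pair. The following script is an added example written for this thread (it is not Cyrus project code and not from either poster): it parses a constructed cyrus.conf SERVICES block and a constructed imapd.conf, resolves which cert and key each hostname-bound service will actually present, and reports services that fall back to the global cert, pair a per-service cert with the global key, reuse a service name (the problem in the original plan), or present one certificate for several hostnames.

```python
"""Cross-check cyrus.conf SERVICES against per-service TLS settings in imapd.conf.

Added example for this thread, not Cyrus project code. It relies on the
servicename_option override described in the reply: a key such as
imapb_tls_cert_file applies only to the cyrus.conf service named imapb,
and tls_cert_file is the global fallback. All sample configs are constructed.
"""
import re

# Constructed sample cyrus.conf SERVICES block (hostnames are placeholders).
CYRUS_CONF = """
SERVICES {
  imap     cmd="imapd"     listen="mail.domain1.com:imap"
  imaps    cmd="imapd -s"  listen="mail.domain1.com:imaps"
  pop3     cmd="pop3d"     listen="mail.domain1.com:pop3"
  imapb    cmd="imapd"     listen="mail.domain2.com:imap"
  imapsb   cmd="imapd -s"  listen="mail.domain2.com:imaps"
  pop3b    cmd="pop3d"     listen="mail.domain2.com:pop3"
  sieve    cmd="timsieved" listen="sieve" prefork=0
  lmtpunix cmd="lmtpd"     listen="/var/imap/socket/lmtp" prefork=0
}
"""

# Constructed sample imapd.conf: imap/imaps (domain1) and imapb (domain2) are
# fully set, imapsb overrides the cert but not the key, and neither pop3
# service has an override, so both fall back to the global default cert.
IMAPD_CONF = """
tls_cert_file: /etc/ssl/certs/cyrus-default.pem
tls_key_file: /etc/ssl/private/cyrus-default.key
imap_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imap_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
imaps_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imaps_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
imapb_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain2.pem
imapb_tls_key_file: /etc/ssl/private/cyrus-imap-domain2.key
imapsb_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain2.pem
"""

SERVICE_RE = re.compile(r'^(\w+)\s+(.*)$')
ATTR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_imapd_conf(text):
    """Parse imapd.conf 'key: value' lines into a dict; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition(':')
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def parse_services(text):
    """Return ({service_name: {attr: value}}, {duplicate_names}) from the SERVICES block."""
    services, dupes, in_block = {}, set(), False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith('SERVICES'):
            in_block = True
            continue
        if in_block and stripped.startswith('}'):
            break
        if not in_block or not stripped or stripped.startswith('#'):
            continue
        m = SERVICE_RE.match(stripped)
        if not m:
            continue
        name, rest = m.groups()
        if name in services:
            dupes.add(name)  # Cyrus needs unique names for per-service options to apply
        services[name] = {k: v.strip('"') for k, v in ATTR_RE.findall(rest)}
    return services, dupes


def listen_host(listen):
    """Host part of a listen= value: 'host:port' -> host; bare port or unix socket -> None."""
    if listen.startswith('/') or ':' not in listen:
        return None
    host = listen.rpartition(':')[0].strip('[]')
    return host or None


def tls_files(conf, service):
    """Resolve cert/key for a service: <service>_tls_*_file overrides global tls_*_file."""
    resolved = {}
    for kind in ('cert', 'key'):
        specific = f'{service}_tls_{kind}_file'
        if specific in conf:
            resolved[kind] = (conf[specific], 'service')
        else:
            resolved[kind] = (conf.get(f'tls_{kind}_file'), 'global')
    return resolved


def audit(cyrus_text, imapd_text):
    """Map each hostname-bound service to the cert/key it will present, with issues."""
    conf = parse_imapd_conf(imapd_text)
    services, dupes = parse_services(cyrus_text)
    findings = {}
    for name, attrs in services.items():
        host = listen_host(attrs.get('listen', ''))
        if host is None:
            continue  # unix socket or port-only bind: no hostname for a cert to match
        files = tls_files(conf, name)
        (cert, cert_src), (key, key_src) = files['cert'], files['key']
        issues = []
        if name in dupes:
            issues.append('duplicate service name; per-service options cannot tell them apart')
        if cert is None or key is None:
            issues.append('no TLS cert/key configured at all')
        elif cert_src == 'global':
            issues.append(f'falls back to global tls_cert_file {cert}; check it covers {host}')
        elif key_src == 'global':
            issues.append(f'service cert {cert} paired with global key {key}; likely mismatch')
        findings[name] = {'host': host, 'cert': cert, 'key': key, 'issues': issues}
    # One certificate presented for several hostnames is a name-mismatch for all but one.
    hosts_by_cert = {}
    for f in findings.values():
        hosts_by_cert.setdefault(f['cert'], set()).add(f['host'])
    for f in findings.values():
        hosts = hosts_by_cert[f['cert']]
        if len(hosts) > 1:
            f['issues'].append(f"cert {f['cert']} is presented for {sorted(hosts)}")
    return findings


if __name__ == '__main__':
    for name, f in audit(CYRUS_CONF, IMAPD_CONF).items():
        status = 'OK' if not f['issues'] else '; '.join(f['issues'])
        print(f"{name:8} {f['host']:18} {f['cert']}  {status}")
```

After the configuration passes this check, the live confirmation is to connect to each listener and read back the subject of the certificate it actually serves, for instance `openssl s_client -connect mail.domain2.com:993 -servername mail.domain2.com </dev/null | openssl x509 -noout -subject -dates`, once per hostname and port.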

