Multiple SSL Certs with virtual domains?

Scott Lambert lambert at lambertfam.org
Thu Jan 21 18:41:26 EST 2010


On Thu, Jan 21, 2010 at 11:36:02AM +0100, Eric Luyten wrote:
> On Thu, January 21, 2010 11:27 am, Michael Menge wrote:
> > 
> > Hi,
> > 
> > Quoting Scott Lambert <lambert at lambertfam.org>:
> > 
> >> The only thing I've been able to figure is that I will need to at least
> >> have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s)
> >> lines in cyrus.conf for each domain so that the secure certs can match the
> >> hostname configured in the user's existing mail program.
> >>
> >> Is there a more elegant method than something like the below plan?
> >>
> >>
> >> SERVICES {
> >> # add or remove based on preferences
> >> imap        cmd="imapd -C imapd-domain1.conf" listen="mail.domain1.com:imap"
> >> imaps       cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
> >> pop3        cmd="pop3d -C imapd-domain1.conf" listen="mail.domain1.com:pop3"
> >> pop3s       cmd="pop3d -s -C imapd-domain1.conf" listen="mail.domain1.com:pop3s"
> >> imap        cmd="imapd -C imapd-domain2.conf" listen="mail.domain2.com:imap"
> >> imaps       cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
> >> pop3        cmd="pop3d -C imapd-domain2.conf" listen="mail.domain2.com:pop3"
> >> pop3s       cmd="pop3d -s -C imapd-domain2.conf" listen="mail.domain2.com:pop3s"
> >> ...
> >> imap        cmd="imapd -C imapd-domainN.conf" listen="mail.domainN.com:imap"
> >> imaps       cmd="imapd -s -C imapd-domainN.conf" listen="mail.domainN.com:imaps"
> >> pop3        cmd="pop3d -C imapd-domainN.conf" listen="mail.domainN.com:pop3"
> >> pop3s       cmd="pop3d -s -C imapd-domainN.conf" listen="mail.domainN.com:pop3s"
> >> sieve       cmd="timsieved" listen="sieve" prefork=0
> >>
> >> lmtpunix    cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
> >> }
> >>
> >
> > You have to use different service names. Each service name may only
> > appear once.

That seems obvious, now that you have pointed it out. ;-) Perhaps my
reading comprehension needs work, but I don't see the requirement
of uniqueness of the "name" parameter spelled out in cyrus.conf(5).
Perhaps I should build a documentation patch to help other people as dense as
me, assuming such people exist. :-)
 
> Correct (I overlooked that, but it would have become pretty obvious when
> starting Cyrus :-)

Actually, no errors were shown... But I did have a problem I couldn't
figure out.

I initially had prefork=5 for the non-SSL wrapped entries.  After a
couple of minutes I had many sockets in FIN_WAIT_1 and FIN_WAIT_2 and
CLOSED and CLOSED_WAIT status.  After about 10 minutes, none of the
services were responding quickly enough for Nagios.

After I took out the prefork entries, the services on domain1 behaved
nicely.  The services on [127.0.0.1]:(110|143) and domain2:* took 20
to 60 seconds to display the banner.  The delay was highly variable.
I couldn't find any errors in imap.log.  But it's run several hours
without angering Nagios for domain1.
 
> As an aside, this will enable you to attribute log lines to the correct
> service, since Cyrus syslogs to one and the same facility.

Ah, very nice.  I was looking for any indications such as that in the
logs this morning.

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org
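As an added check, not code from the thread or from the Cyrus project: a small Python script that parses a cyrus.conf SERVICES block and flags exactly the two collisions this exchange turns on, a service name defined more than once and the same listen= address bound by more than one service. The sample configs and the imap_d1 / imaps_d1 naming scheme are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the SERVICES block quoted in this thread: "imap" and "imaps" are reused for a second domain.
BROKEN = """
SERVICES {
  imap   cmd="imapd -C imapd-domain1.conf" listen="mail.domain1.com:imap"
  imaps  cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
  imap   cmd="imapd -C imapd-domain2.conf" listen="mail.domain2.com:imap"
  imaps  cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
}
"""
# Same plan with a unique service name per domain and port (assumed naming scheme, not a Cyrus convention).
FIXED = """
SERVICES {
  imap_d1  cmd="imapd -C imapd-domain1.conf" listen="mail.domain1.com:imap"
  imaps_d1 cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
  imap_d2  cmd="imapd -C imapd-domain2.conf" listen="mail.domain2.com:imap"
  imaps_d2 cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
}
"""
OPT_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_services(text):
    """Return [(name, {option: value}), ...] for the entries inside SERVICES { ... }."""
    entries, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if not in_block:
            in_block = line.startswith("SERVICES")
            continue
        if line == "}":
            break
        name, rest = (line.split(None, 1) + [""])[:2]  # first token is the service name
        opts = {k: (q if full.startswith('"') else b) for k, full, q, b in OPT_RE.findall(rest)}
        entries.append((name, opts))
    return entries

def check_services(entries):
    """Flag the two collisions that make a multi-domain cyrus.conf misbehave."""
    problems = []
    for name, n in Counter(name for name, _ in entries).items():
        if n > 1:
            problems.append(f"service name {name!r} defined {n} times; names must be unique")
    for addr, n in Counter(o["listen"] for _, o in entries if "listen" in o).items():
        if n > 1:
            problems.append(f"listen={addr!r} bound by {n} services; only one may bind it")
    return problems
```

Run it against a real cyrus.conf before restarting the master process; an empty list from check_services means the SERVICES block has no name or listener collisions.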
