SNI support in SSL?

Scott Lambert lambert at lambertfam.org
Thu Jul 3 12:51:56 EDT 2014 

On Thu, Jul 03, 2014 at 01:08:38PM +0200, Tomasz Chmielewski wrote:
> I mean binding it to one IP, but being able to serve different SSL 
> certificates.
> 
> I think with Cyrus, one needs Subject Alternative Names (SANs) 
> certificate for that.

No, you can do it with seperate certs.  It is done in imap.conf
referencing service names in cyrus.conf.

# File containing the global certificate used for ALL services (imap,
# pop3, lmtp).
#
#tls_cert_file: <none>
tls_cert_file: /usr/local/etc/ssl.crt/primaryname.crt

# File containing the private key belonging to the global server
# certificate.
#
#tls_key_file: <none>
tls_key_file: /usr/local/etc/ssl.key/primaryname.key

# These refer to the "name" of the service in cyrus.conf
imap_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
imap_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
imaps_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
imaps_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
pop3_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
pop3_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
pop3s_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
pop3s_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key

 
> On 2014-07-03 12:50, Niels dettenbach wrote:
> > Am 03.07.2014 12:36, schrieb Tomasz Chmielewski:
> >> However, I don't see a way to set Cyrus to listen on one IP
> > 
> > Binding cyrus daemons to specific IPs is possible (and even multiple
> > IPs) within cyrus.conf:
> > 
> > i.e. for IMAPs:
> > 
> > one IP:
> > 
> >   imaps         cmd="imapd -s" listen="my.host.ip:imaps" prefork=1 
> > maxchild=123
> > 
> > ALL IPs:
> > 
> >   imaps         cmd="imapd -s" listen="imaps" prefork=1 maxchild=123
> > 
> > or just multiple IPs (from brain, so pls doublecheck it):
> > 
> >   imaps         cmd="imapd -s" listen="my.host.ip1:imaps" prefork=1 
> > maxchild=123
> >   imaps         cmd="imapd -s" listen="my.host.ip2:imaps" prefork=1 
> > maxchild=123
> > 
> > 
> > or do you mean anything other?
> > 
> > 
> > hth a little,
> > 
> > cheerioh,
> > 
> > 
> > Niels.
> > 
> > 
> > 
> > ---
> > Niels Dettenbach
> > Syndicat IT&Internet
> > http://www.syndicat.com
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus

-- 
Scott Lambert                    KC5MLE                       Unix SysAdmin
lambert at lambertfam.org

How to be a "computer expert," http://www.xkcd.com/627/

More information about the Info-cyrus mailing list