SNI support in SSL?

Tomasz Chmielewski tch at virtall.com
Thu Jul 3 13:01:05 EDT 2014


Thanks.

I see something similar in documentation:

http://cyrusimap.org/docs/cyrus-imapd/2.4.17/install-configure.php

      Optionally, you can use separate certificates and key files for each service:

      [servicename]_tls_cert_file: /var/imap/imap-server.pem
      [servicename]_tls_key_file: /var/imap/imap-server.pem

      "servicename" here refers to the name of the service as specified in cyrus.conf.
      It is not necessarily the name of the binary.


However, it gives no examples.

So assuming I have the following services defined:

         imap            cmd="imapd -U 1" listen="1.2.3.4:imap" prefork=0 maxchild=100
         imaps           cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
         pop3            cmd="pop3d -U 1" listen="1.2.3.4:pop3" prefork=0 maxchild=50
         pop3s           cmd="pop3d -s -U 1" listen="1.2.3.4:pop3s" prefork=0 maxchild=50

and using your suggested entries to imap.conf:

  imap_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
  imap_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
  imaps_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
  imaps_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
  pop3_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
  pop3_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
  pop3s_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
  pop3s_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key


What would my cyrus.conf services look like?

         imap            cmd="imapd -U 1" listen="1.2.3.4:imap" prefork=0 maxchild=100
         imaps           cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
         pop3            cmd="pop3d -U 1" listen="1.2.3.4:pop3" prefork=0 maxchild=50
         pop3s           cmd="pop3d -s -U 1" listen="1.2.3.4:pop3s" prefork=0 maxchild=50

         imap_secondary            cmd="imapd -U 1" listen="1.2.3.4:imap" prefork=0 maxchild=100
         imaps_secondary           cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
         pop3_secondary            cmd="pop3d -U 1" listen="1.2.3.4:pop3" prefork=0 maxchild=50
         pop3s_secondary           cmd="pop3d -s -U 1" listen="1.2.3.4:pop3s" prefork=0 maxchild=50


Wouldn't this make cyrus refuse to start two imapd processes on 
1.2.3.4:imaps?

-- 
Tomasz Chmielewski
http://www.sslrack.com

On 2014-07-03 18:51, Scott Lambert wrote:
> On Thu, Jul 03, 2014 at 01:08:38PM +0200, Tomasz Chmielewski wrote:
>> I mean binding it to one IP, but being able to serve different SSL
>> certificates.
>> 
>> I think with Cyrus, one needs Subject Alternative Names (SANs)
>> certificate for that.
> 
> No, you can do it with separate certs.  It is done in imap.conf
> referencing service names in cyrus.conf.
> 
> # File containing the global certificate used for ALL services (imap,
> # pop3, lmtp).
> #
> #tls_cert_file: <none>
> tls_cert_file: /usr/local/etc/ssl.crt/primaryname.crt
> 
> # File containing the private key belonging to the global server
> # certificate.
> #
> #tls_key_file: <none>
> tls_key_file: /usr/local/etc/ssl.key/primaryname.key
> 
> # These refer to the "name" of the service in cyrus.conf
> imap_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> imap_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
> imaps_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> imaps_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
> pop3_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> pop3_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
> pop3s_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> pop3s_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
> 
> 
>> On 2014-07-03 12:50, Niels dettenbach wrote:
>> > On 03.07.2014 12:36, Tomasz Chmielewski wrote:
>> >> However, I don't see a way to set Cyrus to listen on one IP
>> >
>> > Binding cyrus daemons to specific IPs is possible (and even multiple
>> > IPs) within cyrus.conf:
>> >
>> > i.e. for IMAPs:
>> >
>> > one IP:
>> >
>> >   imaps         cmd="imapd -s" listen="my.host.ip:imaps" prefork=1 maxchild=123
>> >
>> > ALL IPs:
>> >
>> >   imaps         cmd="imapd -s" listen="imaps" prefork=1 maxchild=123
>> >
>> > or just multiple IPs (from brain, so pls doublecheck it):
>> >
>> >   imaps         cmd="imapd -s" listen="my.host.ip1:imaps" prefork=1 maxchild=123
>> >   imaps         cmd="imapd -s" listen="my.host.ip2:imaps" prefork=1 maxchild=123
>> >
>> >
>> > or do you mean anything other?
>> >
>> >
>> > hth a little,
>> >
>> > cheerioh,
>> >
>> >
>> > Niels.
>> >
>> >
>> >
>> > ---
>> > Niels Dettenbach
>> > Syndicat IT&Internet
>> > http://www.syndicat.com
>> ----
>> Cyrus Home Page: http://www.cyrusimap.org/
>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>> To Unsubscribe:
>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
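The certificate-selection rule quoted from the documentation above (a `<servicename>_tls_cert_file` / `<servicename>_tls_key_file` key wins over the global `tls_cert_file` / `tls_key_file`, keyed by the service name in cyrus.conf rather than the binary) and the listen-address concern in the post can both be checked mechanically before restarting the server. The script below is an added example written for this archive page; it is not code from the thread or from the Cyrus project. It assumes the SERVICES syntax shown in the thread, assumes the options file is imapd.conf (the thread calls it imap.conf), and uses constructed sample configs in which `imap_secondary` deliberately reuses `imap`'s listen address while `imaps_secondary` is given a second, assumed IP (1.2.3.5):

```python
import shlex
from collections import defaultdict

# Constructed sample input modelled on the thread's cyrus.conf lines (not a real config).
# imap_secondary reuses imap's listen address on purpose, to exercise the conflict check;
# imaps_secondary is put on a second IP (1.2.3.5, assumed) so it does not collide.
CYRUS_CONF = """\
SERVICES {
  imap             cmd="imapd -U 1"    listen="1.2.3.4:imap"  prefork=0 maxchild=100
  imaps            cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
  imap_secondary   cmd="imapd -U 1"    listen="1.2.3.4:imap"  prefork=0 maxchild=100
  imaps_secondary  cmd="imapd -s -U 1" listen="1.2.3.5:imaps" prefork=0 maxchild=100
}
"""

# Constructed sample imapd.conf (called imap.conf in the thread), using the thread's paths.
IMAPD_CONF = """\
# global certificate used for ALL services unless overridden per service
tls_cert_file: /usr/local/etc/ssl.crt/primaryname.crt
tls_key_file: /usr/local/etc/ssl.key/primaryname.key
# per-service overrides, keyed by the service *name* in cyrus.conf, not the binary
imaps_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
imaps_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
"""


def parse_services(text):
    """Parse the SERVICES block into {service_name: {attribute: value}}."""
    services = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("SERVICES"):
            in_block = True
            continue
        if line == "}":
            in_block = False
            continue
        if not in_block:
            continue
        parts = shlex.split(line)  # shlex keeps the quoted cmd="..." value together
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key] = value
        services[parts[0]] = attrs
    return services


def parse_options(text):
    """Parse 'key: value' option lines, ignoring comments and blank lines."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        options[key.strip()] = value.strip()
    return options


def resolve_tls(services, options):
    """Cert and key each service would load: the per-service key if set, else the global one."""
    resolved = {}
    for name, attrs in services.items():
        resolved[name] = {
            "listen": attrs.get("listen"),
            "cert": options.get(f"{name}_tls_cert_file", options.get("tls_cert_file")),
            "key": options.get(f"{name}_tls_key_file", options.get("tls_key_file")),
        }
    return resolved


def listen_conflicts(services):
    """Listen addresses claimed by more than one service (the concern raised in the post)."""
    by_listen = defaultdict(list)
    for name, attrs in services.items():
        by_listen[attrs.get("listen")].append(name)
    return {addr: names for addr, names in by_listen.items() if len(names) > 1}


if __name__ == "__main__":
    svcs = parse_services(CYRUS_CONF)
    opts = parse_options(IMAPD_CONF)
    for name, info in resolve_tls(svcs, opts).items():
        print(f"{name:16} {info['listen']:16} cert={info['cert']}")
    for addr, names in listen_conflicts(svcs).items():
        print(f"CONFLICT: {addr} is claimed by {', '.join(names)}")
```

Run against real files by replacing the two constructed strings with the contents of cyrus.conf and imapd.conf. Two things the output makes visible: `imaps` and `imaps_secondary` run the same `imapd` binary yet resolve to different certificates, because the override is keyed by service name; and the certificate is chosen per listening service, so two services that need different certificates also need distinct listen addresses (different IP or port) rather than one socket, which is why the duplicate-listen case is reported as a conflict instead of as a way to serve two names on one address.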

