SNI support in SSL?
Scott Lambert
lambert at lambertfam.org
Thu Jul 3 13:37:51 EDT 2014
First I have to apologize for not reading the original post closely
enough.
On Thu, Jul 03, 2014 at 07:01:05PM +0200, Tomasz Chmielewski wrote:
> Thanks.
>
> I see something similar in documentation:
>
> http://cyrusimap.org/docs/cyrus-imapd/2.4.17/install-configure.php
>
> Optionally, you can use separate certificates and key files for
> each service:
>
> [servicename]_tls_cert_file: /var/imap/imap-server.pem
> [servicename]_tls_key_file: /var/imap/imap-server.pem
>
> "servicename" here refers to the name of the service as specified
> in cyrus.conf.
> It is not necessarily the name of the binary.
>
>
> However, it gives no examples.
>
> So assuming I have the following services defined:
>
> imap cmd="imapd -U 1" listen="1.2.3.4:imap" prefork=0 maxchild=100
> imaps cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
> pop3 cmd="pop3d -U 1" listen="1.2.3.4:pop3" prefork=0 maxchild=50
> pop3s cmd="pop3d -s -U 1" listen="1.2.3.4:pop3s" prefork=0 maxchild=50
>
> and using your suggested entries to imap.conf:
>
> imap_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> imap_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
> imaps_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> imaps_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
> pop3_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> pop3_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
> pop3s_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> pop3s_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
>
>
> How would my cyrus.conf services look like?
>
> imap cmd="imapd -U 1" listen="1.2.3.4:imap" prefork=0 maxchild=100
> imaps cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
> pop3 cmd="pop3d -U 1" listen="1.2.3.4:pop3" prefork=0 maxchild=50
> pop3s cmd="pop3d -s -U 1" listen="1.2.3.4:pop3s" prefork=0 maxchild=50
>
The secondary entries would have to be on a different IP, such as
1.2.3.5, or a different port number.
> imap_secondary cmd="imapd -U 1" listen="1.2.3.4:imap" prefork=0 maxchild=100
> imaps_secondary cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
> pop3_secondary cmd="pop3d -U 1" listen="1.2.3.4:pop3" prefork=0 maxchild=50
> pop3s_secondary cmd="pop3d -s -U 1" listen="1.2.3.4:pop3s" prefork=0 maxchild=50
>
>
> Wouldn't this make cyrus refuse to start two imapd processes on
> 1.2.3.4:imaps?
Most likely. You would have to use a different IP or a different port.
If you want to do everything on the same IP and same port, you need the
SANs. I am sorry for adding noise to the thread by not reading closely
enough.
You can do different ports:
> imap_secondary cmd="imapd -U 1" listen="1.2.3.4:144" prefork=0 maxchild=100
> imaps_secondary cmd="imapd -s -U 1" listen="1.2.3.4:994" prefork=0 maxchild=100
> pop3_secondary cmd="pop3d -U 1" listen="1.2.3.4:111" prefork=0 maxchild=50
> pop3s_secondary cmd="pop3d -s -U 1" listen="1.2.3.4:996" prefork=0 maxchild=50
Or different IPs:
> imap_secondary cmd="imapd -U 1" listen="1.2.3.5:imap" prefork=0 maxchild=100
> imaps_secondary cmd="imapd -s -U 1" listen="1.2.3.5:imaps" prefork=0 maxchild=100
> pop3_secondary cmd="pop3d -U 1" listen="1.2.3.5:pop3" prefork=0 maxchild=50
> pop3s_secondary cmd="pop3d -s -U 1" listen="1.2.3.5:pop3s" prefork=0 maxchild=50
Or use Subject Alternate Name, or Wildcard certs.
--
Scott Lambert KC5MLE Unix SysAdmin
lambert at lambertfam.org
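The conflict Scott points out (two services bound to the same listen endpoint, so only one certificate can ever be presented there) is easy to check before restarting cyrus-master. The script below is an added example, not part of the thread or of Cyrus itself: it parses the cyrus.conf service lines and the imapd.conf entries in the form shown above, reports any endpoint claimed by more than one service, and resolves which cert file each service would present (the `[servicename]_tls_cert_file` override, else the global `tls_cert_file`). The sample configs are constructed from the thread and the option/key syntax is assumed to be the simple `key="value"` and `key: value` forms seen here; endpoints are compared as literal strings, so a bare `listen="imap"` (all addresses) is not detected as overlapping `1.2.3.4:imap`.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread: imap_secondary reuses 1.2.3.4:imap (conflict),
# while imaps_secondary was moved to a second IP as suggested.
CYRUS_CONF = """
imap            cmd="imapd -U 1"    listen="1.2.3.4:imap"  prefork=0 maxchild=100
imaps           cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
imap_secondary  cmd="imapd -U 1"    listen="1.2.3.4:imap"  prefork=0 maxchild=100
imaps_secondary cmd="imapd -s -U 1" listen="1.2.3.5:imaps" prefork=0 maxchild=100
"""

# Constructed imapd.conf fragment: a global cert plus one per-service override.
IMAPD_CONF = """
tls_cert_file: /var/imap/imap-server.pem
tls_key_file: /var/imap/imap-server.pem
imaps_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
imaps_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
"""

# key=value pairs; quoted values may contain spaces (cmd="imapd -U 1").
OPT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_services(text):
    """Return {service_name: {option: value}} from cyrus.conf-style service lines."""
    services = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or " " not in line:
            continue
        name, rest = line.split(None, 1)
        services[name] = {k: v.strip('"') for k, v in OPT_RE.findall(rest)}
    return services


def parse_imapd_conf(text):
    """Return {key: value} from 'key: value' lines of imapd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf


def cert_for(service, conf):
    """Per-service [servicename]_tls_cert_file wins; otherwise the global tls_cert_file."""
    return conf.get(f"{service}_tls_cert_file", conf.get("tls_cert_file"))


def listen_conflicts(services):
    """Map each listen endpoint to its services; keep only endpoints claimed more than once."""
    by_endpoint = defaultdict(list)
    for name, opts in services.items():
        if "listen" in opts:
            by_endpoint[opts["listen"]].append(name)
    return {ep: names for ep, names in by_endpoint.items() if len(names) > 1}
```

Run `listen_conflicts(parse_services(CYRUS_CONF))` on the sample and it flags `1.2.3.4:imap` as claimed by both `imap` and `imap_secondary`, which is exactly the bind failure the thread anticipates.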