install certificate how to
Michael Menge
michael.menge at zdv.uni-tuebingen.de
Thu Nov 30 08:20:36 EST 2017
Hi,
Quoting Nikos Gatsis - Qbit <ngatsis at qbit.gr>:
> Hello list
> I have a mailserver which serves about 40 virtual domains and many users
> per domain using cyrus-imapd-2.4.17-13.el7.x86_64 and
> sendmail-8.14.7-5.el7.x86_64.
> How can I install a certificate per domain? Is that possible?
>
> Now I use what the cyrus manual suggests:
>
> imapd.conf:
> ...
> tls_cert_file: /var/lib/imap/server.pem
> tls_key_file: /var/lib/imap/server.pem
> 3tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> ...
>
The problem with configuring multiple certificates in cyrus is that at the
moment it would require using one IP for each domain and one imap(s)/pop(s)
service listening only on this IP, and configuring the certs and keys for
each of these service names.
In /etc/cyrus.conf Services you would have
domainaimap cmd="imapd" listen="ipa:imap"
domainaimaps cmd="imapd -s " listen="ipa:imaps"
domainbimap cmd="imapd" listen="ipb:imap"
domainbimaps cmd="imapd -s " listen="ipb:imaps"
...
domainzimap cmd="imapd" listen="ipz:imap"
domainzimaps cmd="imapd -s " listen="ipz:imaps"
and in /etc/imapd.conf
domainaimap_tls_cert_file: /var/lib/imap/domaina.pem
domainaimap_tls_key_file: /var/lib/imap/domaina.pem
domainaimaps_tls_cert_file: /var/lib/imap/domaina.pem
domainaimaps_tls_key_file: /var/lib/imap/domaina.pem
domainbimap_tls_cert_file: /var/lib/imap/domainb.pem
domainbimap_tls_key_file: /var/lib/imap/domainb.pem
domainbimaps_tls_cert_file: /var/lib/imap/domainb.pem
domainbimaps_tls_key_file: /var/lib/imap/domainb.pem
...
domainzimap_tls_cert_file: /var/lib/imap/domainz.pem
domainzimap_tls_key_file: /var/lib/imap/domainz.pem
domainzimaps_tls_cert_file: /var/lib/imap/domainz.pem
domainzimaps_tls_key_file: /var/lib/imap/domainz.pem
There is the SSL extension SNI
https://de.wikipedia.org/wiki/Server_Name_Indication
which would allow using multiple certificates on one IP, but as far as I know
that is only implemented by webservers and browsers. But I could be wrong and
the mail clients will use it because the SSL libraries use this extension
by default.
A few years ago I saw a thread about SNI on this list:
https://lists.andrew.cmu.edu/pipermail/info-cyrus/2014-July/thread.html#37461
Depending on how static your list of domains is, you could also use one
certificate with 40 SubjectAlternativeNames.
> Thank you in advance,
> Nikos
>
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
--------------------------------------------------------------------------------
M.Menge Tel.: (49) 7071/29-70316
Universität Tübingen Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung mail:
michael.menge at zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen
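An added example, not from this thread or the Cyrus project: it generates the per-domain cyrus.conf service entries and the matching imapd.conf tls_* overrides described above from a domain -> IP -> PEM mapping, and flags any IP used by more than one domain, since the one-service-per-address scheme needs a dedicated IP per domain. The IPs and PEM paths are constructed sample values.

```python
"""Generate per-domain Cyrus IMAP service stanzas (constructed example)."""
from collections import Counter

# Constructed sample: domain -> (dedicated IP, PEM holding cert and key).
# 192.0.2.0/24 is a documentation range, not a real deployment.
DOMAINS = {
    "domaina": ("192.0.2.10", "/var/lib/imap/domaina.pem"),
    "domainb": ("192.0.2.11", "/var/lib/imap/domainb.pem"),
}

# Each domain gets a plain imap service and an implicit-TLS imaps service.
SERVICE_KINDS = (("imap", "imapd", "imap"), ("imaps", "imapd -s", "imaps"))


def service_entries(domains):
    """Return (cyrus_conf_lines, imapd_conf_lines): one SERVICES entry per
    domain/port pair and the <service>_tls_cert_file / _tls_key_file keys
    that bind that service name to the domain's certificate."""
    cyrus, imapd = [], []
    for name, (ip, pem) in sorted(domains.items()):
        for suffix, cmd, port in SERVICE_KINDS:
            svc = f"{name}{suffix}"
            cyrus.append(f'  {svc} cmd="{cmd}" listen="{ip}:{port}"')
            imapd.append(f"{svc}_tls_cert_file: {pem}")
            imapd.append(f"{svc}_tls_key_file: {pem}")
    return cyrus, imapd


def check_unique_listen(domains):
    """Return IPs shared by more than one domain. Two services cannot bind
    the same address:port, so a reused IP silently breaks the scheme."""
    ips = Counter(ip for ip, _ in domains.values())
    return sorted(ip for ip, n in ips.items() if n > 1)


def render(domains):
    """Render both fragments as text ready to paste into the two files."""
    dupes = check_unique_listen(domains)
    if dupes:
        raise ValueError(f"IP reused by several domains: {dupes}")
    cyrus, imapd = service_entries(domains)
    services = "SERVICES {\n" + "\n".join(cyrus) + "\n}\n"
    return services, "\n".join(imapd) + "\n"


if __name__ == "__main__":
    cyrus_conf, imapd_conf = render(DOMAINS)
    print(cyrus_conf)
    print(imapd_conf)
```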