install certificate how to

Michael Menge michael.menge at
Thu Nov 30 08:20:36 EST 2017


Quoting Nikos Gatsis - Qbit <ngatsis at>:

> Hello list
> I have a mailserver which serve about 40 virutal domains and many users
> per domain using cyrus-imapd-2.4.17-13.el7.x86_64 and
> sendmail-8.14.7-5.el7.x86_64.
> How can I install a certificate per domain? Is that possible?
> Now I use what cyrus manual suggest:
> imapd.conf:
> ...
> tls_cert_file: /var/lib/imap/server.pem
> tls_key_file: /var/lib/imap/server.pem
> 3tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
> tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
> ...

The problem with configuring multiple certificates in Cyrus is that at the
moment it would require using one IP for each domain and one imap(s)/pop(s)
service listening only on this IP, and configuring the certs and keys for
each of these service names.

In /etc/cyrus.conf Services you would have

domainaimap cmd="imapd" listen="ipa:imap"
domainaimaps cmd="imapd -s" listen="ipa:imaps"
domainbimap cmd="imapd" listen="ipb:imap"
domainbimaps cmd="imapd -s" listen="ipb:imaps"
domainzimap cmd="imapd" listen="ipz:imap"
domainzimaps cmd="imapd -s" listen="ipz:imaps"

and in /etc/imapd.conf

domainaimap_tls_cert_file: /var/lib/imap/domaina.pem
domainaimap_tls_key_file: /var/lib/imap/domaina.pem
domainaimaps_tls_cert_file: /var/lib/imap/domaina.pem
domainaimaps_tls_key_file: /var/lib/imap/domaina.pem
domainbimap_tls_cert_file: /var/lib/imap/domainb.pem
domainbimap_tls_key_file: /var/lib/imap/domainb.pem
domainbimaps_tls_cert_file: /var/lib/imap/domainb.pem
domainbimaps_tls_key_file: /var/lib/imap/domainb.pem
domainzimap_tls_cert_file: /var/lib/imap/domainz.pem
domainzimap_tls_key_file: /var/lib/imap/domainz.pem
domainzimaps_tls_cert_file: /var/lib/imap/domainz.pem
domainzimaps_tls_key_file: /var/lib/imap/domainz.pem

There is the SSL extension SNI, which would allow using multiple certificates
on one IP, but as far as I know that is only implemented by web servers and
browsers. I could be wrong, though, and the mail clients will use it because
the SSL libraries use it by default.

A few years ago I saw a thread about SNI on this list.

Depending on how static your list of domains is, you could also use one
certificate with 40 SubjectAlternativeNames.

> Thank you in advance,
> Nikos

M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung          mail:  
michael.menge at
Wächterstraße 76
72074 Tübingen
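The per-service layout above (one listen address per domain, one `<servicename>_tls_cert_file` / `<servicename>_tls_key_file` pair per service) is easy to get subtly wrong with 40 domains. The following is an added example, not code from the Cyrus project or from this thread: it generates the cyrus.conf SERVICES entries and imapd.conf overrides from a constructed domain-to-IP map, checks that no two services share a listen address and that every service has its own cert/key override, and includes a probe that reports the certificate a running imaps service actually presents with and without SNI, so the SNI question can be answered against your own clients' behaviour. The domain names, the IPs (documentation range 192.0.2.0/24) and the `/var/lib/imap/<domain>.pem` path convention are assumptions for illustration.

```python
"""Generate and sanity-check a per-service TLS layout for Cyrus IMAP.

Added example (not Cyrus project code). Assumed inputs: a domain -> IP
map and one combined cert+key PEM per domain under /var/lib/imap.
"""
import hashlib
import socket
import ssl

# Constructed sample data (assumed): one dedicated IP per virtual domain.
DOMAINS = {
    "domaina": "192.0.2.10",
    "domainb": "192.0.2.11",
    "domainz": "192.0.2.12",
}
CERT_DIR = "/var/lib/imap"  # assumed, matching the paths used in the thread


def service_name(domain, secure):
    """Service name as used in cyrus.conf; it also becomes the imapd.conf prefix,
    so restrict it to letters and digits."""
    name = "".join(ch for ch in domain.lower() if ch.isalnum())
    return name + ("imaps" if secure else "imap")


def cyrus_conf_services(domains):
    """cyrus.conf SERVICES lines: one plain imap and one imaps service per domain."""
    lines = []
    for domain, ip in sorted(domains.items()):
        lines.append(f'{service_name(domain, False)} cmd="imapd" listen="{ip}:imap"')
        lines.append(f'{service_name(domain, True)} cmd="imapd -s" listen="{ip}:imaps"')
    return lines


def imapd_conf_overrides(domains, cert_dir=CERT_DIR):
    """imapd.conf per-service overrides: <service>_tls_cert_file / _tls_key_file."""
    lines = []
    for domain in sorted(domains):
        pem = f"{cert_dir}/{domain}.pem"
        for secure in (False, True):
            svc = service_name(domain, secure)
            lines.append(f"{svc}_tls_cert_file: {pem}")
            lines.append(f"{svc}_tls_key_file: {pem}")
    return lines


def check_layout(service_lines, override_lines):
    """Return a list of problems: two services on one listen address (the second
    would fail to bind, silently dropping that domain), or a service with no
    cert/key override (it would fall back to the global tls_cert_file)."""
    problems = []
    overrides = {}
    for line in override_lines:
        key, _, value = line.partition(":")
        overrides[key.strip()] = value.strip()
    seen = {}
    for line in service_lines:
        svc = line.split()[0]
        listen = line.split('listen="', 1)[1].rstrip('"')
        if listen in seen:
            problems.append(f"{svc} and {seen[listen]} both listen on {listen}")
        seen[listen] = svc
        for suffix in ("_tls_cert_file", "_tls_key_file"):
            if svc + suffix not in overrides:
                problems.append(f"{svc} has no {svc}{suffix} in imapd.conf")
    return problems


def presented_cert_fingerprint(ip, port=993, servername=None, timeout=5.0):
    """SHA-256 fingerprint of the certificate a live imaps service presents.

    Call once with servername=None and once with servername=<domain>: if the
    two fingerprints differ, the server is choosing certificates by SNI.
    Works only on the implicit-TLS port; port 143 would need STARTTLS first.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we want to inspect the cert, not validate it
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    services = cyrus_conf_services(DOMAINS)
    overrides = imapd_conf_overrides(DOMAINS)
    print("# /etc/cyrus.conf, SERVICES section")
    print("\n".join(services))
    print("\n# /etc/imapd.conf")
    print("\n".join(overrides))
    for problem in check_layout(services, overrides):
        print("PROBLEM:", problem)
```

Running the script prints the two config fragments for the constructed map and lists any layout problems; `presented_cert_fingerprint("192.0.2.10", 993)` against a real server, compared with the same call plus `servername="domaina.example"`, shows whether that server selects certificates by SNI at all.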
