Re: Multiple SSL Certs with virtual domains?

2010-01-21 Thread Eric Luyten
On Thu, January 21, 2010 10:35 am, Scott Lambert wrote:
 I am about to bring up the second of several virtual domains on my
 Cyrus-IMAPd 2.3.15 installation.  I've been Googling but can't seem
 to come up with a useful search string for finding posts talking about using
 multiple secure certificates for POP/IMAP connections to mail.domain1.com and
 mail.domainN.com.  We are rolling up multiple small mail servers into one
 host.

 The only thing I've been able to figure is that I will need to at least
 have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s) lines
 in cyrus.conf for each domain so that the secure certs can match the hostname
 configured in the user's existing mail program.

 Is there a more elegant method than something like the below plan?

SNIP


Scott,


It sure looks pretty elegant to me :-)

We (two domains, 65,000 users) have been running this type of Cyrus config
for over three years now.

Another, far less appealing, approach is to use certificates containing
alternates but this forces you to re-install them when a new domain is
added and, on top of it: certain versions of a much used mail client of
a well known Redmond, WA company have troubles accepting multi-domain
certificates.


Regards,
Eric Luyten, Computing Centre VUB/ULB, postmaster.



Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: Multiple SSL Certs with virtual domains?

2010-01-21 Thread Michael Menge

Hi,

Quoting Scott Lambert lamb...@lambertfam.org:


I am about to bring up the second of several virtual domains on my
Cyrus-IMAPd 2.3.15 installation.  I've been Googling but can't seem
to come up with a useful search string for finding posts talking
about using multiple secure certificates for POP/IMAP connections to
mail.domain1.com and mail.domainN.com.  We are rolling up multiple small
mail servers into one host.

The only thing I've been able to figure is that I will need to at least
have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s)
lines in cyrus.conf for each domain so that the secure certs can match
the hostname configured in the user's existing mail program.

Is there a more elegant method than something like the below plan?

SERVICES {
  # add or remove based on preferences
  imap      cmd="imapd -C imapd-domain1.conf"    listen="mail.domain1.com:imap"
  imaps     cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
  pop3      cmd="pop3d -C imapd-domain1.conf"    listen="mail.domain1.com:pop3"
  pop3s     cmd="pop3d -s -C imapd-domain1.conf" listen="mail.domain1.com:pop3s"
  imap      cmd="imapd -C imapd-domain2.conf"    listen="mail.domain2.com:imap"
  imaps     cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
  pop3      cmd="pop3d -C imapd-domain2.conf"    listen="mail.domain2.com:pop3"
  pop3s     cmd="pop3d -s -C imapd-domain2.conf" listen="mail.domain2.com:pop3s"

  ...
  imap      cmd="imapd -C imapd-domainN.conf"    listen="mail.domainN.com:imap"
  imaps     cmd="imapd -s -C imapd-domainN.conf" listen="mail.domainN.com:imaps"
  pop3      cmd="pop3d -C imapd-domainN.conf"    listen="mail.domainN.com:pop3"
  pop3s     cmd="pop3d -s -C imapd-domainN.conf" listen="mail.domainN.com:pop3s"

  sieve     cmd="timsieved" listen="sieve" prefork=0

  lmtpunix  cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}



You have to use different service names. Each service name may only
appear once.






M.Menge                           Tel.: (49) 7071/29-70316
Universität Tübingen              Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung     mail: michael.me...@zdv.uni-tuebingen.de

Wächterstraße 76
72074 Tübingen



Re: Multiple SSL Certs with virtual domains?

2010-01-21 Thread Eric Luyten
On Thu, January 21, 2010 11:27 am, Michael Menge wrote:
 Hi,


 Quoting Scott Lambert lamb...@lambertfam.org:


 I am about to bring up the second of several virtual domains on my
 Cyrus-IMAPd 2.3.15 installation.  I've been Googling but can't seem
 to come up with a useful search string for finding posts talking about using
 multiple secure certificates for POP/IMAP connections to mail.domain1.com
 and mail.domainN.com.  We are rolling up multiple small mail servers into
 one host.

 The only thing I've been able to figure is that I will need to at least
 have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s)
 lines in cyrus.conf for each domain so that the secure certs can match the
 hostname configured in the user's existing mail program.

 Is there a more elegant method than something like the below plan?


 SERVICES {
   # add or remove based on preferences
   imap      cmd="imapd -C imapd-domain1.conf"    listen="mail.domain1.com:imap"
   imaps     cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
   pop3      cmd="pop3d -C imapd-domain1.conf"    listen="mail.domain1.com:pop3"
   pop3s     cmd="pop3d -s -C imapd-domain1.conf" listen="mail.domain1.com:pop3s"
   imap      cmd="imapd -C imapd-domain2.conf"    listen="mail.domain2.com:imap"
   imaps     cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
   pop3      cmd="pop3d -C imapd-domain2.conf"    listen="mail.domain2.com:pop3"
   pop3s     cmd="pop3d -s -C imapd-domain2.conf" listen="mail.domain2.com:pop3s"
   ...
   imap      cmd="imapd -C imapd-domainN.conf"    listen="mail.domainN.com:imap"
   imaps     cmd="imapd -s -C imapd-domainN.conf" listen="mail.domainN.com:imaps"
   pop3      cmd="pop3d -C imapd-domainN.conf"    listen="mail.domainN.com:pop3"
   pop3s     cmd="pop3d -s -C imapd-domainN.conf" listen="mail.domainN.com:pop3s"
   sieve     cmd="timsieved" listen="sieve" prefork=0

   lmtpunix  cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
 }



 You have to use different service names. Each service name may only
 appear once.


Correct (I overlooked that, but it would have become pretty obvious when
starting Cyrus :-)

As an aside, this will enable you to attribute log lines to the correct
service, since Cyrus syslogs to one and the same facility.


Eric.




Re: Multiple SSL Certs with virtual domains?

2010-01-21 Thread Dan White
On 21/01/10 03:35 -0600, Scott Lambert wrote:
I am about to bring up the second of several virtual domains on my
Cyrus-IMAPd 2.3.15 installation.  I've been Googling but can't seem
to come up with a useful search string for finding posts talking
about using multiple secure certificates for POP/IMAP connections to
mail.domain1.com and mail.domainN.com.  We are rolling up multiple small
mail servers into one host.

The only thing I've been able to figure is that I will need to at least
have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s)
lines in cyrus.conf for each domain so that the secure certs can match
the hostname configured in the user's existing mail program.  

Is there a more elegant method than something like the below plan?

SERVICES {
  # add or remove based on preferences
  imap      cmd="imapd -C imapd-domain1.conf"    listen="mail.domain1.com:imap"
  imaps     cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
  pop3      cmd="pop3d -C imapd-domain1.conf"    listen="mail.domain1.com:pop3"
  pop3s     cmd="pop3d -s -C imapd-domain1.conf" listen="mail.domain1.com:pop3s"
  imap      cmd="imapd -C imapd-domain2.conf"    listen="mail.domain2.com:imap"
  imaps     cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
  pop3      cmd="pop3d -C imapd-domain2.conf"    listen="mail.domain2.com:pop3"
  pop3s     cmd="pop3d -s -C imapd-domain2.conf" listen="mail.domain2.com:pop3s"
  ...
  imap      cmd="imapd -C imapd-domainN.conf"    listen="mail.domainN.com:imap"
  imaps     cmd="imapd -s -C imapd-domainN.conf" listen="mail.domainN.com:imaps"
  pop3      cmd="pop3d -C imapd-domainN.conf"    listen="mail.domainN.com:pop3"
  pop3s     cmd="pop3d -s -C imapd-domainN.conf" listen="mail.domainN.com:pop3s"
  sieve     cmd="timsieved" listen="sieve" prefork=0

  lmtpunix  cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}

Scott,

You won't need to specify alternative imapd.conf configurations.

You can specify [servicename]_tls_cert_file, etc. within your primary
imapd.conf so that you have something like:

imap_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imap_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
imaps_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imaps_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
pop3_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain1.pem
pop3_tls_key_file: /etc/ssl/private/cyrus-pop3-domain1.key
pop3s_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain1.pem
pop3s_tls_key_file: /etc/ssl/private/cyrus-pop3-domain1.key

imapb_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain2.pem
imapb_tls_key_file: /etc/ssl/private/cyrus-imap-domain2.key
imapsb_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain2.pem
imapsb_tls_key_file: /etc/ssl/private/cyrus-imap-domain2.key
pop3b_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain2.pem
pop3b_tls_key_file: /etc/ssl/private/cyrus-pop3-domain2.key
pop3sb_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain2.pem
pop3sb_tls_key_file: /etc/ssl/private/cyrus-pop3-domain2.key

and in cyrus.conf you'd have service names like:
imap
imaps
pop3
pop3s
imapb
imapsb
pop3b
pop3sb

This is documented in:

http://cyrusimap.web.cmu.edu/imapd/install-configure.html

-- 
Dan White
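A small audit of the cyrus.conf/imapd.conf pairing Dan describes, added here as an example (not part of the thread or of the Cyrus project): it parses the SERVICES block, flags the repeated-name mistake from Scott's original plan, and checks that every TCP listener has its own <service>_tls_cert_file/_tls_key_file pair. The sample configs are constructed, and the "falls back to the global tls_cert_file" message assumes Cyrus's usual rule that a service-prefixed option overrides the unprefixed one.

```python
import re

# Constructed sample configs (not from the thread): the repeated "imaps" name and the missing imapb key are deliberate.
CYRUS_CONF = """\
SERVICES {
  imap     cmd="imapd -C /etc/imapd.conf" listen="mail.domain1.com:imap" prefork=0
  imaps    cmd="imapd -s" listen="mail.domain1.com:imaps"
  imapb    cmd="imapd"    listen="mail.domain2.com:imap"
  imaps    cmd="imapd -s" listen="mail.domain2.com:imaps"
  lmtpunix cmd="lmtpd"    listen="/var/imap/socket/lmtp" prefork=0
}
"""
IMAPD_CONF = """\
imap_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imap_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
imaps_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imaps_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
imapb_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain2.pem
"""

OPT_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def parse_services(cyrus_conf):
    """Yield (name, {option: value}) for each entry inside the SERVICES { ... } block."""
    block = re.search(r'SERVICES\s*\{(.*?)\}', cyrus_conf, re.S).group(1)
    for line in block.splitlines():
        parts = line.split('#', 1)[0].split(None, 1)   # strip comments, split name from options
        if parts:
            yield parts[0], {k: q or b for k, q, b in OPT_RE.findall(parts[1] if len(parts) > 1 else '')}

def parse_imapd(imapd_conf):
    """Return {option: value} from imapd.conf 'key: value' lines, ignoring comments."""
    lines = (l.split('#', 1)[0] for l in imapd_conf.splitlines())
    return {k.strip(): v.strip() for k, v in (l.split(':', 1) for l in lines if ':' in l)}

def audit(cyrus_conf, imapd_conf):
    """List duplicate service names and TCP listeners without a per-service cert/key pair."""
    opts, seen, findings = parse_imapd(imapd_conf), set(), []
    for name, o in parse_services(cyrus_conf):
        if name in seen:
            findings.append(f"duplicate service name '{name}': each name may appear only once")
        seen.add(name)
        listen = o.get('listen', '')
        if listen.startswith('/'):   # unix socket (lmtpunix): nothing to certify
            continue
        if f'{name}_tls_cert_file' not in opts:
            findings.append(f"{name} ({listen}): no {name}_tls_cert_file, falls back to the global tls_cert_file")
        elif f'{name}_tls_key_file' not in opts:
            findings.append(f"{name} ({listen}): {name}_tls_cert_file set but {name}_tls_key_file missing")
    return findings
```

Run `audit(CYRUS_CONF, IMAPD_CONF)` to get two findings: the repeated `imaps` entry and the `imapb` listener whose key file is missing.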



Re: Multiple SSL Certs with virtual domains?

2010-01-21 Thread Scott Lambert
On Thu, Jan 21, 2010 at 11:36:02AM +0100, Eric Luyten wrote:
 On Thu, January 21, 2010 11:27 am, Michael Menge wrote:
  
  Hi,
  
  Quoting Scott Lambert lamb...@lambertfam.org:
  
  The only thing I've been able to figure is that I will need to at least
  have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s)
  lines in cyrus.conf for each domain so that the secure certs can match the
  hostname configured in the user's existing mail program.
 
  Is there a more elegant method than something like the below plan?
 
 
  SERVICES {
    # add or remove based on preferences
    imap      cmd="imapd -C imapd-domain1.conf"    listen="mail.domain1.com:imap"
    imaps     cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
    pop3      cmd="pop3d -C imapd-domain1.conf"    listen="mail.domain1.com:pop3"
    pop3s     cmd="pop3d -s -C imapd-domain1.conf" listen="mail.domain1.com:pop3s"
    imap      cmd="imapd -C imapd-domain2.conf"    listen="mail.domain2.com:imap"
    imaps     cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
    pop3      cmd="pop3d -C imapd-domain2.conf"    listen="mail.domain2.com:pop3"
    pop3s     cmd="pop3d -s -C imapd-domain2.conf" listen="mail.domain2.com:pop3s"
    ...
    imap      cmd="imapd -C imapd-domainN.conf"    listen="mail.domainN.com:imap"
    imaps     cmd="imapd -s -C imapd-domainN.conf" listen="mail.domainN.com:imaps"
    pop3      cmd="pop3d -C imapd-domainN.conf"    listen="mail.domainN.com:pop3"
    pop3s     cmd="pop3d -s -C imapd-domainN.conf" listen="mail.domainN.com:pop3s"
    sieve     cmd="timsieved" listen="sieve" prefork=0

    lmtpunix  cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
  }
 
 
  You have to use different service names. Each service name may only
  appear once.

That seems obvious, now that you have pointed it out. ;-) Perhaps my
reading comprehension needs work, but I don't see the requirement
of uniqueness of the name parameter spelled out in cyrus.conf(5).
Perhaps I should build a documentation patch to help other people as dense as
me, assuming such people exist. :-)
 
 Correct (I overlooked that, but it would have become pretty obvious when
 starting Cyrus :-)

Actually, no errors were shown... But I did have a problem I couldn't
figure out.

I initially had prefork=5 for the non-SSL wrapped entries.  After a
couple of minutes I had many sockets in FIN_WAIT_1 and FIN_WAIT_2 and
CLOSED and CLOSED_WAIT status.  After about 10 minutes, none of the
services were responding quickly enough for Nagios.

After I took out the prefork entries, the services on domain1 behaved
nicely.  The services on [127.0.0.1]:(110|143) and domain2:* took 20
to 60 seconds to display the banner.  The delay was highly variable.
I couldn't find any errors in imap.log.  But it's run several hours
without angering Nagios for domain1.
 
 As an aside, this will enable you to attribute log lines to the correct
 service, since Cyrus syslogs to one and the same facility.

Ah, very nice.  I was looking for any indications such as that in the
logs this morning.

-- 
Scott Lambert          KC5MLE          Unix SysAdmin
lamb...@lambertfam.org

