Re: Multiple SSL Certs with virtual domains?
On Thu, January 21, 2010 10:35 am, Scott Lambert wrote:

> I am about to bring up the second of several virtual domains on my Cyrus-IMAPd 2.3.15 installation. I've been Googling but can't seem to come up with a useful search string for finding posts talking about using multiple secure certificates for POP/IMAP connections to mail.domain1.com and mail.domainN.com. We are rolling up multiple small mail servers into one host.
>
> The only thing I've been able to figure is that I will need to at least have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s) lines in cyrus.conf for each domain so that the secure certs can match the hostname configured in the user's existing mail program.
>
> Is there a more elegant method than something like the below plan?
>
> SNIP

Scott,

It sure looks pretty elegant to me :-)

We (two domains, 65,000 users) have been running this type of Cyrus config for over three years now.

Another, far less appealing, approach is to use certificates containing alternates, but this forces you to re-install them when a new domain is added and, on top of it: certain versions of a much used mail client of a well known Redmond, WA company have troubles accepting multi-domain certificates.

Regards,
Eric Luyten, Computing Centre VUB/ULB, postmaster.

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Multiple SSL Certs with virtual domains?
Hi,

Quoting Scott Lambert lamb...@lambertfam.org:

> I am about to bring up the second of several virtual domains on my Cyrus-IMAPd 2.3.15 installation. I've been Googling but can't seem to come up with a useful search string for finding posts talking about using multiple secure certificates for POP/IMAP connections to mail.domain1.com and mail.domainN.com. We are rolling up multiple small mail servers into one host.
>
> The only thing I've been able to figure is that I will need to at least have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s) lines in cyrus.conf for each domain so that the secure certs can match the hostname configured in the user's existing mail program.
>
> Is there a more elegant method than something like the below plan?
>
> SERVICES {
>   # add or remove based on preferences
>   imap     cmd="imapd -C imapd-domain1.conf"    listen="mail.domain1.com:imap"
>   imaps    cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
>   pop3     cmd="pop3d -C imapd-domain1.conf"    listen="mail.domain1.com:pop3"
>   pop3s    cmd="pop3d -s -C imapd-domain1.conf" listen="mail.domain1.com:pop3s"
>
>   imap     cmd="imapd -C imapd-domain2.conf"    listen="mail.domain2.com:imap"
>   imaps    cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
>   pop3     cmd="pop3d -C imapd-domain2.conf"    listen="mail.domain2.com:pop3"
>   pop3s    cmd="pop3d -s -C imapd-domain2.conf" listen="mail.domain2.com:pop3s"
>
>   ...
>
>   imap     cmd="imapd -C imapd-domainN.conf"    listen="mail.domainN.com:imap"
>   imaps    cmd="imapd -s -C imapd-domainN.conf" listen="mail.domainN.com:imaps"
>   pop3     cmd="pop3d -C imapd-domainN.conf"    listen="mail.domainN.com:pop3"
>   pop3s    cmd="pop3d -s -C imapd-domainN.conf" listen="mail.domainN.com:pop3s"
>
>   sieve    cmd="timsieved" listen="sieve" prefork=0
>   lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
> }

You have to use different service names. Each service name may only appear once.
M.Menge                              Tel.: (49) 7071/29-70316
Universität Tübingen                 Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung        mail: michael.me...@zdv.uni-tuebingen.de
Wächterstraße 76
72074 Tübingen
Re: Multiple SSL Certs with virtual domains?
On Thu, January 21, 2010 11:27 am, Michael Menge wrote:

> Hi,
>
> Quoting Scott Lambert lamb...@lambertfam.org:
>
>> I am about to bring up the second of several virtual domains on my Cyrus-IMAPd 2.3.15 installation. I've been Googling but can't seem to come up with a useful search string for finding posts talking about using multiple secure certificates for POP/IMAP connections to mail.domain1.com and mail.domainN.com. We are rolling up multiple small mail servers into one host.
>>
>> The only thing I've been able to figure is that I will need to at least have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s) lines in cyrus.conf for each domain so that the secure certs can match the hostname configured in the user's existing mail program.
>>
>> Is there a more elegant method than something like the below plan?
>>
>> SERVICES {
>>   # add or remove based on preferences
>>   imap     cmd="imapd -C imapd-domain1.conf"    listen="mail.domain1.com:imap"
>>   imaps    cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
>>   pop3     cmd="pop3d -C imapd-domain1.conf"    listen="mail.domain1.com:pop3"
>>   pop3s    cmd="pop3d -s -C imapd-domain1.conf" listen="mail.domain1.com:pop3s"
>>
>>   imap     cmd="imapd -C imapd-domain2.conf"    listen="mail.domain2.com:imap"
>>   imaps    cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
>>   pop3     cmd="pop3d -C imapd-domain2.conf"    listen="mail.domain2.com:pop3"
>>   pop3s    cmd="pop3d -s -C imapd-domain2.conf" listen="mail.domain2.com:pop3s"
>>
>>   ...
>>
>>   imap     cmd="imapd -C imapd-domainN.conf"    listen="mail.domainN.com:imap"
>>   imaps    cmd="imapd -s -C imapd-domainN.conf" listen="mail.domainN.com:imaps"
>>   pop3     cmd="pop3d -C imapd-domainN.conf"    listen="mail.domainN.com:pop3"
>>   pop3s    cmd="pop3d -s -C imapd-domainN.conf" listen="mail.domainN.com:pop3s"
>>
>>   sieve    cmd="timsieved" listen="sieve" prefork=0
>>   lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
>> }
>
> You have to use different service names. Each service name may only appear once.

Correct (I overlooked that, but it would have become pretty obvious when starting Cyrus :-)

As an aside, this will enable you to attribute log lines to the correct service, since Cyrus syslogs to one and the same facility.

Eric.
Re: Multiple SSL Certs with virtual domains?
On 21/01/10 03:35 -0600, Scott Lambert wrote:

> I am about to bring up the second of several virtual domains on my Cyrus-IMAPd 2.3.15 installation. I've been Googling but can't seem to come up with a useful search string for finding posts talking about using multiple secure certificates for POP/IMAP connections to mail.domain1.com and mail.domainN.com. We are rolling up multiple small mail servers into one host.
>
> The only thing I've been able to figure is that I will need to at least have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s) lines in cyrus.conf for each domain so that the secure certs can match the hostname configured in the user's existing mail program.
>
> Is there a more elegant method than something like the below plan?
>
> SERVICES {
>   # add or remove based on preferences
>   imap     cmd="imapd -C imapd-domain1.conf"    listen="mail.domain1.com:imap"
>   imaps    cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
>   pop3     cmd="pop3d -C imapd-domain1.conf"    listen="mail.domain1.com:pop3"
>   pop3s    cmd="pop3d -s -C imapd-domain1.conf" listen="mail.domain1.com:pop3s"
>
>   imap     cmd="imapd -C imapd-domain2.conf"    listen="mail.domain2.com:imap"
>   imaps    cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
>   pop3     cmd="pop3d -C imapd-domain2.conf"    listen="mail.domain2.com:pop3"
>   pop3s    cmd="pop3d -s -C imapd-domain2.conf" listen="mail.domain2.com:pop3s"
>
>   ...
>
>   imap     cmd="imapd -C imapd-domainN.conf"    listen="mail.domainN.com:imap"
>   imaps    cmd="imapd -s -C imapd-domainN.conf" listen="mail.domainN.com:imaps"
>   pop3     cmd="pop3d -C imapd-domainN.conf"    listen="mail.domainN.com:pop3"
>   pop3s    cmd="pop3d -s -C imapd-domainN.conf" listen="mail.domainN.com:pop3s"
>
>   sieve    cmd="timsieved" listen="sieve" prefork=0
>   lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
> }

Scott,

You won't need to specify alternative imapd.conf configurations. You can specify [servicename]_tls_cert_file, etc. within your primary imapd.conf so that you have something like:

  imap_tls_cert_file:   /etc/ssl/certs/cyrus-imap-domain1.pem
  imap_tls_key_file:    /etc/ssl/private/cyrus-imap-domain1.key
  imaps_tls_cert_file:  /etc/ssl/certs/cyrus-imap-domain1.pem
  imaps_tls_key_file:   /etc/ssl/private/cyrus-imap-domain1.key
  pop3_tls_cert_file:   /etc/ssl/certs/cyrus-pop3-domain1.pem
  pop3_tls_key_file:    /etc/ssl/private/cyrus-pop3-domain1.key
  pop3s_tls_cert_file:  /etc/ssl/certs/cyrus-pop3-domain1.pem
  pop3s_tls_key_file:   /etc/ssl/private/cyrus-pop3-domain1.key

  imapb_tls_cert_file:  /etc/ssl/certs/cyrus-imap-domain2.pem
  imapb_tls_key_file:   /etc/ssl/private/cyrus-imap-domain2.key
  imapsb_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain2.pem
  imapsb_tls_key_file:  /etc/ssl/private/cyrus-imap-domain2.key
  pop3b_tls_cert_file:  /etc/ssl/certs/cyrus-pop3-domain2.pem
  pop3b_tls_key_file:   /etc/ssl/private/cyrus-pop3-domain2.key
  pop3sb_tls_cert_file: /etc/ssl/certs/cyrus-pop3-domain2.pem
  pop3sb_tls_key_file:  /etc/ssl/private/cyrus-pop3-domain2.key

and in cyrus.conf you'd have service names like:

  imap
  imaps
  pop3
  pop3s
  imapb
  imapsb
  pop3b
  pop3sb

This is documented in:

http://cyrusimap.web.cmu.edu/imapd/install-configure.html

--
Dan White
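A small offline check for the two pitfalls raised in this thread: duplicate service names in cyrus.conf (Michael Menge's point) and TCP listeners that have no per-service <name>_tls_cert_file / <name>_tls_key_file pair in imapd.conf (Dan White's point), which would make that listener present the global tls_cert_file regardless of the hostname the client connected to. This is an added example, not code from the thread or from Cyrus; both config fragments are constructed samples, and the per-service key naming follows Dan's reply.

```python
import re
from collections import Counter

# Constructed sample cyrus.conf SERVICES block. The repeated "imap" name
# reproduces the mistake Michael Menge points out in the thread.
CYRUS_CONF = """SERVICES {
  imap     cmd="imapd -C imapd-domain1.conf"    listen="mail.domain1.com:imap"
  imaps    cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
  imap     cmd="imapd -C imapd-domain2.conf"    listen="mail.domain2.com:imap"
  imapsb   cmd="imapd -s"                       listen="mail.domain2.com:imaps"
  lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}
"""

# Constructed sample imapd.conf: only "imaps" carries the per-service keys
# Dan White describes; every other listener falls back to tls_cert_file.
IMAPD_CONF = """tls_cert_file: /etc/ssl/certs/default.pem
imaps_tls_cert_file: /etc/ssl/certs/cyrus-imap-domain1.pem
imaps_tls_key_file: /etc/ssl/private/cyrus-imap-domain1.key
"""

SERVICE_RE = re.compile(r'^\s*(\w+)\s+cmd="([^"]*)"\s+listen="([^"]*)"')
OPTION_RE = re.compile(r'^\s*([\w-]+)\s*:\s*(\S+)')

def parse_services(text):
    """Return [(name, cmd, listen), ...] for each entry in the SERVICES block."""
    block = text.split("SERVICES {", 1)[1].split("}", 1)[0]
    return [m.groups() for m in map(SERVICE_RE.match, block.splitlines()) if m]

def parse_options(text):
    """Return {key: value} for an imapd.conf fragment ("key: value" lines)."""
    return {m.group(1): m.group(2)
            for m in map(OPTION_RE.match, text.splitlines()) if m}

def duplicate_names(services):
    """Service names used more than once; cyrus.conf needs each name to be unique."""
    counts = Counter(name for name, _, _ in services)
    return sorted(n for n, c in counts.items() if c > 1)

def tcp_listeners_without_own_cert(services, options):
    """TCP listeners lacking a <name>_tls_cert_file / <name>_tls_key_file pair.
    They would present the global tls_cert_file, which cannot match every hostname."""
    missing = {name for name, _, listen in services
               if not listen.startswith("/")        # skip unix sockets (lmtp)
               and (f"{name}_tls_cert_file" not in options
                    or f"{name}_tls_key_file" not in options)}
    return sorted(missing)
```

Run it against the real files by replacing the two constructed strings with their contents; an empty result from both checks means every TCP listener has its own certificate and a unique name.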
Re: Multiple SSL Certs with virtual domains?
On Thu, Jan 21, 2010 at 11:36:02AM +0100, Eric Luyten wrote:

> On Thu, January 21, 2010 11:27 am, Michael Menge wrote:
>
>> Hi,
>>
>> Quoting Scott Lambert lamb...@lambertfam.org:
>>
>>> The only thing I've been able to figure is that I will need to at least have multiple imapd-domainX.conf files and have multiple pop3(s)/imap(s) lines in cyrus.conf for each domain so that the secure certs can match the hostname configured in the user's existing mail program.
>>>
>>> Is there a more elegant method than something like the below plan?
>>>
>>> SERVICES {
>>>   # add or remove based on preferences
>>>   imap     cmd="imapd -C imapd-domain1.conf"    listen="mail.domain1.com:imap"
>>>   imaps    cmd="imapd -s -C imapd-domain1.conf" listen="mail.domain1.com:imaps"
>>>   pop3     cmd="pop3d -C imapd-domain1.conf"    listen="mail.domain1.com:pop3"
>>>   pop3s    cmd="pop3d -s -C imapd-domain1.conf" listen="mail.domain1.com:pop3s"
>>>
>>>   imap     cmd="imapd -C imapd-domain2.conf"    listen="mail.domain2.com:imap"
>>>   imaps    cmd="imapd -s -C imapd-domain2.conf" listen="mail.domain2.com:imaps"
>>>   pop3     cmd="pop3d -C imapd-domain2.conf"    listen="mail.domain2.com:pop3"
>>>   pop3s    cmd="pop3d -s -C imapd-domain2.conf" listen="mail.domain2.com:pop3s"
>>>
>>>   ...
>>>
>>>   imap     cmd="imapd -C imapd-domainN.conf"    listen="mail.domainN.com:imap"
>>>   imaps    cmd="imapd -s -C imapd-domainN.conf" listen="mail.domainN.com:imaps"
>>>   pop3     cmd="pop3d -C imapd-domainN.conf"    listen="mail.domainN.com:pop3"
>>>   pop3s    cmd="pop3d -s -C imapd-domainN.conf" listen="mail.domainN.com:pop3s"
>>>
>>>   sieve    cmd="timsieved" listen="sieve" prefork=0
>>>   lmtpunix cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
>>> }
>>
>> You have to use different service names. Each service name may only appear once.

That seems obvious, now that you have pointed it out. ;-)

Perhaps my reading comprehension needs work, but I don't see the requirement of uniqueness of the name parameter spelled out in cyrus.conf(5). Perhaps I should build a documentation patch to help other people as dense as me, assuming such people exist. :-)

> Correct (I overlooked that, but it would have become pretty obvious when starting Cyrus :-)

Actually, no errors were shown...

But I did have a problem I couldn't figure out. I initially had prefork=5 for the non-SSL wrapped entries. After a couple of minutes I had many sockets in FIN_WAIT_1 and FIN_WAIT_2 and CLOSED and CLOSED_WAIT status. After about 10 minutes, none of the services were responding quickly enough for Nagios.

After I took out the prefork entries, the services on domain1 behaved nicely. The services on [127.0.0.1]:(110|143) and domain2:* took 20 to 60 seconds to display the banner. The delay was highly variable. I couldn't find any errors in imap.log. But it's run several hours without angering Nagios for domain1.

> As an aside, this will enable you to attribute log lines to the correct service, since Cyrus syslogs to one and the same facility.

Ah, very nice. I was looking for any indications such as that in the logs this morning.

--
Scott Lambert                    KC5MLE                    Unix SysAdmin
lamb...@lambertfam.org