On Wed, 6 Jun 2001 15:16:59 -0400, Scott McDermott wrote:
>The answer is yes, you need a separate cert per interface. Bind qpopper
>with different conf files which specify different certs, to the
>different interfaces. xinetd makes this easy. We have the same issue
>here. You just need to use the `bind' statement and make sure you
>specify different `id's for them since the service name is no longer
>enough.

Ok, got that working. I put all 3 service blocks in the same spop3
file. I used IDs like "spop3-eth0". I found that the bind directive
requires an interface address, not an interface name.

Is there any way to deal with cnames on the interfaces? I'm running
more than one service on the box and have cnames for the services (e.g.
pop3, smtp, ns). Some users use one name, some another. It looks like
Eudora doesn't canonicalize the name it connects with, and if it uses
an alias, then there will be yet another certificate hostname mismatch
error. Should clients be canonicalizing hostnames? (Is there an easier
way to get to Eudora's Cert Manager without drilling down into the
Check Mail settings?)

BTW, for those wanting to create self-signed test certs for their server, I
figured out how to do this with OpenSSL: You should have a directory
/usr/share/ssl/certs containing a Makefile. This Makefile has the rules
on how to create sample SSL files, including self-signed certs. To
create a new Qpopper cert, just cd to that directory, type "make
/tmp/qpopper.pem", and answer the questions identifying your server.
(Country, state/province, city, organization, section, hostname, and
email.) I use postmaster@servername for the email address.

Ken
mailto:[EMAIL PROTECTED]
http://www.sewingwitch.com/ken/
[If answering a mailing list posting, please don't cc me your reply. I'll take my
answer on the list.]
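
The per-interface layout described in this message, sketched as an added example that is not part of the original post or of either poster's actual configuration. Assumptions: the 192.0.2.x addresses, the popper binary path, the config and cert file paths, and the ids for eth1 and eth2 (named by analogy with "spop3-eth0") are constructed, and the service name spop3 is taken to map to 995/tcp in /etc/services.

```conf
# /etc/xinetd.d/spop3 -- one block per interface, all under the same service name.
# xinetd needs a unique "id" per block once the service name repeats, and
# "bind" takes the interface's IP address, not its name (eth0, eth1, ...).
#
# Each block hands Qpopper its own config file (hypothetical paths), which in
# turn names the certificate whose hostname matches that address, e.g.
# /etc/mail/qpopper-eth0.conf:
#     set tls-support          = alternate-port
#     set tls-server-cert-file = /etc/mail/certs/eth0.pem

service spop3
{
    id          = spop3-eth0
    bind        = 192.0.2.10
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/popper
    server_args = -f /etc/mail/qpopper-eth0.conf
}

service spop3
{
    id          = spop3-eth1
    bind        = 192.0.2.20
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/popper
    server_args = -f /etc/mail/qpopper-eth1.conf
}

service spop3
{
    id          = spop3-eth2
    bind        = 192.0.2.30
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/popper
    server_args = -f /etc/mail/qpopper-eth2.conf
}
```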