On May 31, 2006, at 7:20 PM, Jim Flowers wrote:

> There was a thread earlier this year that noted a difficulty in
> modifying dovecot to handle multiple domain certificates. This is a
> proposal that may require only minor modifications.

I guess there could be some ways to kludge around this so that it
wouldn't require any major changes. But there's one problem why I don't
really want to touch this right now: imap-login process is chrooted, so
the SSL certificates etc. have to be opened before chrooting. The
connection is accepted after chrooting, so they can't be opened at that
time anymore. So the solutions are to either read all the certificates
from a directory at startup time (which I think is a bad idea) or get
the certificates from another non-chrooted process. The latter one is
what I'm planning to do with Dovecot 2.0. You could of course also just
not run login process chrooted, but I won't accept code into Dovecot
that only works that way. :)

> Alternatively, as virtual servers almost always use some form of
> lookup (in my case mysql) the certificate used could be determined at
> time of connection, similar to the way ssl_ca is handled. For example:
>
> user_query = SELECT '125' as uid, '125' as gid, maildir as home,
>      '/etc/ssl/%d/certs/dovecot.pem' as cert,
>      '/etc/ssl/%d/private/dovecot.pem' as priv
>      FROM mailbox WHERE username = '%u'

In Dovecot 2.0 there's a config process which can read its configuration
from pretty much anywhere. The login process requests the configuration
after accepting connections, so you could make per-IP settings or
whatever.. user_query wouldn't anyway work because the certificate needs
to be known before username is sent.
There was a thread earlier this year that noted a difficulty in modifying
dovecot to handle multiple domain certificates.  This is a proposal that may
require only minor modifications.
Virtual domains can be set up with a unique ip address for each server;
mail.domain1.tld ###.###.###.1, mail.domain2.tld ###.###.###.2, etc.  Users
are instructed to enter 'mail.domain?.tld' for their imap server.
When an SSL TCP connection is established on port 993, the server program will
know the IP # that was used for the connection and can use getnameinfo to
extract the domain name (%d). This can then be used to build a specific
reference to the certificate to be used, prior to responding to CLIENT_HELLO.
Something like /etc/ssl/%d/[certs|private]/dovecot.pem
One technique would be to include this in multiple dovecot.conf listen
parameters read on startup, similar to tpop3d:
     listen = ###.###.###.1:993(domain1.tld);tls=stls,\
      /etc/ssl/domain1.tld/certs/dovecot.pem,\
      /etc/ssl/domain1.tld/private/dovecot.pem
     listen = ###.###.###.2:993(domain2.tld);tls=stls,\
      /etc/ssl/domain2.tld/certs/dovecot.pem,\
      /etc/ssl/domain2.tld/private/dovecot.pem
Alternatively, as virtual servers almost always use some form of lookup (in my
case mysql) the certificate used could be determined at time of connection,
similar to the way ssl_ca is handled.  For example:
user_query = SELECT '125' as uid, '125' as gid, maildir as home,
     '/etc/ssl/%d/certs/dovecot.pem' as cert,
     '/etc/ssl/%d/private/dovecot.pem' as priv
     FROM mailbox WHERE username = '%u'
In this manner the certificate returned would match the server ip/FQDN and can
also be customized for the specific domain involved.  Seeing their own domain
name as the CN for both the certificate and CA goes a long way to establish
credibility for most secure email users.
Could this be done?
--
Jim Flowers <jflowers at ezo.net>
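The per-listen-address certificate selection sketched in the listen-line proposal above, combined with the constraint raised in the reply (certificates must be opened before imap-login chroots, while the connection is only accepted afterwards), as an added example in Python that is not Dovecot or tpop3d code: the listen lines are parsed into a table keyed by (ip, port), the certificate and key files are read into memory in a startup step, and the per-connection lookup consults only the local address of the accepted socket. The parser, the read_file hook used by preload(), and the sample addresses are assumptions made for this example.

```python
import re
from dataclasses import dataclass
# Constructed sample in the tpop3d-style listen syntax quoted in the proposal;
# the addresses (documentation range) and paths are placeholders.
SAMPLE_CONFIG = r"""
listen = 192.0.2.1:993(domain1.tld);tls=stls,\
  /etc/ssl/domain1.tld/certs/dovecot.pem,\
  /etc/ssl/domain1.tld/private/dovecot.pem
listen = 192.0.2.2:993(domain2.tld);tls=stls,\
  /etc/ssl/domain2.tld/certs/dovecot.pem,\
  /etc/ssl/domain2.tld/private/dovecot.pem
"""
LISTEN_RE = re.compile(
    r"listen\s*=\s*(?P<ip>[\d.]+):(?P<port>\d+)\((?P<domain>[^)]+)\);"
    r"tls=stls,\s*(?P<cert>[^,\s]+),\s*(?P<key>\S+)$"
)
@dataclass
class TlsEntry:
    domain: str
    cert_path: str
    key_path: str
    cert_pem: bytes = b""  # filled in by preload(); empty means not usable yet
    key_pem: bytes = b""

def parse_listen_config(text):
    """Map (ip, port) -> TlsEntry; backslash-newline continuations are joined first."""
    table = {}
    for line in text.replace("\\\n", "").splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        key = (m["ip"], int(m["port"]))
        if key in table:
            raise ValueError(f"duplicate listen address {key}")
        table[key] = TlsEntry(m["domain"], m["cert"], m["key"])
    return table

def preload(table, read_file):
    """Startup step, before chroot: read every cert/key into memory via read_file(path) -> bytes."""
    for entry in table.values():
        entry.cert_pem = read_file(entry.cert_path)
        entry.key_pem = read_file(entry.key_path)
    return table

def select_entry(table, local_addr):
    """Per-connection step, after chroot: local_addr is sock.getsockname()[:2]; no file I/O here."""
    entry = table.get((local_addr[0], int(local_addr[1])))
    if entry is None or not entry.cert_pem:
        raise LookupError(f"no preloaded certificate for {local_addr}")
    return entry
```

A real server would hand entry.cert_pem and entry.key_pem to its TLS library when wrapping the accepted socket; the point of the split is that select_entry() can run inside the chroot because nothing it needs lives on disk.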