PGNet Dev
2009-Oct-07 02:05 UTC
[Dovecot] how to config dovecot for multiple domains, multiple SSL certs, and conditional IP access -- with passwd-file passdb?
at them moment, i've configured dovecot for a flat passwd-file, annd static userdb. from dovecot.conf, ... auth default { mechanisms = plain digest-md5 cram-md5 user = mail ... passdb passwd-file { args = /data/mail/users/imap_user_file } userdb static { args = static uid=mail gid=mail home=/data/mail/store/Domains/%d/Accounts/%n quota=maildir:storage=4096 nice=10 } ... i'd like to configure dovecot to, host multiple domains, each on a separate IP setup a separate SSL cert for each domain respond with a different login_greeting for each domain restrict access to, and access type (e.g., TLS req'd vs noTLS, secure auth OK) of, imap login based with conditional rules based on the guest's IP address. all of these things are currently implemented on the non-dovecot imap server i'm migrating _from_, and i'd like to preserve these capabilities. can any/all of these be accomplished with a passwd-file flatfile lookup? i know i can restrict IP access in passwd-file with 'allow_nets=', but atm i'm unclear how i'd do that for multiple domains, etc. i understand that much can be accomplished with custom SQL queries, but for a small install would _prefer_ to stay flat file. i'm finding bits & pieces of capability in docs, etc -- but, so far, nothing comprehensive/all-inclusive. which makes me wonder a bit -- why not? any comments/advice would be much appreciated. thanks!
Ed W
2009-Oct-09 12:04 UTC
[Dovecot] how to config dovecot for multiple domains, multiple SSL certs, and conditional IP access -- with passwd-file passdb?
PGNet Dev wrote:> i'd like to configure dovecot to, > > host multiple domains, each on a separate IP > setup a separate SSL cert for each domain > respond with a different login_greeting for each domain > restrict access to, and access type (e.g., TLS req'd vs noTLS, > secure auth OK) of, imap login based with conditional rules based on > the guest's IP address. >Sensible goals, but somewhere down the path it's going to get awkward for various reasons. One of the things I have toyed with is simply naming the servers something more generic and then using a single set of servers for all domains. The point of the slightly obscure generic domain name is that it doesn't then annoy anyone in particular that the server is named under their competitor's name or whatever.... Depends how technical the users are, but I would have thought it was fairly rare for people to be investigating and moaning about reverse dns or banners? This potentially saves you a lot of IPs and makes managing multiple hosts a lot easier? Not what you asked, but hopefully an interesting option Good luck Ed W
Timo Sirainen
2009-Oct-09 15:34 UTC
[Dovecot] how to config dovecot for multiple domains, multiple SSL certs, and conditional IP access -- with passwd-file passdb?
On Oct 6, 2009, at 10:05 PM, PGNet Dev wrote:> i'd like to configure dovecot to, > > host multiple domains, each on a separate IP > setup a separate SSL cert for each domain > respond with a different login_greeting for each domain > restrict access to, and access type (e.g., TLS req'd vs noTLS, > secure auth OK) of, imap login based with conditional rules based on > the guest's IP address.Unfortunately Dovecot v1.x can't do any of this, except for "tls required/not required" part. Upcoming Dovecot v2.0 could do all of this though. For now you'd have to run a separate Dovecot instance with a separate config file for each such IP. Or, of course, Dovecot v2.0 alpha1 should be out pretty soon and testers are always appreciated. :) In v2.0 you can do things like: local_ip 1.2.3.4 { ssl_cert_file = </etc/ssl/certs/domain.org login_greeting = blahblah } remote_ip 192.168.0.0/16 { # ... }