Hey guys, I've got dovecot configured to work perfectly for virtual users across different domains. It's great.

My problem is that, as far as I can tell, dovecot makes me use one SSL certificate across all my domains. That's not what I want. Is there a way I can get dovecot to use the cert for mail.foo.com when somebody is logging into a foo.com account, and the cert for mail.bar.com when somebody is logging into a bar.com account?

Am I missing something obvious, or asking the impossible?
Ben wrote:
> Hey guys, I've got dovecot configured to work perfectly for virtual users across different domains. It's great.
>
> My problem is that, as far as I can tell, dovecot makes me use one SSL certificate across all my domains. That's not what I want. Is there a way I can get dovecot to use the cert for mail.foo.com when somebody is logging into a foo.com account, and the cert for mail.bar.com when somebody is logging into a bar.com account?
>
> Am I missing something obvious, or asking the impossible?

My (admittedly very limited) understanding of how SSL certs work is: one cert is bound to one URL/IP address combination, which means you cannot use public certs for hosts that are served on the same IP address. So you'd have to be serving the IMAP connections for each domain on separate IP addresses, OR use a blanket self-signed wildcard cert (basically, *.* as the FQDN), although I don't know how good of an idea that is.

-- 
Best regards,
Charles
On Wednesday, 15 February 2006 19:54, Ben wrote:
> Am I missing something obvious, or asking the impossible?

It would not make much sense, and is probably even impossible: I don't know if IMAP supports something like SMTP's STARTTLS, where you can "convert" a plain channel to an SSL-protected one. (At least that's how I understood it.) Using IMAPS, the SSL channel is already established before authenticating, so how should dovecot be able to select the right certificate? If there is something like STARTTLS, you would have to switch to SSL after sending the login name but before sending the password, which probably is not supported and which would reveal the login name to any attacker anyhow... That's basically the same reason why there can't be different https sites on the same host (IP/port combination, to be precise).

Greetings,
Gunter

-- 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
43) Java: Internetcafe (Peter Berlich)
-- http://www.iks-jena.de/mitarb/lutz/usenet/Fachbegriffe.der.Informatik.html#43
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ PGP-encrypted mail preferred! +
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
On 15.2.2006 20:54, "Ben" <bench at silentmedia.com> wrote:
> Hey guys, I've got dovecot configured to work perfectly for virtual users across different domains. It's great.
>
> My problem is that, as far as I can tell, dovecot makes me use one SSL certificate across all my domains. That's not what I want. Is there a way I can get dovecot to use the cert for mail.foo.com when somebody is logging into a foo.com account, and the cert for mail.bar.com when somebody is logging into a bar.com account?
>
> Am I missing something obvious, or asking the impossible?

Like others have said, it's not possible because Dovecot doesn't know what domain you're going to log in to before the SSL/TLS connection is started. In theory it would be possible to set a separate certificate for each IP (or port) Dovecot listens on, but currently that can't be changed either.
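As an added illustration (not code from this thread or from Dovecot), the following Python models the order of events on an IMAPS connection, which is the reason the replies above give for the certificate not being able to follow the account's domain: the TLS handshake, and with it the certificate choice, is finished before the client's LOGIN command arrives. At handshake time the server knows only the listening IP and port (Charles's separate-IP suggestion and Timo's "in theory" per-IP case) and, if the client sends it, the TLS server name indication extension (SNI, RFC 6066) in the ClientHello; later Dovecot 2.x releases expose both of those selectors through `local` and `local_name` blocks. The certificate table, addresses, ClientHello contents and login line below are constructed for the example and are not from the thread.

```python
# Added example, not Dovecot code: what a server knows when it must pick a
# certificate on an IMAPS connection, and in which order the pieces arrive.

# Constructed mapping from selector to the subject name of the certificate
# it would present.  "default" stands for the thread's single ssl_cert.
CERTS = {
    "default": "mail.foo.com",          # the one cert the original poster has
    "ip:192.0.2.11": "mail.bar.com",    # per-listener mapping (separate IP per domain)
    "sni:mail.bar.com": "mail.bar.com", # SNI mapping (selector sent in the ClientHello)
}


def select_certificate(certs, listen_ip, listen_port, sni_name=None):
    """Pick a certificate using only what is known at TLS handshake time.
    Precedence: SNI name, then ip:port, then ip, then the default."""
    candidates = []
    if sni_name:
        candidates.append("sni:" + sni_name)
    candidates += ["ip:%s:%d" % (listen_ip, listen_port), "ip:" + listen_ip, "default"]
    for key in candidates:
        if key in certs:
            return certs[key]
    raise KeyError("no certificate configured for %s:%d" % (listen_ip, listen_port))


def parse_login(line):
    """Extract the user name from an IMAP LOGIN command such as
    'a1 LOGIN "dan@bar.com" secret' (constructed format for the example)."""
    tag, command, user, _password = line.split(None, 3)
    if command.upper() != "LOGIN":
        raise ValueError("expected LOGIN, got %r" % command)
    return user.strip('"')


def imaps_session(certs, listen_ip, listen_port, client_hello, login_line):
    """Replay the ordering of an IMAPS connection.  The certificate is chosen
    from the listener and the ClientHello; the LOGIN user name only becomes
    known afterwards, inside the already-established TLS channel."""
    cert_name = select_certificate(certs, listen_ip, listen_port,
                                   client_hello.get("server_name"))
    # Only now, inside the encrypted channel, does the client send LOGIN.
    user = parse_login(login_line)
    domain = user.partition("@")[2]
    return {
        "certificate": cert_name,
        "user": user,
        # Does the presented certificate's host name fall under the user's domain?
        "cert_matches_user_domain": cert_name.endswith("." + domain) if domain else False,
    }


if __name__ == "__main__":
    login = 'a1 LOGIN "dan@bar.com" secret'
    # One shared IP, no SNI: the bar.com user gets the foo.com certificate.
    print(imaps_session(CERTS, "192.0.2.10", 993, {}, login))
    # A separate listener IP for bar.com: correct certificate by address.
    print(imaps_session(CERTS, "192.0.2.11", 993, {}, login))
    # Shared IP, but the client names mail.bar.com via SNI: correct by name.
    print(imaps_session(CERTS, "192.0.2.10", 993, {"server_name": "mail.bar.com"}, login))
```

The three calls at the bottom show the only two levers that exist before authentication: a distinct listening address per domain, or an SNI name supplied by the client. Nothing in the LOGIN line can change which certificate was already presented.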
Ben wrote:
> Hey guys, I've got dovecot configured to work perfectly for virtual users across different domains. It's great.
>
> My problem is that, as far as I can tell, dovecot makes me use one SSL certificate across all my domains. That's not what I want. Is there a way I can get dovecot to use the cert for mail.foo.com when somebody is logging into a foo.com account, and the cert for mail.bar.com when somebody is logging into a bar.com account?
>
> Am I missing something obvious, or asking the impossible?

Ben, did you fix this one? I've traced the problem through my mail logs:

Mar 22 18:16:43 tg1 dovecot: auth(default): client in: AUTH 1 PLAIN service=IMAP lip=xxx.xxx.35.122 rip=xxx.xxx.32.85 resp=AGRhbkBhbHVtaW5hdGkubmV0AHBhc3Mx
Mar 22 18:16:43 tg1 dovecot: auth-worker(default): sql(dan at domain.net,xxx.xxx.32.85): query: SELECT username as user, password, mailenv as userdb_mail, uid as userdb_uid, gid as userdb_gid FROM users WHERE username = 'dan' AND domain = 'domain.net'
Mar 22 18:16:43 tg1 dovecot: auth-worker(default): auth(dan at domain.net,xxx.xxx.32.85): username changed dan at domain.net -> dan
Mar 22 18:16:43 tg1 dovecot: auth(default): auth(dan at domain.net,xxx.xxx.32.85): username changed dan at domain.net -> dan
Mar 22 18:16:43 tg1 dovecot: auth(default): client out: OK 1 user=dan
Mar 22 18:16:43 tg1 dovecot: auth(default): master in: REQUEST 1 24736 1

The line to look for says:

username changed dan at domain.net -> dan

After this point %d is empty, which is a problem if you use it in any configuration settings (which I'm trying to do). The login now works because I use the prefetch to fetch the mail and home directory information out of the database (rather than dynamically work it out), but there are some other settings (i.e. namespaces) where I want to use %d.

Can anyone suggest how to maintain the information in %d? Particularly, why does it shorten the username to "dan"?

Daniel
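As an added illustration (not code from the thread or from Dovecot), the following Python models the sequence visible in Daniel's log. Dovecot's documentation describes a `user` field returned by a passdb lookup as replacing the username for the rest of the login; the query in the log selects `username as user`, and the `username` column there holds only the local part, so the returned value has no domain and %d is empty from then on. The model carries that through to a namespace-style setting, and then shows the assumed alternative of a row whose `user` field carries the full address (for instance built in SQL from the username and domain columns). The passdb rows, the template string and the helper names are constructed for the example.

```python
import re

# Added example (not Dovecot's code): a small model of how %u, %n and %d are
# derived from the login name, and why a passdb result whose "user" field
# lacks the domain leaves %d empty, as in the "username changed" log line.


def split_user(username):
    """Return the Dovecot-style variables for a login name:
    %u = full username, %n = part before '@', %d = domain after '@' ('' if none)."""
    if "@" in username:
        n, d = username.split("@", 1)
    else:
        n, d = username, ""
    return {"u": username, "n": n, "d": d}


def apply_passdb_result(username, row):
    """Model of the documented passdb behaviour: if the lookup returns a
    'user' field, that value replaces the username for the rest of the login.
    Returns (new_username, log_message_or_None)."""
    new_user = row.get("user")
    if new_user is not None and new_user != username:
        return new_user, "username changed %s -> %s" % (username, new_user)
    return username, None


def expand(template, variables):
    """Expand %u, %n and %d in a setting such as a namespace location."""
    return re.sub(r"%([und])", lambda m: variables[m.group(1)], template)


def resolve_namespace(login_name, row, template="maildir:/var/mail/%d/%n"):
    """Run the whole sequence: login name -> passdb result -> expanded setting.
    Returns (final_username, log_message, expanded_value)."""
    username, msg = apply_passdb_result(login_name, row)
    return username, msg, expand(template, split_user(username))


# Constructed passdb rows standing in for the SQL results in the log.
# ROW_BARE_USER mirrors "SELECT username AS user, ..." where the username
# column holds only the local part: the returned user field has no domain.
ROW_BARE_USER = {"user": "dan", "password": "pass1"}
# ROW_FULL_USER is the assumed alternative: the user field carries the full
# address, so the domain survives and %d stays populated.
ROW_FULL_USER = {"user": "dan@domain.net", "password": "pass1"}

if __name__ == "__main__":
    for row in (ROW_BARE_USER, ROW_FULL_USER):
        user, msg, location = resolve_namespace("dan@domain.net", row)
        print(user, "|", msg, "|", location)
```

With the bare row the expanded location collapses to `maildir:/var/mail//dan` (empty %d), reproducing the symptom; with the full-address row the same template yields `maildir:/var/mail/domain.net/dan`.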