PGNet Dev
2009-Oct-07 02:05 UTC
[Dovecot] how to config dovecot for multiple domains, multiple SSL certs, and conditional IP access -- with passwd-file passdb?
at the moment, i've configured dovecot for a flat passwd-file, and
static userdb. from dovecot.conf,
...
auth default {
  mechanisms = plain digest-md5 cram-md5
  user = mail
  ...
  passdb passwd-file {
    args = /data/mail/users/imap_user_file
  }
  userdb static {
    args = static uid=mail gid=mail home=/data/mail/store/Domains/%d/Accounts/%n quota=maildir:storage=4096 nice=10
  }
...
i'd like to configure dovecot to,
- host multiple domains, each on a separate IP
- setup a separate SSL cert for each domain
- respond with a different login_greeting for each domain
- restrict access to, and access type (e.g., TLS req'd vs noTLS, secure auth OK) of, imap login based with conditional rules based on the guest's IP address.
all of these things are currently implemented on the non-dovecot imap
server i'm migrating _from_, and i'd like to preserve these
capabilities.
can any/all of these be accomplished with a passwd-file flatfile
lookup? i know i can restrict IP access in passwd-file with
'allow_nets=', but atm i'm unclear how i'd do that for multiple
domains, etc.
i understand that much can be accomplished with custom SQL queries,
but for a small install would _prefer_ to stay flat file. i'm finding
bits & pieces of capability in docs, etc -- but, so far, nothing
comprehensive/all-inclusive. which makes me wonder a bit -- why not?
any comments/advice would be much appreciated.
thanks!
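Added example, not part of the original post and not Dovecot's own code: a small audit of the per-user 'allow_nets=' extra field mentioned above, run over a passwd-file that holds users from several domains. The sample entries, domains and function names are constructed for illustration, and it assumes every allow_nets entry is a plain IP address or CIDR network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Dovecot passwd-file layout:
# user:password:uid:gid:gecos:home:shell:extra_fields
SAMPLE = """\
alice@example.org:{PLAIN}x::::::allow_nets=192.0.2.0/24,198.51.100.7
bob@example.org:{PLAIN}x::::::
carol@example.net:{PLAIN}x::::::allow_nets=2001:db8::/32 userdb_quota=maildir:storage=4096
# comment line
"""

def parse_allow_nets(text):
    """Map each user to a list of allowed networks, or None if unrestricted."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=7 keeps colons inside the extra field (IPv6, maildir:...) intact
        fields = line.split(":", 7)
        extra = fields[7] if len(fields) > 7 else ""
        nets = None
        for item in extra.split():
            key, _, value = item.partition("=")
            if key == "allow_nets":
                nets = [ipaddress.ip_network(n, strict=False)
                        for n in value.split(",") if n]
        users[fields[0]] = nets
    return users

def login_allowed(users, user, client_ip):
    """True if client_ip passes the user's allow_nets (no list = any address)."""
    nets = users[user]
    if nets is None:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in nets)

def unrestricted_by_domain(users):
    """Group users that carry no allow_nets restriction by their domain part."""
    out = defaultdict(list)
    for user, nets in users.items():
        if nets is None:
            out[user.rpartition("@")[2]].append(user)
    return dict(out)

if __name__ == "__main__":
    table = parse_allow_nets(SAMPLE)
    print("unrestricted:", unrestricted_by_domain(table))
    print("alice from 203.0.113.9:", login_allowed(table, "alice@example.org", "203.0.113.9"))
```

Because allow_nets is attached to each user line, a per-domain policy in a flat file means repeating the same networks on every user of that domain; the unrestricted_by_domain() report shows which entries were missed.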
Ed W
2009-Oct-09 12:04 UTC
[Dovecot] how to config dovecot for multiple domains, multiple SSL certs, and conditional IP access -- with passwd-file passdb?
PGNet Dev wrote:
> i'd like to configure dovecot to,
>
> host multiple domains, each on a separate IP
> setup a separate SSL cert for each domain
> respond with a different login_greeting for each domain
> restrict access to, and access type (e.g., TLS req'd vs noTLS,
> secure auth OK) of, imap login based with conditional rules based on
> the guest's IP address.
>

Sensible goals, but somewhere down the path it's going to get awkward for various reasons.

One of the things I have toyed with is simply naming the servers something more generic and then using a single set of servers for all domains. The point of the slightly obscure generic domain name is that it doesn't then annoy anyone in particular that the server is named under their competitor's name or whatever....

Depends how technical the users are, but I would have thought it was fairly rare for people to be investigating and moaning about reverse dns or banners?

This potentially saves you a lot of IPs and makes managing multiple hosts a lot easier?

Not what you asked, but hopefully an interesting option

Good luck

Ed W
Timo Sirainen
2009-Oct-09 15:34 UTC
[Dovecot] how to config dovecot for multiple domains, multiple SSL certs, and conditional IP access -- with passwd-file passdb?
On Oct 6, 2009, at 10:05 PM, PGNet Dev wrote:
> i'd like to configure dovecot to,
>
> host multiple domains, each on a separate IP
> setup a separate SSL cert for each domain
> respond with a different login_greeting for each domain
> restrict access to, and access type (e.g., TLS req'd vs noTLS,
> secure auth OK) of, imap login based with conditional rules based on
> the guest's IP address.

Unfortunately Dovecot v1.x can't do any of this, except for "tls required/not required" part. Upcoming Dovecot v2.0 could do all of this though.

For now you'd have to run a separate Dovecot instance with a separate config file for each such IP. Or, of course, Dovecot v2.0 alpha1 should be out pretty soon and testers are always appreciated. :)

In v2.0 you can do things like:

local_ip 1.2.3.4 {
  ssl_cert_file = </etc/ssl/certs/domain.org
  login_greeting = blahblah
}
remote_ip 192.168.0.0/16 {
  # ...
}