[Dovecot] imaps multiple domains proposal
Jim Flowers
jflowers at ezo.net
Wed May 31 19:20:16 EEST 2006
There was a thread earlier this year that noted a difficulty in modifying
dovecot to handle multiple domain certificates. This is a proposal that may
require only minor modifications.
Virtual domains can be set up with a unique ip address for each server;
mail.domain1.tld ###.###.###.1, mail.domain2.tld ###.###.###.2, etc. Users
are instructed to enter 'mail.domain?.tld' for their imap server.
When an SSL TCP connection is established on port 993, the server program will
know the IP # that was used for the connection and can use getnameinfo to
extract the domain name (%d). This can then be used to build a specific
reference to the certificate to be used, prior to responding to CLIENT_HELLO.
Something like /etc/ssl/%d/[certs|private]/dovecot.pem
One technique would be to include this in multiple dovecot.conf listen
parameters read on startup, similar to tpop3d:
listen = ###.###.###.1:993(domain1.tld);tls=stls,\
/etc/ssl/domain1.tld/certs/dovecot.pem,\
/etc/ssl/domain1.tld/private/dovecot.pem
listen = ###.###.###.2:993(domain2.tld);tls=stls,\
/etc/ssl/domain2.tld/certs/dovecot.pem,\
/etc/ssl/domain2.tld/private/dovecot.pem
Alternatively, as virtual servers almost always use some form of lookup (in my
case mysql) the certificate used could be determined at time of connection,
similar to the way ssl_ca is handled. For example:
user_query = SELECT '125' as uid, '125' as gid, maildir as home,
'/etc/ssl/%d/certs/dovecot.pem' as cert, '/etc/ssl/%d/private/dovecot.pem'
as priv FROM mailbox WHERE username = '%u'
In this manner the certificate returned would match the server ip/FQDN and can
also be customized for the specific domain involved. Seeing their own domain
name as the CN for both the certificate and CA goes a long way to establish
credibility for most secure email users.
Could this be done?
--
Jim Flowers<jflowers at ezo.net>
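Added example, not code from the mail or from Dovecot: a small Python model of the two lookups proposed above, the static per-IP listen table and the getnameinfo-derived %d path, with the reverse-DNS name validated before it becomes a path component. The listen syntax, the 192.0.2.x sample addresses and the injectable resolver are assumptions for the demonstration.

```python
import re
import socket

# Constructed sample in the 'listen = ...' syntax proposed in the mail
# (this is the proposal's notation, not real Dovecot configuration).
SAMPLE_CONF = r"""
listen = 192.0.2.1:993(domain1.tld);tls=stls,\
/etc/ssl/domain1.tld/certs/dovecot.pem,\
/etc/ssl/domain1.tld/private/dovecot.pem
listen = 192.0.2.2:993(domain2.tld);tls=stls,\
/etc/ssl/domain2.tld/certs/dovecot.pem,\
/etc/ssl/domain2.tld/private/dovecot.pem
"""

LISTEN_RE = re.compile(
    r"^listen\s*=\s*(?P<ip>[\d.]+):(?P<port>\d+)\((?P<domain>[^)]+)\);"
    r"tls=stls,(?P<cert>[^,\s]+),(?P<key>[^,\s]+)$")
# One DNS label: letters, digits, inner hyphens; this excludes '.', '/', '..'
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def parse_listen(conf):
    """Map (ip, port) -> (domain, cert_path, key_path), joining the
    backslash-continued lines the proposal uses."""
    table = {}
    for line in conf.replace("\\\n", "").splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            table[(m["ip"], int(m["port"]))] = (m["domain"], m["cert"], m["key"])
    return table

def safe_domain(name):
    """%d is taken from reverse DNS, so validate it before it becomes a
    filesystem path: reject anything that is not a plain two-plus-label FQDN."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(l) for l in labels):
        raise ValueError("unsafe domain for certificate path: %r" % name)
    return ".".join(labels)

def select_certificate(local_addr, table, resolver=socket.getnameinfo):
    """Pick cert/key for the local (ip, port) the client connected to.
    Static table first; otherwise derive %d with a getnameinfo-style call
    and build /etc/ssl/%d/{certs,private}/dovecot.pem as the mail suggests."""
    if local_addr in table:
        return table[local_addr][1:]
    host, _ = resolver(local_addr, socket.NI_NAMEREQD)
    d = safe_domain(host)
    return ("/etc/ssl/%s/certs/dovecot.pem" % d,
            "/etc/ssl/%s/private/dovecot.pem" % d)
```

The resolver parameter exists so the reverse lookup can be replaced offline; in a real listener the local address would come from the accepted socket's getsockname().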