On May 31, 2006, at 7:20 PM, Jim Flowers wrote:
> There was a thread earlier this year that noted a difficulty in
> modifying Dovecot to handle multiple domain certificates. This is a
> proposal that may require only minor modifications.
I guess there could be some ways to kludge around this so that it
wouldn't require any major changes. But there's one problem why I
don't really want to touch this right now: imap-login process is
chrooted, so the SSL certificates etc. have to be opened before
chrooting. The connection is accepted after chrooting, so they can't
be opened at that time anymore.
So the solutions are to either read all the certificates from a
directory at startup time (which I think is a bad idea) or get the
certificates from another non-chrooted process. The latter one is
what I'm planning to do with Dovecot 2.0.
You could of course also just not run login process chrooted, but I
won't accept code into Dovecot that only works that way. :)
> Alternatively, as virtual servers almost always use some form of
> lookup (in my case mysql), the certificate used could be determined at
> time of connection, similar to the way ssl_ca is handled. For example:
>
> user_query = SELECT '125' as uid, '125' as gid, maildir as home, '/etc/ssl/%d/certs/dovecot.pem' as cert, '/etc/ssl/%d/private/dovecot.pem' as priv FROM mailbox WHERE username = '%u'
In Dovecot 2.0 there's a config process which can read its
configuration from pretty much anywhere. The login process requests
the configuration after accepting connections, so you could make
per-IP settings or whatever..
user_query wouldn't work anyway because the certificate needs to be
known before the username is sent.
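The two constraints Timo states above (the certificates must all be loaded before the login process chroots and starts accepting, and the choice of certificate has to be made from what is on the wire before the user logs in, so nothing keyed on the username can work) can be seen in a self-contained loopback session. The following is an added illustration, not code from Dovecot or from either poster: a Go TLS server that loads every per-domain certificate up front and picks one during the handshake from the client's SNI name (the one per-domain signal that exists before any IMAP command), then receives the IMAP LOGIN only after the handshake is done. The host names, the in-memory self-signed certificates and the LOGIN line are all constructed test data, and `selfSigned`, `newStore` and `handshakeAndLogin` are names chosen here, not Dovecot APIs. (Dovecot itself gained SNI-based certificate selection much later, in 2.2, via `local_name` blocks.)

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSigned builds an in-memory test certificate for one mail host (constructed data;
// a real login process would read its PEM files from disk before it chroots).
func selfSigned(host string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// certStore is the "read every certificate at startup" option: every key is already in
// memory before a connection is accepted (and before a chroot would hide the files).
type certStore map[string]*tls.Certificate

func newStore(hosts []string) (certStore, error) {
	s := certStore{}
	for _, h := range hosts {
		c, err := selfSigned(h)
		if err != nil {
			return nil, err
		}
		s[h] = &c
	}
	s[""] = s[hosts[0]] // default when the client sends no SNI name or an unknown one
	return s, nil
}

// getCertificate runs inside the TLS handshake. All it can see is the ClientHello (the
// SNI name, plus the peer address via hello.Conn); no IMAP username exists at this point.
func (s certStore) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if c, ok := s[hello.ServerName]; ok {
		return c, nil
	}
	return s[""], nil
}

// handshakeAndLogin runs one loopback session: handshake first (certificate chosen by SNI),
// then the client's LOGIN line. It returns the CN the client saw and the username the
// server parsed, which is the order in which the server learns them.
func handshakeAndLogin(store certStore, sni, username string) (cn, seenUser string, err error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: store.getCertificate})
	if err != nil {
		return "", "", err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer c.Close()
		buf := make([]byte, 256)
		n, err := c.Read(buf) // the handshake completes here; only then can IMAP bytes arrive
		if f := strings.Fields(string(buf[:n])); err == nil && len(f) >= 3 && strings.EqualFold(f[1], "LOGIN") {
			seenUser = f[2]
		}
		done <- err
	}()
	// InsecureSkipVerify only because the certs are self-signed test data; never in production.
	client, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", "", err
	}
	defer client.Close()
	cn = client.ConnectionState().PeerCertificates[0].Subject.CommonName
	fmt.Fprintf(client, "a1 LOGIN %s secret\r\n", username)
	err = <-done
	return cn, seenUser, err
}

func main() {
	store, err := newStore([]string{"mail.example.com", "mail.example.org"})
	if err != nil {
		panic(err)
	}
	fmt.Println(handshakeAndLogin(store, "mail.example.org", "alice@example.org"))
}
```

Running it shows the certificate for mail.example.org being handed out before the server has seen any byte of "a1 LOGIN alice@example.org"; a client that sends an unknown SNI name (or none) gets the default certificate, which is exactly the case a per-user SQL lookup could never cover.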