[Dovecot] dovecot and virtual hosting
Hi.
A usual hosting provider setup depends on having one IP ("virtual mailserver") per domain. Using dovecot on servers handling hundreds or thousands of domains today equals having multiple instances of dovecot running.
This problem could be solved by making dovecot take into account the IP address the user connects to and authenticate against the proper {database, table, pw-file, [...]} based on that.
Comments?
-- Vegard Svanberg <vegard@svanberg.no> [*Takapa@IRC (EFnet)]
On Wed, Jun 02, 2004 at 08:06:14PM +0200, Vegard Svanberg wrote:
> A usual hosting provider setup depends on having one IP ("virtual mailserver") per domain. Using dovecot on servers handling hundreds or thousands of domains today equals having multiple instances of dovecot running.
> This problem could be solved by making dovecot take into account the IP address the user connects to and authenticate against the proper {database, table, pw-file, [...]} based on that.
> Comments?
I've worked at very large ISPs, and we never did virtual hosting based on IP address; we simply made the logins unique.
some systems used logins like abc123456, where 'abc' is a prefix specific to that ISP, and '123456' is a sequence number
other systems used username@domain as the login (i.e. the primary E-mail address of the mailbox)
You would be very hard pressed these days to justify to RIPE/ARIN/APNIC that you want hundreds of IP addresses just for virtualising POP3 mailboxes (similarly FTP servers for uploading website contents).
Even migrating existing ISPs was not a problem; the logins never clashed. Perhaps we were fortunate that in the odd occasion where two different systems had been using the same prefix 'abc' for logins, they used different ranges of sequence numbers.
Regards,
Brian.
On Wed, Jun 02, 2004 at 07:44:41PM +0100, Brian Candler wrote:
> On Wed, Jun 02, 2004 at 08:06:14PM +0200, Vegard Svanberg wrote:
> > A usual hosting provider setup depends on having one IP ("virtual mailserver") per domain. Using dovecot on servers handling hundreds or thousands of domains today equals having multiple instances of dovecot running.
> > This problem could be solved by making dovecot take into account the IP address the user connects to and authenticate against the proper {database, table, pw-file, [...]} based on that.
> > Comments?
> I've worked at very large ISPs, and we never did virtual hosting based on IP address; we simply made the logins unique.
Just because you don't use it, doesn't mean that others won't. For example, my employer manages thousands of virtual services distinguished by IP address for which some of the protocols (e.g. SSL, anonymous FTP) are virtualized by IP, and POP3 virtualization piggybacks on that just because it can.
We then support user@domain for those cases where the customer simply doesn't want SSL or virtual anon FTP.
I think it's a good idea. Do you have patches, Vegard?
Joshua.
-- Joshua Goodall "as modern as tomorrow afternoon" joshua@roughtrade.net - FW109
On Thu, Jun 03, 2004 at 11:42:00AM +1000, Joshua Goodall wrote:
> Just because you don't use it, doesn't mean that others won't.
That's true. All I meant was, when choosing where to expend development effort, perhaps it would be better to defer working on things which are arguably bad practice in the first place, and for which workarounds already exist (i.e. in this case bind a separate server instance to each IP address).
Now, if you weren't worried about disambiguating usernames, but wanted to select a different certificate for POP3/IMAP over TLS for each virtual domain, then I'd have more sympathy. It's a huge shame that the POP3/IMAP S(TART)TLS commands don't give a way to select a certificate before negotiating TLS. HTTP now does (RFC2817), although I don't know how widely that's implemented.
In our case, those people who used TLS for POP3 weren't willing to pay for their own certificate, so they were happy to share ours (they got a 'certificate name mismatch' but otherwise had a valid signed certificate; that's better than having a self-signed certificate)
However, if all you're trying to do is have POP3 users 'fred' connecting to pop3.domain1.com and 'fred' connecting to pop3.domain2.com be unambiguous, then I really can't sympathise. You really should be making all these users login as 'fred@domain1.com' and 'fred@domain2.com', even if you happen to have different IP addresses available for pop3.domain1.com and pop3.domain2.com; it's no harder for the end-user to configure, and it's shortsighted not to. You'll regret it one day.
Cheers,
Brian.
On 2.6.2004, at 21:06, Vegard Svanberg wrote:
> This problem could be solved by making dovecot take into account the IP address the user connects to and authenticate against the proper {database, table, pw-file, [...]} based on that.
1.0-test14 has code to do this: the %l variable. It works only with SQL and LDAP databases; I'm not sure if I should bother supporting it with others.
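An added example, not code from the thread and not Dovecot's own documentation: a dovecot-sql.conf fragment built around the %l (local IP) variable Timo describes, so that the address a client connected to selects which virtual host's credentials are checked. The table names, column names, IP addresses and the connect string are assumptions made for illustration.

```conf
# Added example (not from the thread, not Dovecot's own documentation).
# %l expands to the IP address the client connected TO (the virtual
# mailserver address); %r would be the client's own address.  The
# vhosts/users tables and their columns are assumed for illustration.
driver = mysql
connect = host=localhost dbname=mail user=dovecot password=secret
default_pass_scheme = CRYPT

# Assumed schema:
#   vhosts(ip, domain)                        one row per virtual mailserver IP
#   users(username, domain, password, home, uid, gid)
#
# Scope the lookup by BOTH the bare login name (%n) and the domain that
# owns the local IP, so 'fred' behind 10.0.0.1 and 'fred' behind 10.0.0.2
# are distinct rows and can never authenticate against each other's hash.
password_query = SELECT u.password FROM users u JOIN vhosts v ON v.domain = u.domain WHERE u.username = '%n' AND v.ip = '%l'

# The userdb lookup must use the same key, or a password accepted for one
# vhost could resolve to another vhost's mailbox.
user_query = SELECT u.home, u.uid, u.gid FROM users u JOIN vhosts v ON v.domain = u.domain WHERE u.username = '%n' AND v.ip = '%l'

# The user@domain scheme Brian argues for needs no vhosts table at all:
# the domain comes from the login itself (%d), and the same query works
# whether or not the domain has an IP address of its own.
# password_query = SELECT password FROM users WHERE username = '%n' AND domain = '%d'
# user_query = SELECT home, uid, gid FROM users WHERE username = '%n' AND domain = '%d'
```

Two checks before relying on this: make sure the vhosts table maps each IP to exactly one domain, since a second row for the same address turns the join into an ambiguous lookup where any matching 'fred' can log in; and keep the %d variant available, because a domain that later moves onto a shared address can only be told apart by the login name.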
participants (4)
- Brian Candler
- Joshua Goodall
- Timo Sirainen
- Vegard Svanberg