[Dovecot] imaps multiple domains proposal
There was a thread earlier this year that noted a difficulty in modifying dovecot to handle multiple domain certificates. This is a proposal that may require only minor modifications.
Virtual domains can be set up with a unique ip address for each server; mail.domain1.tld ###.###.###.1, mail.domain2.tld ###.###.###.2, etc. Users are instructed to enter 'mail.domain?.tld' for their imap server.
When an SSL TCP connection is established on port 993, the server program will know the IP # that was used for the connection and can use getnameinfo to extract the domain name (%d). This can then be used to build a specific reference to the certificate to be used, prior to responding to CLIENT_HELLO. Something like /etc/ssl/%d/[certs|private]/dovecot.pem
One technique would be to include this in multiple dovecot.conf listen parameters read on startup, similar to tpop3d:
listen = ###.###.###.1:993(domain1.tld);tls=stls,\
/etc/ssl/domain1.tld/certs/dovecot.pem,\
/etc/ssl/domain1.tld/private/dovecot.pem
listen = ###.###.###.2:993(domain2.tld);tls=stls,\
/etc/ssl/domain2.tld/certs/dovecot.pem,\
/etc/ssl/domain2.tld/private/dovecot.pem
Alternatively, as virtual servers almost always use some form of lookup (in my case mysql) the certificate used could be determined at time of connection, similar to the way ssl_ca is handled. For example:
user_query = SELECT '125' as uid, '125' as gid, maildir as home, '/etc/ssl/%d/certs/dovecot.pem' as cert, '/etc/ssl/%d/private/dovecot.pem' as priv FROM mailbox WHERE username = '%u'
In this manner the certificate returned would match the server ip/FQDN and can also be customized for the specific domain involved. Seeing their own domain name as the CN for both the certificate and CA goes a long way to establish credibility for most secure email users.
Could this be done?
-- Jim Flowers<jflowers@ezo.net>
On May 31, 2006, at 7:20 PM, Jim Flowers wrote:
There was a thread earlier this year that noted a difficulty in
modifying dovecot to handle multiple domain certificates. This is a proposal
that may require only minor modifications.
I guess there could be some ways to kludge around this so that it
wouldn't require any major changes. But there's one problem why I
don't really want to touch this right now: imap-login process is
chrooted, so the SSL certificates etc. have to be opened before
chrooting. The connection is accepted after chrooting, so they can't
be opened at that time anymore.
So the solutions are to either read all the certificates from a
directory at startup time (which I think is a bad idea) or get the
certificates from another non-chrooted process. The latter one is
what I'm planning to do with Dovecot 2.0.
You could of course also just not run login process chrooted, but I
won't accept code into Dovecot that only works that way. :)
Alternatively, as virtual servers almost always use some form of
lookup (in my case mysql) the certificate used could be determined at time of
connection, similar to the way ssl_ca is handled. For example:
user_query = SELECT '125' as uid, '125' as gid, maildir as home, '/etc/ssl/%d/certs/dovecot.pem' as cert, '/etc/ssl/%d/private/dovecot.pem' as priv FROM mailbox WHERE username = '%u'
In Dovecot 2.0 there's a config process which can read its
configuration from pretty much anywhere. The login process requests
the configuration after accepting connections, so you could make per-
IP settings or whatever..
user_query wouldn't anyway work because the certificate needs to be
known before username is sent.
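The listen-line format Jim proposes above and Timo's constraint that imap-login is chrooted, worked through as an added example (my code, not Dovecot's): the listen lines are parsed and every certificate is loaded into an SSL context before the chroot, and after accept() the context is chosen by the local address the client connected to. The 192.0.2.x addresses and the /etc/ssl paths are constructed sample values.

```python
"""Per-IP TLS certificate selection: preload all contexts before chroot,
select one per accepted connection by its local (server-side) address."""
import re
import ssl
from typing import Dict, NamedTuple, Optional, Tuple

Addr = Tuple[str, int]

class ListenEntry(NamedTuple):
    ip: str
    port: int
    domain: str
    certfile: str
    keyfile: str

# Constructed sample in the proposed tpop3d-like format (raw string keeps the
# trailing backslashes that mark line continuations).
SAMPLE_CONFIG = r"""listen = 192.0.2.1:993(domain1.tld);tls=stls,\
/etc/ssl/domain1.tld/certs/dovecot.pem,\
/etc/ssl/domain1.tld/private/dovecot.pem
listen = 192.0.2.2:993(domain2.tld);tls=stls,\
/etc/ssl/domain2.tld/certs/dovecot.pem,\
/etc/ssl/domain2.tld/private/dovecot.pem
"""

# listen = IP:PORT(domain);tls=MODE,certfile,keyfile  (after joining continuations)
LISTEN_RE = re.compile(r"^listen\s*=\s*([\d.]+):(\d+)\((\S+?)\);tls=\w+,(\S+),(\S+)$")

def parse_listen_config(text: str) -> Dict[Addr, ListenEntry]:
    """Join backslash-newline continuations, then parse each listen line."""
    joined = re.sub(r"\\\n\s*", "", text)
    entries: Dict[Addr, ListenEntry] = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("listen"):
            continue
        m = LISTEN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable listen line: {line}")
        ip, port, domain, cert, key = m.groups()
        entries[(ip, int(port))] = ListenEntry(ip, int(port), domain, cert, key)
    return entries

def preload_contexts(entries: Dict[Addr, ListenEntry]) -> Dict[Addr, ssl.SSLContext]:
    """Call BEFORE chroot: the key and certificate files are still reachable here."""
    ctxs = {}
    for addr, e in entries.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(e.certfile, e.keyfile)
        ctxs[addr] = ctx
    return ctxs

def context_for_local_addr(ctxs: Dict[Addr, object], local_addr: Addr) -> Optional[object]:
    """Call AFTER accept(): local_addr is conn.getsockname()[:2], i.e. the
    server IP/port the client dialled, known before any TLS or IMAP data."""
    return ctxs.get(local_addr)
```

On current TLS stacks the same selection can instead be keyed on the server_name (SNI) extension, which does not need one IP per domain.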
OK, I understand now but I anticipate Dovecot 2.0 is sometime in the future (nothing in CVS)? Also for the wishlist would be a per-domain default realm so that users migrating from other systems where they don't have to include a domain-name could do so transparently.
-- Jim Flowers<jflowers@ezo.net>
---------- Original Message ----------- From: Timo Sirainen <tss@iki.fi> To: "Jim Flowers" <jflowers@ezo.net> Cc: dovecot@dovecot.org Sent: Wed, 31 May 2006 19:19:25 +0300 Subject: Re: [Dovecot] imaps multiple domains proposal
------- End of Original Message -------
FWIW, stunnel can be configured to run multiple instances (one per ip/domain) each with its own certificates and services (pop3s, imaps, https, etc.) connected to the appropriate ip:port (pop3, imap, http, etc.). Very flexible and user friendly as certificates are specific to the domain and users can logon with just username (not username@domain.tld).
It also operates chroot but the certs are read at startup.
On 6/1/06, Jim Flowers <jflowers@ezo.net> wrote:
FWIW, stunnel can be configured to run multiple instances (one per ip/domain) each with its own certificates and services (pop3s, imaps, https, etc.) connected to the appropriate ip:port (pop3, imap, http, etc.). Very flexible and user friendly as certificates are specific to the domain and users can logon with just username (not username@domain.tld).
It also operates chroot but the certs are read at startup.
Sorry to barge in, but wouldn't several domains, each with its own cert, need different ip addresses?
On Sunday 04 June 2006 15:30, Joao Inacio took the opportunity to write:
On 6/1/06, Jim Flowers <jflowers@ezo.net> wrote:
FWIW, stunnel can be configured to run multiple instances (one per ip/domain) each with its own certificates and services (pop3s, imaps, https, etc.) connected to the appropriate ip:port (pop3, imap, http, etc.). Very flexible and user friendly as certificates are specific to the domain and users can logon with just username (not username@domain.tld).
It also operates chroot but the certs are read at startup.
Sorry to barge in, but wouldn't several domains, each with its own cert, need different ip addresses?
In practice, yes. Or different ports. RFC 3546 and RFC 4366 define the "server_name" extension to TLS 1.0 and 1.1, respectively. It can be used to tell the server which certificate to use, but I don't think it's widely implemented.
-- Magnus Holmgren holmgren@lysator.liu.se (No Cc of list mail needed, thanks)