[Dovecot] SSL certs per listen IP
I'd like to host multiple domains through a central dovecot proxy - however, I need to present different certs to different hostnames (which are on different IPs).
I can't see a way to do this in the documentation, is it possible?
thanks,
Ian
- Ian P. Christian pookey@pookey.co.uk [2008-12-20 23:06]:
I'd like to host multiple domains through a central dovecot proxy - however, I need to present different certs to different hostnames (which are on different IPs).
I can't see a way to do this in the documentation, is it possible?
Not with Dovecot itself. You have to use something like stunnel instead and redirect the connections to localhost:110/143 instead, for example.
Regards, Wolfram Schlich wschlich@gentoo.org Gentoo Linux * http://dev.gentoo.org/~wschlich/
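Wolfram's stunnel suggestion as an added example (not his or the stunnel project's own code): each listen IP gets its own [service] section and certificate, and every section forwards the decrypted session to the one Dovecot on 127.0.0.1:143. The IPs, section names and certificate paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a stunnel.conf that terminates TLS per listen IP,
# each IP with its own certificate, in front of a single plain-IMAP Dovecot.
# IPs and file paths below are constructed placeholders.

# stunnel_service NAME LISTEN_IP CERT KEY -> prints one [service] section
stunnel_service() {
    name=$1; ip=$2; cert=$3; key=$4
    printf '[%s]\n' "$name"
    printf 'accept = %s:993\n' "$ip"          # TLS listener on this IP only
    printf 'connect = 127.0.0.1:143\n'        # plain IMAP into Dovecot
    printf 'cert = %s\nkey = %s\n\n' "$cert" "$key"
}

# stunnel_conf MAPFILE -> full stunnel.conf; map lines are "name ip cert key"
# (blank lines and # comments are skipped)
stunnel_conf() {
    printf 'setuid = stunnel\nsetgid = stunnel\npid = /var/run/stunnel.pid\n\n'
    while read -r name ip cert key; do
        case $name in ''|'#'*) continue ;; esac
        stunnel_service "$name" "$ip" "$cert" "$key"
    done < "$1"
}

# Constructed demo: two hostnames on two IPs. Dovecot now only ever sees
# 127.0.0.1 as the client address, so its logs no longer carry the real IP.
map=$(mktemp)
printf '%s\n' 'imaps-a 192.0.2.10 /etc/ssl/a.pem /etc/ssl/a.key' \
              'imaps-b 192.0.2.11 /etc/ssl/b.pem /etc/ssl/b.key' > "$map"
stunnel_conf "$map"
rm -f "$map"
```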
2008/12/20 Wolfram Schlich lists@wolfram.schlich.org:
Not with Dovecot itself. You have to use something like stunnel instead and redirect the connections to localhost:110/143 instead, for example.
Ahhh yes, of course.
Thanks a lot, and seasons greetings,
Ian
- Ian P. Christian pookey@pookey.co.uk [2008-12-20 23:22]:
2008/12/20 Wolfram Schlich lists@wolfram.schlich.org:
Not with Dovecot itself. You have to use something like stunnel instead and redirect the connections to localhost:110/143 instead, for example.
Ahhh yes, of course.
The downside is, Dovecot log messages only show connections from localhost, so you can't map users to client IP addresses anymore.
Thanks a lot, and seasons greetings,
You're welcome :) Have a nice Christmas!
Regards, Wolfram Schlich wschlich@gentoo.org Gentoo Linux * http://dev.gentoo.org/~wschlich/
Ian P. Christian wrote:
I'd like to host multiple domains through a central dovecot proxy - however, I need to present different certs to different hostnames (which are on different IPs).
I can't see a way to do this in the documentation, is it possible?
You can't do this with a single instance, but you can run parallel instances of dovecot on the same machine. Create a second dovecot_mumble.conf with the alternate config and start the second instance with -c /path/to/dovecot_mumble.conf. Each instance needs its own .conf (they can share sql/ldap config files), base_dir and auth sections.
I run multi-instance setups in production--it makes it possible to take down the imap service without breaking postfix since postfix smtpd will have fatal startup errors unless dovecot is running.
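Darren's multi-instance approach as an added example (not his or the Dovecot project's own code): one Dovecot v1.x config per listen IP, each with its own base_dir, certificate and auth section, started separately with `dovecot -c`. It assumes the v1.x setting names (ssl_cert_file, ssl_key_file, ssl_listen); the IPs, instance names and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Darren's or the Dovecot project's own code: build one
# Dovecot v1.x config per listen IP, each with its own base_dir and cert, so
# N certificates means N masters, each started with "dovecot -c <conf>".
# IPs, hostnames and paths below are constructed placeholders.
# dovecot_instance_conf NAME IP CERT KEY -> prints the config for one instance
dovecot_instance_conf() {
    name=$1; ip=$2; cert=$3; key=$4
    cat <<EOF
# Instance "$name": bound to $ip only, so this IP presents only this cert.
# base_dir must be unique per instance (login and auth sockets live under it).
base_dir = /var/run/dovecot-$name/
protocols = imap imaps
listen = $ip
ssl_listen = $ip
ssl_cert_file = $cert
ssl_key_file = $key
# Each instance carries its own auth section; the sql/ldap file it points at
# can be shared by all of them.
auth default {
  passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
  userdb sql {
    args = /etc/dovecot/dovecot-sql.conf
  }
}
EOF
}

# write_instances MAPFILE OUTDIR -> writes OUTDIR/dovecot-NAME.conf for each
# map line "name ip cert key" (blank lines and # comments skipped) and prints
# the path; start each one afterwards with: dovecot -c OUTDIR/dovecot-NAME.conf
write_instances() {
    mapfile=$1; outdir=$2
    mkdir -p "$outdir"
    while read -r name ip cert key; do
        case $name in ''|'#'*) continue ;; esac
        dovecot_instance_conf "$name" "$ip" "$cert" "$key" \
            > "$outdir/dovecot-$name.conf"
        echo "$outdir/dovecot-$name.conf"
    done < "$mapfile"
}

# Constructed demo map: two hostnames on two IPs, written under a temp dir.
demo=$(mktemp -d)
printf '%s\n' 'mail-a 192.0.2.10 /etc/ssl/a.pem /etc/ssl/a.key' \
              'mail-b 192.0.2.11 /etc/ssl/b.pem /etc/ssl/b.key' > "$demo/map"
write_instances "$demo/map" "$demo/conf"
```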
2008/12/20 Darren Pilgrim list_dovecot@bluerosetech.com:
You can't do this with a single instance, but you can run parallel instances of dovecot on the same machine.
Thanks Darren, I did think about this option.
Does anyone else see a value in my putting this in as a feature request? IMO it would be useful to have a whole list of IP/SSL mappings, or perhaps different certs on different ports. I will happily accept I'm in the minority though if no one else sees value in this. I don't really want to run X number of instances of dovecot on my setup, as X might be reasonably high, and I'm running this on a low memory virtual machine - if it weren't for having to run multiple processes, memory requirements would be very low.
Regards,
Ian
Ian P. Christian wrote:
2008/12/20 Darren Pilgrim list_dovecot@bluerosetech.com:
You can't do this with a single instance, but you can run parallel instances of dovecot on the same machine.
Thanks Darren, I did think about this option.
Does anyone else see a value in my putting this in as a feature request?
Running a single master would be nice at least for in-the-box configurations. Parallel instances get you some significant extras, though, and Dovecot does a nice job of behaving when it's its own neighbor. The only main issue I ran into is making startup scripts understand a multi-instance config. The rc script that comes with the FreeBSD port does. :)
Ian P. Christian wrote:
Does anyone else see a value in my putting this in as a feature request? IMO it would be useful to have a whole list of IP/SSL mappings, or perhaps different certs on different ports. I will happily accept I'm in the minority though if no one else sees value in this. I don't really want to run X number of instances of dovecot on my setup, as X might be reasonably high, and I'm running this on a low memory virtual machine - if it weren't for having to run multiple processes, memory requirements would be very low.
It would be nice, but it is hardly something essential.
I believe this feature is already planned by Timo for a future version.
-- I'm prepared for all emergencies but totally unprepared for everyday life.
Eduardo M KALINOWSKI eduardo@kalinowski.com.br http://move.to/hpkb
http://wiki.dovecot.org/Roadmap
"v1.2 will be the next release after v1.1. v2.0 will provide a rewritten master process and config handling framework, which makes it a lot easier to implement several other features. Many people also want to use configuration that currently isn't possible, but will be easy to support using v2.0 (e.g. different auth lookups or SSL certs based on local/remote IP or protocol)."
Well, seems it's already thought up ;) For now, I'll run separate processes, either as separate Xen domains, or on the same server.
Thanks all!