[Dovecot] One dovecot, multiple domains
Hey guys, I've got dovecot configured to work perfectly for virtual users across different domains. It's great.
My problem is that, as far as I can tell, dovecot makes me use one SSL certificate across all my domains. That's not what I want. Is there a way I can get dovecot to use the cert for mail.foo.com when somebody is logging into a foo.com account, and the cert for mail.bar.com when somebody is logging into a bar.com account?
Am I missing something obvious, or asking the impoosible?
Ben wrote:
Hey guys, I've got dovecot configured to work perfectly for virtual users across different domains. It's great.
My problem is that, as far as I can tell, dovecot makes me use one SSL certificate across all my domains. That's not what I want. Is there a way I can get dovecot to use the cert for mail.foo.com when somebody is logging into a foo.com account, and the cert for mail.bar.com when somebody is logging into a bar.com account?
Am I missing something obvious, or asking the impoosible?
My (admittedly very limited) understanding of how SSL certs works is, one cert is bound to one URL/IP address combination - which means you cannot use public certs for hosts that are served on the same IP address. So, you'd have to be serving the IMAP connections for each domain on separate IP addresses - OR - use a blanket self-signed wildcard cert (basically, *.* as the FQDN), although I don't know how good of an idea that is.
--
Best regards,
Charles
My (also limited, but growing) understanding of a server cert is that you can bind it either to an IP address or to a FQDN. I could just bind it to the IP address, and as long as I only used a single IP address for my imap server (likely) then I'd be okay....... EXCEPT that I'm cheap, and plan to self-sign the CA for all my domains.
That's not so much a problem for my users, so long as they see that the cert for mail.foo.com was signed by the foo.com CA. But because I'll have one CA for each domain, I'll again need multiple certs. Which implies that dovecot needs some way to choose which one to use, for each login.
On Wed, 15 Feb 2006, Charles Marcus wrote:
Ben wrote:
Hey guys, I've got dovecot configured to work perfectly for virtual users across different domains. It's great.
My problem is that, as far as I can tell, dovecot makes me use one SSL certificate across all my domains. That's not what I want. Is there a way I can get dovecot to use the cert for mail.foo.com when somebody is logging into a foo.com account, and the cert for mail.bar.com when somebody is logging into a bar.com account?
Am I missing something obvious, or asking the impoosible?
My (admittedly very limited) understanding of how SSL certs works is, one cert is bound to one URL/IP address combination - which means you cannot use public certs for hosts that are served on the same IP address. So, you'd have to be serving the IMAP connections for each domain on separate IP addresses - OR - use a blanket self-signed wildcard cert (basically, *.* as the FQDN), although I don't know how good of an idea that is.
--
Best regards,
Charles
Ben wrote:
My (also limited, but growing) understanding of a server cert is that you can bind it either to an IP address or to a FQDN.
Not unless the IP address is the "name" you use as the server address. By this I mean, if you have mail.example1.com and mail.example2.com both bound to the same IP address 1.2.3.4, then you can only have an SSL certificate for one of those two names or all users must refer to the server by its IP address exclusively (and the IP address will have to be the Common Name in the cert).
If you have more than one domain, and they are not related (in the sense that they are all known to users of each other), *and* hence you must use multiple SSL certificates, you must have multiple IP addresses bound to the server. This has nothing to do with what CA is used to sign the certs.
HTH
John
-- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748
On 2/15/2006 John Peacock (jpeacock@rowman.com) wrote:
If you have more than one domain, and they are not related (in the sense that they are all known to users of each other), *and* hence you must use multiple SSL certificates, you must have multiple IP addresses bound to the server. This has nothing to do with what CA is used to sign the certs.
But as I said, the other option is a self-signed, blanket wildcard cert (*.*). Since he said he is using self-signed certs, that is still a possibility.
I'm still trying to decide how bad of an idea this is myself.
--
Best regards,
Charles
On 2/15/2006 John Peacock (jpeacock@rowman.com) wrote:
Not unless the IP address is the "name" you use as the server address.
True, and this is why I sed the phrase URL/IP Address. It is the *combination* that is what gets you... although you are correct, I think, that you could just use the IP address as the CN in the cert, and tell the users the mail server is the IP address.
Ugly, but should work...
--
Best regards,
Charles
Ben wrote:
My (also limited, but growing) understanding of a server cert is that you can bind it either to an IP address or to a FQDN. I could just bind it to the IP address, and as long as I only used a single IP address for my imap server (likely) then I'd be okay....... EXCEPT that I'm cheap, and plan to self-sign the CA for all my domains.
What does that have to do with it? You can still self-sign the cert using just the IP as the CN.
That's not so much a problem for my users, so long as they see that the cert for mail.foo.com was signed by the foo.com CA.
But thats just it - if you bind the cert to the IP, they won't see 'mail.foo.com', they'll see the IP address - and they will have to use the IP address for their 'Incoming Mail Server' setting in their MUA as well.
But because I'll have one CA for each domain, I'll again need multiple certs. Which implies that dovecot needs some way to choose which one to use, for each login.
If you want your users to actually see the cert for mail.foo.com is from foo.com CA, then I think your only option is to bind multiple IP addresses to the NIC, and use a different IP for each customer. You could still self-sign them, but at least they'd see the desired CN and CA.
--
Best regards,
Charles
Am Mittwoch, 15. Februar 2006 19:54 schrieb Ben:
Am I missing something obvious, or asking the impoosible?
It would not make much sense probably even is impossible:
I don't know if IMAP supports something like SMTP's STARTTLS where you can "convert" a plain channel to an SSL protected one. (At least that's how I understood it.)
Using IMAPS the SSL channel is already established before authenticating, so how should dovecot be able to select the right certificate?
If there is something like STARTTLS you would have to switch to SSL after sending the login name but before sending the passwort, which probably is not supported and which would reveal the login name to any attacker anyhow...
That's basically the same reasons why there can't be different https sites on the same host. (IP/port combination to be precise.)
Greetings,
Gunter
-- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 43) Java: Internetcafe (Peter Berlich) -- http://www.iks-jena.de/mitarb/lutz/usenet/Fachbegriffe.der.Informatik.htm l#43 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+PGP-verschlüsselte Mails bevorzugt! +
Well, that makes sense. Unfortunately it's not the answer I was looking for, even if it is an accurate one.
On Wed, 15 Feb 2006, Gunter Ohrner wrote:
Am Mittwoch, 15. Februar 2006 19:54 schrieb Ben:
Am I missing something obvious, or asking the impoosible?
It would not make much sense probably even is impossible:
I don't know if IMAP supports something like SMTP's STARTTLS where you can "convert" a plain channel to an SSL protected one. (At least that's how I understood it.)
Using IMAPS the SSL channel is already established before authenticating, so how should dovecot be able to select the right certificate?
If there is something like STARTTLS you would have to switch to SSL after sending the login name but before sending the passwort, which probably is not supported and which would reveal the login name to any attacker anyhow...
That's basically the same reasons why there can't be different https sites on the same host. (IP/port combination to be precise.)
Greetings,
Gunter
-- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 43) Java: Internetcafe (Peter Berlich) -- http://www.iks-jena.de/mitarb/lutz/usenet/Fachbegriffe.der.Informatik.htm l#43 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
PGP-verschl�sselte Mails bevorzugt! +
On Wed, 15 Feb 2006, Ben wrote:
Well, that makes sense. Unfortunately it's not the answer I was looking for, even if it is an accurate one.
IMAP has no virtual hosting feature like HTTP1.1 has; you could, however, bind more IP addresses to one interface (to get virtual interfaces) and spawn another demon with another cert there.
Bye,
-- Steffen Kaiser
On 15.2.2006 20:54, "Ben" bench@silentmedia.com wrote:
Hey guys, I've got dovecot configured to work perfectly for virtual users across different domains. It's great.
My problem is that, as far as I can tell, dovecot makes me use one SSL certificate across all my domains. That's not what I want. Is there a way I can get dovecot to use the cert for mail.foo.com when somebody is logging into a foo.com account, and the cert for mail.bar.com when somebody is logging into a bar.com account?
Am I missing something obvious, or asking the impoosible?
Like others have said, it's not possible because Dovecot doesn't know what domain you're going to log in before SSL/TLS connection is started.
In theory it would be possible to set separate certificate for each IP (or port) Dovecot listens in, but currently that can't be changed either.
Ben wrote:
Hey guys, I've got dovecot configured to work perfectly for virtual users across different domains. It's great.
My problem is that, as far as I can tell, dovecot makes me use one SSL certificate across all my domains. That's not what I want. Is there a way I can get dovecot to use the cert for mail.foo.com when somebody is logging into a foo.com account, and the cert for mail.bar.com when somebody is logging into a bar.com account?
Am I missing something obvious, or asking the impoosible?
Ben did you fix this one?
I've traced the problem through my mail logs:
Mar 22 18:16:43 tg1 dovecot: auth(default): client in: AUTH 1 PLAIN service=IMAP lip=xxx.xxx.35.122 rip=xxx.xxx.32.85 resp=AGRhbkBhbHVtaW5hdGkubmV0AHBhc3Mx Mar 22 18:16:43 tg1 dovecot: auth-worker(default): sql(dan@domain.net,xxx.xxx.32.85): query: SELECT username as user, password, mailenv as userdb_mail, uid as userdb_uid, gid as userdb_gid FROM users WHERE username = 'dan' AND domain = 'domain.net' Mar 22 18:16:43 tg1 dovecot: auth-worker(default): auth(dan@domain.net,xxx.xxx.32.85): username changed dan@domain.net -> dan Mar 22 18:16:43 tg1 dovecot: auth(default): auth(dan@domain.net,xxx.xxx.32.85): username changed dan@domain.net -> dan Mar 22 18:16:43 tg1 dovecot: auth(default): client out: OK 1 user=dan Mar 22 18:16:43 tg1 dovecot: auth(default): master in: REQUEST 1 24736 1
The line to look for says:
username changed dan@domain.net -> dan
After this point %d is empty which is a problem if you use it in any configuration settings (which I'm trying to do).
The login now works because I use the prefetch to fetch the mail and home directory informatin out of the database (rather than dynamically work it out) but there are some other settings (ie namespaces) where I wan to use %d.
Can anyone suggest how to maintain the information in %d? Particularly why does it shorten the username to "dan"?
Daniel
participants (7)
-
Ben
-
Charles Marcus
-
Daniel Watts
-
Gunter Ohrner
-
John Peacock
-
Steffen Kaiser
-
Timo Sirainen