[Dovecot] imaps multiple domains proposal

Timo Sirainen tss at iki.fi
Wed May 31 19:19:25 EEST 2006


On May 31, 2006, at 7:20 PM, Jim Flowers wrote:

> There was a thread earlier this year that noted a difficulty in modifying
> dovecot to handle multiple domain certificates.  This is a proposal that may
> require only minor modifications.

I guess there could be some ways to kludge around this so that it  
wouldn't require any major changes. But there's one problem why I  
don't really want to touch this right now: imap-login process is  
chrooted, so the SSL certificates etc. have to be opened before  
chrooting. The connection is accepted after chrooting, so they can't  
be opened at that time anymore.

So the solutions are to either read all the certificates from a  
directory at startup time (which I think is a bad idea) or get the  
certificates from another non-chrooted process. The latter one is  
what I'm planning to do with Dovecot 2.0.

You could of course also just not run login process chrooted, but I  
won't accept code into Dovecot that only works that way. :)

> Alternatively, as virtual servers almost always use some form of lookup (in my
> case mysql) the certificate used could be determined at time of connection,
> similar to the way ssl_ca is handled.  For example:
>
> user_query = SELECT '125' as uid, '125' as gid, maildir as home,
>      '/etc/ssl/%d/certs/dovecot.pem' as cert, '/etc/ssl/%d/private/dovecot.pem'
>       as priv FROM mailbox WHERE username = '%u'

In Dovecot 2.0 there's a config process which can read its
configuration from pretty much anywhere. The login process requests
the configuration after accepting connections, so you could make
per-IP settings or whatever..

user_query wouldn't anyway work because the certificate needs to be  
known before username is sent.
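
The following is an added example, not part of the original message and not Dovecot code. It sketches one way a chrooted login process can get a certificate from a non-chrooted helper after accept(): the helper opens the file and passes the descriptor over a Unix socket, keyed by the local IP, which is known before any username is sent. The function names, the IP-to-file map and the placeholder "certificates" are assumptions, and the chroot() call itself is left out because it needs root.

```python
import os
import socket
import tempfile

def cert_helper(sock, cert_map):
    """Non-chrooted side: answer each request with an open fd or a refusal."""
    while True:
        req = sock.recv(256)
        if not req:  # login process closed its end
            return
        # Look up by key only; the requester never supplies a filesystem path.
        path = cert_map.get(req.decode())
        if path is None:
            sock.send(b"NO")
            continue
        fd = os.open(path, os.O_RDONLY)
        socket.send_fds(sock, [b"OK"], [fd])  # fd travels as SCM_RIGHTS
        os.close(fd)

def request_cert(sock, local_ip):
    """Login side: called after accept(), before any TLS handshake or username."""
    sock.send(local_ip.encode())
    status, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)
    if status != b"OK" or not fds:
        return None
    with os.fdopen(fds[0], "rb") as f:  # works even if the path is outside the chroot
        return f.read()

def demo():
    tmp = tempfile.mkdtemp()
    cert_map = {}  # constructed sample data: local IP -> placeholder PEM file
    for ip, domain in (("192.0.2.10", "example.org"), ("192.0.2.11", "example.net")):
        cert_map[ip] = os.path.join(tmp, domain + ".pem")
        with open(cert_map[ip], "w") as f:
            f.write("constructed placeholder certificate for %s\n" % domain)
    login_end, helper_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:  # child: the non-chrooted helper
        try:
            login_end.close()
            cert_helper(helper_end, cert_map)
        finally:
            os._exit(0)
    helper_end.close()
    # A real login process would chroot() and drop privileges at this point.
    results = {ip: request_cert(login_end, ip) for ip in list(cert_map) + ["198.51.100.5"]}
    login_end.close()
    os.waitpid(pid, 0)
    return results
```

Requires Python 3.9 or later on a Unix system for socket.send_fds and socket.recv_fds.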

