On Mon, Jul 02, 2007 at 03:19:55PM +0200, Michael Menge wrote:
> Hi,
>
> you could try do disable the validation of the certificate with
>
> novalidate-cert
Thanks, yes, I could. :) But I'd like to have a functioning certificate
scheme here. I really wouldn't like anyone pretending to be, say,
i07.mappi.helsinki.fi with a certificate for foo.com to go without
notice... But buying a certificate for all my Murder backends doesn't
seem to me a viable option ;) (costs way too much).
Interesting. This particular problem couldn't even be solved by
switching to a traditional murder config (as opposed to most of the
problems I've encountered lately). That is, I /could/ arrange it so in a
traditional Murder that the frontends give the posti.mappi.helsinki.fi
certificate - and when they issue a referral to a backend, well, that
backend could give a certificate that matches its own hostname (in my
current setup, I can't do anything like that). But then, I'd have to buy
twenty-five certificates...
The old patch seemed to be against proxyd code (*sigh*). I made a new
patch (against imapd code) that should work for 2.3.8. It's essentially
the same patch that has been in production at PSU for a long time, so it
should be safe... I've got it attached in case anybody else is
interested.
--Janne
--
Janne Peltonen <janne.peltonen@xxxxxxxxxxx>
diff -Naur cyrus-imapd-2.3.8.orig/imap/imapd.c cyrus-imapd-2.3.8/imap/imapd.c
--- cyrus-imapd-2.3.8.orig/imap/imapd.c 2007-06-30 17:27:48.000000000 +0300
+++ cyrus-imapd-2.3.8/imap/imapd.c 2007-07-02 18:37:02.000000000 +0300
@@ -528,7 +528,7 @@
backend_cached = NULL;
backend_inbox = backend_current = NULL;
proxy_cmdcnt = 0;
- disable_referrals = 0;
+ disable_referrals = config_getswitch(IMAPOPT_PROXYD_DISABLE_MAILBOX_REFERRALS);
supports_referrals = 0;
if (imapd_mailbox) {
@@ -2638,6 +2638,10 @@
prot_printf(imapd_out, CAPA_POSTAUTH_STRING);
+ if (config_getswitch(IMAPOPT_PROXYD_DISABLE_MAILBOX_REFERRALS) == 0) {
+ prot_printf(imapd_out, " MAILBOX-REFERRALS");
+ }
+
if (idle_enabled()) {
prot_printf(imapd_out, " IDLE");
}
diff -Naur cyrus-imapd-2.3.8.orig/imap/version.h cyrus-imapd-2.3.8/imap/version.h
--- cyrus-imapd-2.3.8.orig/imap/version.h 2007-02-06 20:07:42.000000000 +0200
+++ cyrus-imapd-2.3.8/imap/version.h 2007-07-02 18:35:42.000000000 +0300
@@ -63,7 +63,7 @@
#define CAPA_PREAUTH_STRING "IMAP4 IMAP4rev1 LITERAL+ ID"
#define CAPA_POSTAUTH_STRING " ACL RIGHTS=kxte QUOTA " \
- "MAILBOX-REFERRALS NAMESPACE UIDPLUS " \
+ "NAMESPACE UIDPLUS " \
"NO_ATOMIC_RENAME UNSELECT " \
"CHILDREN MULTIAPPEND BINARY " \
"SORT SORT=MODSEQ THREAD=ORDEREDSUBJECT THREAD=REFERENCES " \
diff -Naur cyrus-imapd-2.3.8.orig/lib/imapoptions cyrus-imapd-2.3.8/lib/imapoptions
--- cyrus-imapd-2.3.8.orig/lib/imapoptions 2007-06-30 17:27:48.000000000 +0300
+++ cyrus-imapd-2.3.8/lib/imapoptions 2007-07-02 18:38:27.000000000 +0300
@@ -817,6 +817,10 @@
connections that these referrals would cause, thus resulting in a higher
authentication load on the respective backend server. */
+{ "proxyd_disable_mailbox_referrals", 0, SWITCH }
+/* Set to true to disable the use of mailbox-referrals on the
+ proxy servers.*/
+
{ "proxyservers", NULL, STRING }
/* A list of users and groups that are allowed to proxy for other
users, separated by spaces. Any user listed in this will be
----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
