Thanks.

I see something similar in documentation:

http://cyrusimap.org/docs/cyrus-imapd/2.4.17/install-configure.php

    Optionally, you can use separate certificates and key files for each service:

    [servicename]_tls_cert_file: /var/imap/imap-server.pem
    [servicename]_tls_key_file: /var/imap/imap-server.pem

    "servicename" here refers to the name of the service as specified in cyrus.conf. It is not necessarily the name of the binary.

However, it gives no examples.

So assuming I have the following services defined:

    imap cmd="imapd -U 1" listen="1.2.3.4:imap" prefork=0 maxchild=100
    imaps cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
    pop3 cmd="pop3d -U 1" listen="1.2.3.4:pop3" prefork=0 maxchild=50
    pop3s cmd="pop3d -s -U 1" listen="1.2.3.4:pop3s" prefork=0 maxchild=50

and using your suggested entries to imap.conf:

    imap_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
    imap_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
    imaps_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
    imaps_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
    pop3_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
    pop3_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
    pop3s_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
    pop3s_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key

What would my cyrus.conf services look like?

    imap cmd="imapd -U 1" listen="1.2.3.4:imap" prefork=0 maxchild=100
    imaps cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
    pop3 cmd="pop3d -U 1" listen="1.2.3.4:pop3" prefork=0 maxchild=50
    pop3s cmd="pop3d -s -U 1" listen="1.2.3.4:pop3s" prefork=0 maxchild=50
    imap_secondary cmd="imapd -U 1" listen="1.2.3.4:imap" prefork=0 maxchild=100
    imaps_secondary cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
    pop3_secondary cmd="pop3d -U 1" listen="1.2.3.4:pop3" prefork=0 maxchild=50
    pop3s_secondary cmd="pop3d -s -U 1" listen="1.2.3.4:pop3s" prefork=0 maxchild=50

Wouldn't this make cyrus refuse to start two imapd processes on 1.2.3.4:imaps?

-- 
Tomasz Chmielewski
http://www.sslrack.com

On 2014-07-03 18:51, Scott Lambert wrote:
> On Thu, Jul 03, 2014 at 01:08:38PM +0200, Tomasz Chmielewski wrote:
>> I mean binding it to one IP, but being able to serve different SSL
>> certificates.
>>
>> I think with Cyrus, one needs Subject Alternative Names (SANs)
>> certificate for that.
>
> No, you can do it with separate certs. It is done in imap.conf
> referencing service names in cyrus.conf.
>
> # File containing the global certificate used for ALL services (imap,
> # pop3, lmtp).
> #
> #tls_cert_file: <none>
> tls_cert_file: /usr/local/etc/ssl.crt/primaryname.crt
>
> # File containing the private key belonging to the global server
> # certificate.
> #
> #tls_key_file: <none>
> tls_key_file: /usr/local/etc/ssl.key/primaryname.key
>
> # These refer to the "name" of the service in cyrus.conf
> imap_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> imap_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
> imaps_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> imaps_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
> pop3_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> pop3_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
> pop3s_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
> pop3s_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
>
>
>> On 2014-07-03 12:50, Niels dettenbach wrote:
>> > On 03.07.2014 12:36, Tomasz Chmielewski wrote:
>> >> However, I don't see a way to set Cyrus to listen on one IP
>> >
>> > Binding cyrus daemons to specific IPs is possible (and even multiple
>> > IPs) within cyrus.conf:
>> >
>> > i.e. for IMAPs:
>> >
>> > one IP:
>> >
>> > imaps cmd="imapd -s" listen="my.host.ip:imaps" prefork=1 maxchild=123
>> >
>> > ALL IPs:
>> >
>> > imaps cmd="imapd -s" listen="imaps" prefork=1 maxchild=123
>> >
>> > or just multiple IPs (from brain, so pls doublecheck it):
>> >
>> > imaps cmd="imapd -s" listen="my.host.ip1:imaps" prefork=1 maxchild=123
>> > imaps cmd="imapd -s" listen="my.host.ip2:imaps" prefork=1 maxchild=123
>> >
>> >
>> > or do you mean anything other?
>> >
>> >
>> > hth a little,
>> >
>> > cheerioh,
>> >
>> >
>> > Niels.
>> >
>> >
>> >
>> > ---
>> > Niels Dettenbach
>> > Syndicat IT&Internet
>> > http://www.syndicat.com
>> ----
>> Cyrus Home Page: http://www.cyrusimap.org/
>> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
>> To Unsubscribe:
>> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
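
Added example, not part of the original thread and not Cyrus project code: a small check that resolves which certificate and key each cyrus.conf service name would pick up from the [servicename]_tls_cert_file / tls_cert_file options quoted above, and lists listen values claimed by more than one service, which is the situation the question asks about. The sample files are constructed from the entries in the thread; the function names are hypothetical, and the parser assumes one service per line with cmd= before listen=.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the entries quoted in the thread.
CYRUS_CONF = '''
SERVICES {
  imap            cmd="imapd -U 1"    listen="1.2.3.4:imap"  prefork=0 maxchild=100
  imaps           cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
  imaps_secondary cmd="imapd -s -U 1" listen="1.2.3.4:imaps" prefork=0 maxchild=100
}
'''
IMAP_CONF = '''
tls_cert_file: /usr/local/etc/ssl.crt/primaryname.crt
tls_key_file: /usr/local/etc/ssl.key/primaryname.key
imaps_secondary_tls_cert_file: /usr/local/etc/ssl.crt/secondaryname.crt
imaps_secondary_tls_key_file: /usr/local/etc/ssl.key/secondaryname.key
'''

def parse_services(text):
    """Return {service name: listen value} for lines with cmd= followed by listen=."""
    services = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s+cmd="[^"]*".*?listen="([^"]*)"', line)
        if m:
            services[m.group(1)] = m.group(2)
    return services

def parse_options(text):
    """Return {option: value} from 'key: value' lines, skipping '#' comments."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.partition(':')
        if sep and not key.lstrip().startswith('#'):
            opts[key.strip()] = value.strip()
    return opts

def tls_files(service, opts):
    """(cert, key) for a service: the [servicename]_ option if set, else the global one."""
    return tuple(opts.get(f"{service}_{k}", opts.get(k)) for k in ("tls_cert_file", "tls_key_file"))

def shared_listeners(services):
    """Return {listen value: [service names]} where more than one service uses it."""
    by_addr = defaultdict(list)
    for name, addr in services.items():
        by_addr[addr].append(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}

if __name__ == "__main__":
    svc, opts = parse_services(CYRUS_CONF), parse_options(IMAP_CONF)
    print({name: tls_files(name, opts) for name in svc}, shared_listeners(svc))
```

An address and port pair can normally be held by only one listening socket, so any entry reported by shared_listeners needs a different listen value before the per-service certificate can be served.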