Re: install certificate how to


 



Hi,


Quoting Nikos Gatsis - Qbit <ngatsis@xxxxxxx>:

Hello list
I have a mailserver which serves about 40 virtual domains and many users
per domain using cyrus-imapd-2.4.17-13.el7.x86_64 and
sendmail-8.14.7-5.el7.x86_64.
How can I install a certificate per domain? Is that possible?

Now I use what the cyrus manual suggests:

imapd.conf:
...
tls_cert_file: /var/lib/imap/server.pem
tls_key_file: /var/lib/imap/server.pem
3tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
...


The problem with configuring multiple certificates in cyrus is that at the
moment it would require using one IP for each domain and one imap(s)/pop(s)
service listening only on this IP, and configuring the certs and keys for
each of these service names.


In /etc/cyrus.conf Services you would have

domainaimap cmd="imapd" listen="ipa:imap"
domainaimaps cmd="imapd -s " listen="ipa:imaps"
domainbimap cmd="imapd" listen="ipb:imap"
domainbimaps cmd="imapd -s " listen="ipb:imaps"
...
domainzimap cmd="imapd" listen="ipz:imap"
domainzimaps cmd="imapd -s " listen="ipz:imaps"

and in /etc/imapd.conf

domainaimap_tls_cert_file: /var/lib/imap/domaina.pem
domainaimap_tls_key_file: /var/lib/imap/domaina.pem
domainaimaps_tls_cert_file: /var/lib/imap/domaina.pem
domainaimaps_tls_key_file: /var/lib/imap/domaina.pem
domainbimap_tls_cert_file: /var/lib/imap/domainb.pem
domainbimap_tls_key_file: /var/lib/imap/domainb.pem
domainbimaps_tls_cert_file: /var/lib/imap/domainb.pem
domainbimaps_tls_key_file: /var/lib/imap/domainb.pem
...
domainzimap_tls_cert_file: /var/lib/imap/domainz.pem
domainzimap_tls_key_file: /var/lib/imap/domainz.pem
domainzimaps_tls_cert_file: /var/lib/imap/domainz.pem
domainzimaps_tls_key_file: /var/lib/imap/domainz.pem

There is the SSL extension SNI (https://de.wikipedia.org/wiki/Server_Name_Indication),
which would allow using multiple certificates on one IP, but as far as I know
that is only implemented by web servers and browsers. I could be wrong, though,
and it may be that the mail clients will use it because the SSL libraries use
this extension by default.

A few years ago I saw a thread about SNI on this list:
https://lists.andrew.cmu.edu/pipermail/info-cyrus/2014-July/thread.html#37461

Depending on how static your list of domains is, you could also use one certificate
with 40 SubjectAlternativeNames.

Thank you in advance,
Nikos

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus



--------------------------------------------------------------------------------
M.Menge                                Tel.: (49) 7071/29-70316
Universität Tübingen                   Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung mail: michael.menge@xxxxxxxxxxxxxxxxxxxx
Wächterstraße 76
72074 Tübingen
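
A consistency check for the per-service layout described in the reply above, as an added example that is not part of the original message or of Cyrus itself: it reports imapd/pop3d services in cyrus.conf that lack their own `<service>_tls_cert_file` / `<service>_tls_key_file` lines, and prefixes in imapd.conf that match no service name. The sample input is constructed, and `lint` and the two regexes are this example's own names.

```python
import re

# Constructed sample input in the layout shown above. "ipa"/"ipb" are the
# reply's placeholders; the first service name is deliberately misspelled and
# one key line is deliberately left out.
CYRUS_CONF = '''
SERVICES {
  doaminaimap   cmd="imapd"    listen="ipa:imap"
  domainaimaps  cmd="imapd -s" listen="ipa:imaps"
  domainbimap   cmd="imapd"    listen="ipb:imap"
  domainbimaps  cmd="imapd -s" listen="ipb:imaps"
}
'''
IMAPD_CONF = '''
domainaimap_tls_cert_file: /var/lib/imap/domaina.pem
domainaimap_tls_key_file: /var/lib/imap/domaina.pem
domainaimaps_tls_cert_file: /var/lib/imap/domaina.pem
domainaimaps_tls_key_file: /var/lib/imap/domaina.pem
domainbimap_tls_cert_file: /var/lib/imap/domainb.pem
domainbimap_tls_key_file: /var/lib/imap/domainb.pem
domainbimaps_tls_cert_file: /var/lib/imap/domainb.pem
'''

# Service entries whose command is imapd or pop3d (optionally with a path).
SERVICE_RE = re.compile(r'^[ \t]*(\w+)[ \t]+cmd="(?:[^" ]*/)?(?:imapd|pop3d)\b', re.M)
# "<service>_tls_cert_file:" / "<service>_tls_key_file:" lines; '#' comments never match.
OPTION_RE = re.compile(r'^[ \t]*(\w+)_(tls_(?:cert|key)_file)[ \t]*:[ \t]*\S', re.M)
REQUIRED = {"tls_cert_file", "tls_key_file"}

def lint(cyrus_conf, imapd_conf):
    """Return (kind, name, options) findings for mismatched names."""
    services = set(SERVICE_RE.findall(cyrus_conf))
    options = {}
    for prefix, option in OPTION_RE.findall(imapd_conf):
        options.setdefault(prefix, set()).add(option)
    findings = []
    for name in sorted(services):            # service without its own cert/key
        missing = REQUIRED - options.get(name, set())
        if missing:
            findings.append(("missing", name, sorted(missing)))
    for prefix in sorted(set(options) - services):   # prefix matching no service
        findings.append(("orphan", prefix, sorted(options[prefix])))
    return findings

if __name__ == "__main__":
    for finding in lint(CYRUS_CONF, IMAPD_CONF):
        print(*finding)
```

An "orphan" finding next to a "missing" one with a near-identical name usually means a typo in one of the two files, so that service would not present the certificate intended for its domain.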
