Hi,
Quoting Nikos Gatsis - Qbit <ngatsis@xxxxxxx>:
Hello list
I have a mailserver which serves about 40 virtual domains and many users
per domain using cyrus-imapd-2.4.17-13.el7.x86_64 and
sendmail-8.14.7-5.el7.x86_64.
How can I install a certificate per domain? Is that possible?
Now I use what the Cyrus manual suggests:
imapd.conf:
...
tls_cert_file: /var/lib/imap/server.pem
tls_key_file: /var/lib/imap/server.pem
3tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
...
The problem with configuring multiple certificates in Cyrus is that at the
moment it would require using one IP for each domain and one imap(s)/pop(s)
service listening only on this IP and configuring the certs and keys for
each of these service names.
In /etc/cyrus.conf Services you would have
domainaimap cmd="imapd" listen="ipa:imap"
domainaimaps cmd="imapd -s " listen="ipa:imaps"
domainbimap cmd="imapd" listen="ipb:imap"
domainbimaps cmd="imapd -s " listen="ipb:imaps"
...
domainzimap cmd="imapd" listen="ipz:imap"
domainzimaps cmd="imapd -s " listen="ipz:imaps"
and in /etc/imapd.conf
domainaimap_tls_cert_file: /var/lib/imap/domaina.pem
domainaimap_tls_key_file: /var/lib/imap/domaina.pem
domainaimaps_tls_cert_file: /var/lib/imap/domaina.pem
domainaimaps_tls_key_file: /var/lib/imap/domaina.pem
domainbimap_tls_cert_file: /var/lib/imap/domainb.pem
domainbimap_tls_key_file: /var/lib/imap/domainb.pem
domainbimaps_tls_cert_file: /var/lib/imap/domainb.pem
domainbimaps_tls_key_file: /var/lib/imap/domainb.pem
...
domainzimap_tls_cert_file: /var/lib/imap/domainz.pem
domainzimap_tls_key_file: /var/lib/imap/domainz.pem
domainzimaps_tls_cert_file: /var/lib/imap/domainz.pem
domainzimaps_tls_key_file: /var/lib/imap/domainz.pem
There is the SSL extension SNI
https://de.wikipedia.org/wiki/Server_Name_Indication
which would allow using multiple certificates on one IP, but as far as I know
that is only implemented by webservers and browsers, but I could be wrong and
the mail clients will use it because the SSL libraries use this extension
by default.
A few years ago I saw a thread about SNI on this list
https://lists.andrew.cmu.edu/pipermail/info-cyrus/2014-July/thread.html#37461
Depending on how static your list of domains is, you could also use one
certificate with 40 SubjectAlternativeNames.
Thank you in advance,
Nikos
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe:
https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
--------------------------------------------------------------------------------
M.Menge Tel.: (49) 7071/29-70316
Universität Tübingen Fax.: (49) 7071/29-5912
Zentrum für Datenverarbeitung mail:
michael.menge@xxxxxxxxxxxxxxxxxxxx
Wächterstraße 76
72074 Tübingen
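
The per-service layout described in the reply above, generated from a domain-to-IP table instead of typed by hand for 40 domains. This is an added example, not part of the original message or of Cyrus. The function names, the sample domains and addresses, and the one-PEM-per-domain file naming are assumptions.

```python
import ipaddress
import re

CERT_DIR = "/var/lib/imap"  # directory used in the message; file naming is assumed

# Constructed sample: one dedicated address per domain (documentation range).
SAMPLE = {"domaina.example": "192.0.2.10", "domainb.example": "192.0.2.11"}


def service_prefix(domain):
    """Reduce a domain to letters and digits, like 'domaina' in the message."""
    prefix = re.sub(r"[^a-z0-9]", "", domain.lower())
    if not prefix:
        raise ValueError(f"no usable service name in {domain!r}")
    return prefix


def render(domains):
    """Return (cyrus.conf SERVICES lines, imapd.conf option lines)."""
    ips, prefixes = {}, {}
    services, options = [], []
    for domain, ip in sorted(domains.items()):
        addr = ipaddress.ip_address(ip)  # ValueError on a malformed address
        prefix = service_prefix(domain)
        # Without SNI the certificate is picked per listener, so a shared
        # address or a colliding service name would serve the wrong cert.
        if addr in ips:
            raise ValueError(f"{domain} and {ips[addr]} share {addr}")
        if prefix in prefixes:
            raise ValueError(f"{domain} and {prefixes[prefix]} both map to {prefix}")
        ips[addr], prefixes[prefix] = domain, domain
        # cyrus.conf expects IPv6 listen addresses in square brackets
        host = f"[{addr}]" if addr.version == 6 else str(addr)
        pem = f"{CERT_DIR}/{domain}.pem"
        for suffix, cmd in (("imap", "imapd"), ("imaps", "imapd -s")):
            name = prefix + suffix
            services.append(f'  {name} cmd="{cmd}" listen="{host}:{suffix}"')
            options += [f"{name}_tls_cert_file: {pem}", f"{name}_tls_key_file: {pem}"]
    return services, options


if __name__ == "__main__":
    svc, opt = render(SAMPLE)
    print("# /etc/cyrus.conf, inside SERVICES { ... }", *svc, sep="\n")
    print("# /etc/imapd.conf", *opt, sep="\n")
```

Since each PEM here holds both the certificate and the private key, as in the message, the generated paths should point at files readable only by the Cyrus user.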