
List:       info-cyrus
Subject:    Re: My Take on Virtdomains so far
From:       Phil Dibowitz <phil () ipom ! com>
Date:       2002-08-24 3:12:35

Ken Murchison wrote:

> This a bug that I will fix.  There is code to prevent cross-domain
> access, but I forgot (or was lazy) to check for the same domain.


Cool.


> I believe that this is only a problem when the domain is fetched from
> the IP address (which happens to always be on).  This can be overcome by
> specifying a 'defaultdomain' which is the same as the domain of the
> primary hostname of the machine (ie, make a default domain with the only
> user being the global admin).  I'll try to find a better workaround for
> this if I can.  But I would suggest that the global admin have a
> different username from the per-domain admins, ie admins: cyrus
> admin@domain1 admin@domain2 ...


Hmm. Hold on...

OK, so ... I'm confused. One of your virtual domains is going to be your real 
domain. For example, I'm using 'ipom.net' (which I own) and 'kr.com' (which I 
stupidly made up.. ::sigh:: and is apparently in use, but I've got all my 
internal DNS set up to make sure I'm hitting my box).

So, I guess in your example, I do this:
defaultdomain: ipom.net
admins: cyrus admin@ipom.net admin@kr.com

Now, when I connect at 10.1.1.7 (mail.ipom.net), the user 'cyrus' can no 
longer connect - but there IS a user 'cyrus' with domain 'ipom.net' in the 
database. So how do you get global admins to work? I'm rather confused.


> Did you happen to see the following post?  Option #1, if supported by
> clients, would work for both single-IP and multiple-IP configs.
> 
> http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=SSL%2FTLS&msg=16940


I'm not sure I get that, I'd have to do research...


> Other than that, I can add support for a tls_cert_dir which would have
> one cert per address each using the domain as the name, ie
> oceana.com.crt


I think this is an optimal (and probably very easy to code?) solution. I know 
that Courier IMAPd does it by IP address (i.e. 10.1.1.7.cert). On the one 
hand that would alleviate an extra DNS lookup, on the other it's a huge pain if 
you ever re-IP your network.


> The addition of per-service config files, was my first "poor-man's"
> virtdomains implementation.  You were the first one to take the ball and
> run with it!  ;)


Actually this guy Kevin did that. Then he told me about it, and I documented 
it. I think it's the optimal solution for very robust virtual hosting.


> Additions OTH (I still think your solution is good and viable one):
> 
>     - Less administration (one config file, one set of databases)
>     - Works with Murder


Murder - never used it. What is it again... allows you to have a cluster of 
cyrus boxes, if I recall correctly?

The question is now... do EITHER of the solutions work with sieve. I think I 
remember you putting off doing the sieve part of your solution... but I think 
my solution may already work with sieve.

I've never used sieve, so I don't know...


> Thanks again!  If this ends up anywhere close to a one-size-fits-all
> solution, its because of the great input that I received from the list.


And thanks to you for putting time into coding something you never plan on using!

-- 
Phil Dibowitz                             phil@ipom.com
Freeware and Technical Pages              Insanity Palace of Metallica
http://home.earthlink.net/~jaymzh666/     http://www.ipom.com/

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
  - Benjamin Franklin, 1759
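The defaultdomain/admins exchange above (Ken's workaround and Phil's 'cyrus' at 10.1.1.7 question) is easier to follow with a small model of the username qualification the thread describes. This is an added example, not Cyrus code and not from either poster: it assumes the rule as stated in the thread (a bare login gets the domain of the server-side IP's reverse-DNS hostname appended, unless that domain equals defaultdomain, in which case the user stays unqualified) and uses a constructed reverse-DNS table; the IPs and hostnames are placeholders taken from or modelled on the message.

```python
# Illustrative model of Cyrus virtdomains login qualification, as described in
# the thread above. Not Cyrus's own code; the REVERSE_DNS table is constructed
# and stands in for the lookup Cyrus does on the address the client connected to.
REVERSE_DNS = {
    "10.1.1.7": "mail.ipom.net",   # from the message
    "10.1.1.8": "mail.kr.com",     # assumed second interface for the made-up domain
}

# imapd.conf values from the message, plus a variant with no defaultdomain.
CONFIG_WITH_DEFAULT = {
    "defaultdomain": "ipom.net",
    "admins": {"cyrus", "admin@ipom.net", "admin@kr.com"},
}
CONFIG_NO_DEFAULT = {
    "defaultdomain": None,
    "admins": {"cyrus", "admin@ipom.net", "admin@kr.com"},
}


def domain_of_interface(ip, table=REVERSE_DNS):
    """Domain part of the reverse-DNS name of the address the client hit.

    Assumption: the domain is everything after the first label of the hostname.
    Returns None when the address does not resolve or has no domain part.
    """
    host = table.get(ip)
    if host is None or "." not in host:
        return None
    return host.split(".", 1)[1]


def canonical_user(login, ip, config, table=REVERSE_DNS):
    """Identity the server would authorise for `login` on a connection to `ip`.

    Rule modelled from the thread: a login that already carries '@domain' is
    used as given; a bare login gets the interface's domain appended, except
    when that domain is the configured defaultdomain, where it stays bare.
    """
    if "@" in login:
        return login
    domain = domain_of_interface(ip, table)
    if domain is None or domain == config["defaultdomain"]:
        return login
    return f"{login}@{domain}"


def is_admin(login, ip, config, table=REVERSE_DNS):
    """True if the canonicalised identity appears in the admins list."""
    return canonical_user(login, ip, config, table) in config["admins"]


if __name__ == "__main__":
    for cfg_name, cfg in (("defaultdomain: ipom.net", CONFIG_WITH_DEFAULT),
                          ("no defaultdomain", CONFIG_NO_DEFAULT)):
        print(f"--- {cfg_name} ---")
        for login, ip in (("cyrus", "10.1.1.7"), ("cyrus", "10.1.1.8"),
                          ("admin", "10.1.1.7"), ("admin", "10.1.1.8")):
            ident = canonical_user(login, ip, cfg)
            print(f"{login:6} via {ip:9} -> {ident:16} admin={is_admin(login, ip, cfg)}")
```

Run as a script it prints the four logins under both configurations. The point it makes is the one Ken raises: without a defaultdomain the global 'cyrus' connecting to mail.ipom.net is qualified to 'cyrus@ipom.net', which is not in the admins list, so the global admin cannot act; with defaultdomain set to the primary hostname's domain the same login stays bare and matches 'cyrus'. It also shows why the per-domain admins should not share the global admin's name: 'cyrus' at the kr.com address becomes 'cyrus@kr.com', which is a different, non-admin identity.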
