List: info-cyrus
Subject: Re: My Take on Virtdomains so far
From: Phil Dibowitz <phil () ipom ! com>
Date: 2002-08-24 3:12:35
Ken Murchison wrote:
> This is a bug that I will fix. There is code to prevent cross-domain
> access, but I forgot (or was lazy) to check for the same domain.
Cool.
> I believe that this is only a problem when the domain is fetched from
> the IP address (which happens to always be on). This can be overcome by
> specifying a 'defaultdomain' which is the same as the domain of the
> primary hostname of the machine (ie, make a default domain with the only
> user being the global admin). I'll try to find a better workaround for
> this if I can. But I would suggest that the global admin have a
> different username from the per-domain admins, ie admins: cyrus
> admin@domain1 admin@domain2 ...
Hmm. Hold on...
OK, so ... I'm confused. One of your virtual domains is going to be your real
domain. For example, I'm using 'ipom.net' (which I own) and 'kr.com' (which I
stupidly made up.. ::sigh:: and is apparently in use, but I've got all my
internal DNS set up to make sure I'm hitting my box).
So, I guess in your example, I do this:
defaultdomain: ipom.net
admins: cyrus admin@ipom.net admin@kr.com
Now, when I connect at 10.1.1.7 (mail.ipom.net), the user 'cyrus' can no
longer connect - but there IS a user 'cyrus' with domain 'ipom.net' in the
database. So how do you get global admins to work? I'm rather confused.
> Did you happen to see the following post? Option #1, if supported by
> clients, would work for both single-IP and multiple-IP configs.
>
> http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=SSL%2FTLS&msg=16940
I'm not sure I get that, I'd have to do research...
> Other than that, I can add support for a tls_cert_dir which would have
> one cert per address each using the domain as the name, ie
> oceana.com.crt
I think this is an optimal (and probably very easy to code?) solution. I know
that Courier IMAPd does it by IP address (i.e. 10.1.1.7.cert). On the one
hand that would alleviate an extra DNS lookup, on the other it's a huge pain if
you ever re-IP your network.
> The addition of per-service config files, was my first "poor-man's"
> virtdomains implementation. You were the first one to take the ball and
> run with it! ;)
Actually this guy Kevin did that. Then he told me about it, and I documented
it. I think it's the optimal solution for very robust virtual hosting.
> Additions OTH (I still think your solution is a good and viable one):
>
> - Less administration (one config file, one set of databases)
> - Works with Murder
Murder - never used it. What is it again... allows you to have a cluster of
cyrus boxes, if I recall correctly?
The question is now... does EITHER of the solutions work with sieve? I think I
remember you putting off doing the sieve part of your solution... but I think
my solution may already work with sieve.
I've never used sieve, so I don't know...
> Thanks again! If this ends up anywhere close to a one-size-fits-all
> solution, its because of the great input that I received from the list.
And thanks to you for putting time into coding something you never plan on using!
--
Phil Dibowitz phil@ipom.com
Freeware and Technical Pages Insanity Palace of Metallica
http://home.earthlink.net/~jaymzh666/ http://www.ipom.com/
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759
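The following is an added example, not code from Cyrus IMAP or from either poster. It models the login-name rules as Ken describes them in the quoted text: an unqualified login takes the domain of the server address it connected to (looked up from the IP), except when that domain equals 'defaultdomain', in which case the user stays unqualified and can match a bare 'cyrus' in the 'admins' list. The IP-to-domain table and the mailbox names are constructed, and the function names (canonical_user, is_admin, can_access) are hypothetical; the scope rule in can_access (global admins everywhere, per-domain admins only in their own domain) is the intended behaviour, not a claim about how the bug Ken mentions actually manifests.

```python
"""Model of virtdomains login canonicalisation and admin scoping.

Added example, not Cyrus code. Rules encoded:
  * a login already containing '@' is used as-is;
  * an unqualified login is given the domain the connected IP maps to,
    unless that domain is the defaultdomain, in which case it stays bare;
  * admin rights are a membership test against the 'admins' list;
  * a bare (global) admin may touch any mailbox, a qualified admin only
    mailboxes in its own domain.
"""
from typing import Iterable, Optional

# Constructed reverse-lookup table standing in for the DNS the server would
# query for the local address of the connection.
IP_TO_DOMAIN = {
    "10.1.1.7": "ipom.net",   # mail.ipom.net, the real domain
    "10.1.1.8": "kr.com",     # the made-up second virtual domain
}

# The 'admins:' line from the thread, split into a list.
ADMINS = ["cyrus", "admin@ipom.net", "admin@kr.com"]


def canonical_user(login: str, local_ip: str,
                   defaultdomain: Optional[str] = None) -> str:
    """Return the name the server would look up for this login."""
    if "@" in login:
        return login
    domain = IP_TO_DOMAIN.get(local_ip)
    if domain is None or domain == defaultdomain:
        # Default domain (or unknown address): user stays unqualified,
        # so a bare 'cyrus' can still match the global admin entry.
        return login
    return f"{login}@{domain}"


def is_admin(login: str, local_ip: str, admins: Iterable[str],
             defaultdomain: Optional[str] = None) -> bool:
    """Is this connection's canonical user in the admins list?"""
    return canonical_user(login, local_ip, defaultdomain) in set(admins)


def mailbox_domain(mailbox: str, defaultdomain: Optional[str]) -> Optional[str]:
    """Domain a mailbox belongs to; unqualified mailboxes are in defaultdomain."""
    return mailbox.rsplit("@", 1)[1] if "@" in mailbox else defaultdomain


def can_access(admin_user: str, mailbox: str,
               defaultdomain: Optional[str] = None) -> bool:
    """Intended cross-domain rule: global admins everywhere, domain admins
    only inside their own domain."""
    if "@" not in admin_user:
        return True                                   # global admin
    admin_dom = admin_user.rsplit("@", 1)[1]
    return mailbox_domain(mailbox, defaultdomain) == admin_dom


if __name__ == "__main__":
    # Phil's observation: without a defaultdomain, 'cyrus' at 10.1.1.7
    # becomes 'cyrus@ipom.net' and no longer matches the global admin.
    print(canonical_user("cyrus", "10.1.1.7"),
          is_admin("cyrus", "10.1.1.7", ADMINS))
    # Ken's workaround: defaultdomain = ipom.net keeps 'cyrus' bare.
    print(canonical_user("cyrus", "10.1.1.7", "ipom.net"),
          is_admin("cyrus", "10.1.1.7", ADMINS, "ipom.net"))
    # Per-domain admin connecting to the kr.com address.
    print(canonical_user("admin", "10.1.1.8", "ipom.net"),
          can_access("admin@kr.com", "bob@ipom.net", "ipom.net"))
```

Run as a script to see the two cases Phil and Ken disagree about side by side; the first line shows why the bare 'cyrus' login fails with no defaultdomain, the second why setting defaultdomain to the real domain restores it.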