
List:       info-cyrus
Subject:    Re: My Take on Virtdomains so far
From:       Ken Murchison <ken () oceana ! com>
Date:       2002-08-24 13:19:08

Quoting Phil Dibowitz <phil@ipom.com>:

> Ken Murchison wrote:
> 
> > I believe that this is only a problem when the domain is fetched from
> > the IP address (which happens to always be on).  This can be overcome by
> > specifying a 'defaultdomain' which is the same as the domain of the
> > primary hostname of the machine (ie, make a default domain with the only
> > user being the global admin).  I'll try to find a better workaround for
> > this if I can.  But I would suggest that the global admin have a
> > different username from the per-domain admins, ie admins: cyrus
> > admin@domain1 admin@domain2 ...
> 
> Hmm. Hold on...
> 
> OK, so ... I'm confused. One of your virtual domains is going to be your real
> domain. For example, I'm using 'ipom.net' (which I own) and 'kr.com' (which I
> stupidly made up.. ::sigh:: and is apparently in use, but I've got all my
> internal DNS setup to make sure I'm hitting my box).
> 
> So, I guess in your example, I do this:
> defaultdomain: ipom.net
> admins: cyrus admin@ipom.net admin@kr.com
> 
> Now, when I connect at 10.1.1.7 (mail.ipom.net), the user 'cyrus' can no 
> longer connect - but there IS a user 'cyrus' with domain 'ipom.net' in the 
> database. So how do you get global admins to work? I'm rather confused.

OK, this is complicated (unless you have a good understanding of the code and 
SASL).

First off, the global admin really is just the admin for the default domain.  
In other words, you can't have a global admin without a default domain, and you 
can't have an admin restricted to only the default domain.  The global aspect 
is a side-effect that I allow.

Second, any users in the default domain must have their entries in the 
authentication database fully qualified with the hostname of the server (ie, 
the entries you'd get _without_ specifying -u to saslpasswd2).

So, what this means is two things:

1.  Once you've created a non-default domain, you can't make it the default one 
very easily.  To do this, you'd have to rename ALL of the mailboxes and change 
all of the users' entries in the authentication database.

2.  If you want to have a global admin, you should make a defaultdomain 
equivalent to the domain of the primary hostname of the server, ie the "real" 
domain.

Hopefully this makes it slightly less fuzzy.  I'll try to clear this up in the 
documentation.


> > Did you happen to see the following post?  Option #1, if supported by
> > clients, would work for both single-IP and multiple-IP configs.
> >
> > http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=SSL%2FTLS&msg=16940
> 
> I'm not sure I get that, I'd have to do research...
> 
> 
> > Other than that, I can add support for a tls_cert_dir which would have
> > one cert per address each using the domain as the name, ie
> > oceana.com.crt
> 
> I think this is an optimal (and probably very easy to code?) solution. I know
> that Courier IMAPd does it by IP address (i.e. 10.1.1.7.cert). On the one
> hand that would alleviate an extra DNS lookup, on the other it's a huge pain
> if you ever re-IP your network.

I have to do the reverse lookup anyways, so this is no more work.  I think 
people are far less likely to change the domain name than the IP address.

My question is, do people also use a separate key file per-domain?

> > The addition of per-service config files, was my first "poor-man's"
> > virtdomains implementation.  You were the first one to take the ball and
> > run with it!  ;)
> 
> Actually this guy Kevin did that. Then he told me about it, and I documented
> it. I think it's the optimal solution for very robust virtual hosting.
> 
> 
> > Additions OTH (I still think your solution is good and viable one):
> > 
> >     - Less administration (one config file, one set of databases)
> >     - Works with Murder
> 
> Murder - never used it. What is it again... allows you to have a cluster of
> cyrus boxes, if I recall correctly?

Yes.  A cluster of servers which use a unified mailbox namespace.  People had 
some pretty creative uses for Murder with virtdomains.


> The question is now... do EITHER of the solutions work with sieve. I think I
> remember you putting off doing the sieve part of your solution... but I think
> my solution may already work with sieve.
> 
> I've never used sieve, so I don't know...

My solution works just fine with sieve.


-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
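An added example, not code from the thread or from Cyrus: a small Python lint that encodes the two rules Ken states above (an unqualified admin needs a defaultdomain, and that defaultdomain should match the server's primary hostname), plus the saslpasswd2 argument shape per user. The imapd.conf fragment and hostname are constructed from the values quoted in the thread; the saslpasswd2 flags (-c, -u) and their meaning are assumptions.

```python
# Added example (not from this thread): a lint for the virtdomains rules
# described above, applied to an imapd.conf fragment. The sample config and
# hostname are constructed from the values quoted in the thread.

SAMPLE_CONF = """\
# constructed imapd.conf fragment
defaultdomain: ipom.net
admins: cyrus admin@ipom.net admin@kr.com
"""


def parse_imapd_conf(text):
    """Parse 'key: value' lines into a dict; blank lines and comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def check_virtdomains(conf, hostname):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    admins = conf.get("admins", "").split()
    default = conf.get("defaultdomain", "")
    # Rule 1: an unqualified ("global") admin is really the default-domain
    # admin, so it cannot exist without a defaultdomain.
    unqualified = [a for a in admins if "@" not in a]
    if unqualified and not default:
        problems.append(f"unqualified admins {unqualified} need a defaultdomain")
    # Rule 2: the default domain should be the domain of the primary hostname,
    # because default-domain users live under that hostname in the SASL db.
    host_domain = hostname.partition(".")[2]
    if default and default.lower() != host_domain.lower():
        problems.append(f"defaultdomain {default!r} != host domain {host_domain!r}")
    return problems


def saslpasswd2_args(user, conf):
    """Argument list for creating a user's SASL entry (assumed: -c creates the
    entry, -u sets the realm; default-domain users get no -u, as stated above)."""
    local, _, domain = user.partition("@")
    if not domain or domain == conf.get("defaultdomain", ""):
        return ["saslpasswd2", "-c", local]
    return ["saslpasswd2", "-c", "-u", domain, local]
```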