List:       info-cyrus
Subject:    Re: My Take on Virtdomains so far
From:       Igor Brezac <igor () ipass ! net>
Date:       2002-08-24 16:23:09


On Sat, 24 Aug 2002, Ken Murchison wrote:

> Quoting Phil Dibowitz <phil@ipom.com>:
>
> > Ken Murchison wrote:
> >
> > > I believe that this is only a problem when the domain is fetched from
> > > the IP address (which happens to always be on).  This can be overcome by
> > > specifying a 'defaultdomain' which is the same as the domain of the
> > > primary hostname of the machine (ie, make a default domain with the only
> > > user being the global admin).  I'll try to find a better workaround for
> > > this if I can.  But I would suggest that the global admin have a
> > > different username from the per-domain admins, ie admins: cyrus
> > > admin@domain1 admin@domain2 ...
> >
> >
> > Hmm. Hold on...
> >
> > OK, so ... I'm confused. One of your virtual domains is going to be your real
> > domain. For example, I'm using 'ipom.net' (which I own) and 'kr.com' (which I
> > stupidly made up.. ::sigh:: and is apparently in use, but I've got all my
> > internal DNS set up to make sure I'm hitting my box).
> >
> > So, I guess in your example, I do this:
> > defaultdomain: ipom.net
> > admins: cyrus admin@ipom.net admin@kr.com
> >
> > Now, when I connect at 10.1.1.7 (mail.ipom.net), the user 'cyrus' can no
> > longer connect - but there IS a user 'cyrus' with domain 'ipom.net' in the
> > database. So how do you get global admins to work? I'm rather confused.
>
> OK, this is complicated (unless you have a good understanding of the code and
> SASL).
>
> First off, the global admin really is just the admin for the default domain.
> In other words, you can't have a global admin without a default domain, and you
> can't have an admin restricted to only the default domain.  The global aspect
> is a side-effect that I allow.
>
> Second, any users in the default domain must have their entries in the
> authentication database fully qualified with the hostname of the server (ie,
> the entries you'd get _without_ specifying -u to saslpasswd2).
>
> So, what this means is two things:
>
> 1.  Once you've created a non-default domain, you can't make it the default one
> very easily.  To do this, you'd have to rename ALL of the mailboxes and change
> all of the users' entries in the authentication database.
>
> 2.  If you want to have a global admin, you should make a defaultdomain
> equivalent to the domain of the primary hostname of the server, ie the "real"
> domain.
>
> Hopefully this makes it slightly less fuzzy.  I'll try to clear this up in the
> documentation.
>
>
> > > Did you happen to see the following post?  Option #1, if supported by
> > > clients, would work for both single-IP and multiple-IP configs.
> > >
> > >
> >
> http://asg.web.cmu.edu/archive/message.php?mailbox=archive.info-cyrus&searchterm=SSL%2FTLS&msg=16940
> >
> >
> > I'm not sure I get that, I'd have to do research...
> >
> >
> > > Other than that, I can add support for a tls_cert_dir which would have
> > > one cert per address each using the domain as the name, ie
> > > oceana.com.crt
> >
> >
> > I think this is an optimal (and probably very easy to code?) solution. I know
> > that Courier IMAPd does it by IP address (i.e. 10.1.1.7.cert). On the one
> > hand that would alleviate an extra DNS lookup, on the other it's a huge pain
> > if you ever re-IP your network.
>
> I have to do the reverse lookup anyways, so this is no more work.  I think
> people are far less likely to change the domain name than the IP address.
>
> My question is, do people also use a separate key file per-domain?
>

I'd use a separate key file per domain.  I think that keeping everything
in one file may create an unnecessary overhead when loading the file before
every connection.  Is it possible to keep all the keys/certs in one file?

-- 
Igor
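An added consistency check for the setup discussed in this thread (example code written for this page, not Cyrus's own code nor anything posted by Ken, Phil or Igor). It encodes Ken's points that a global admin is just the default-domain admin and that defaultdomain should match the primary hostname's domain, plus the per-domain cert layout proposed above. The tls_cert_dir layout, the <domain>.crt/<domain>.key naming, and the sample config are assumptions; the sample values (ipom.net, kr.com, mail.ipom.net) are the ones Phil uses.

```python
def parse_imapd_conf(text):
    """Parse 'key: value' lines (imapd.conf style) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def check_virtdomains(conf, primary_hostname, cert_files):
    """Return a list of findings; an empty list means the setup matches the
    thread's advice. cert_files is the set of names in the hypothetical
    tls_cert_dir (one <domain>.crt and, per Igor, one <domain>.key each)."""
    findings = []
    default = conf.get("defaultdomain", "")
    admins = conf.get("admins", "").split()
    host_domain = primary_hostname.partition(".")[2]

    # Rule 1: the global admin is just the default-domain admin, so an
    # unqualified admin such as 'cyrus' needs a defaultdomain to exist.
    if any("@" not in a for a in admins) and not default:
        findings.append("unqualified admin but no defaultdomain: no global admin possible")

    # Rule 2: defaultdomain should equal the domain of the server's primary
    # hostname (Ken's recommendation for making a global admin work).
    if default and default != host_domain:
        findings.append(f"defaultdomain {default!r} != primary hostname domain {host_domain!r}")

    # Rule 3: every domain named in admins, plus the default domain, needs
    # its own certificate and key file in the per-domain cert directory.
    domains = {a.partition("@")[2] for a in admins if "@" in a}
    if default:
        domains.add(default)
    for domain in sorted(domains):
        for ext in ("crt", "key"):
            if f"{domain}.{ext}" not in cert_files:
                findings.append(f"missing {domain}.{ext}")
    return findings


# Constructed sample using the values Phil gives in the thread.
SAMPLE_CONF = """\
virtdomains: on
defaultdomain: ipom.net
admins: cyrus admin@ipom.net admin@kr.com
"""
SAMPLE_CERTS = {"ipom.net.crt", "ipom.net.key", "kr.com.crt"}  # kr.com.key missing
```

Calling check_virtdomains(parse_imapd_conf(SAMPLE_CONF), "mail.ipom.net", SAMPLE_CERTS) reports only the missing kr.com.key, since the defaultdomain matches mail.ipom.net and 'cyrus' has a default domain to be global admin of.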
