Joe Rhett wrote:
> 
> > I have a suggestion on this subject. What about the possibility of
> > binding a realm to a local address for cyrus (IP based vhost)? Yes,
> > authentication and named vhosts via username and realm is ideal, but
> > given that that information is usually not explicitly sent by the
> > client, if the imap server could assign the realm based on some implicit
> > information such as the IP address, then there is an answer that should
> > work while we all wait for more widespread support of SASL realms. If
> > there was a patch to do this, would it be accepted into CVS?
> 
> It does mean that you must get an SSL certificate per IP address, if using
> SSL. This would make other approaches seem better.
> 

Well, this is a little quirky. The client would have to pass their
authentication information or something to indicate their realm prior to
TLS negotiation. As I understand it, there is no real way to do this in
a named virtual host architecture.
The problem here is that the certificate contains the common name of
the mail host. To give an example of this, take a box whose default IP
realm is domain1 and whose secondary realm vhost is domain2. When a client
connects and does STARTTLS, the server does not know which realm they
are trying to use yet (since no authentication information has been
passed yet). So it passes the default certificate containing the common
name host.domain1. When the client receives this certificate, it should
reject the certificate, or at least inform the user that the certificate
is for host.domain1, not host.domain2. If you have an alternative answer
to using IP vhosts for doing SSL, I would love to hear any thoughts on
how.
--
Todd Nemanich           [EMAIL PROTECTED]

"Protecting the opulent and staging moral standard,
They expect redemption of character and self growth"
Bad Religion - Inner Logic
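The certificate check that makes Todd's scenario fail, written out as an added example (this is not code from the thread or from the Cyrus project). A TLS client, after the handshake, compares the names the server certificate is issued for against the host name it dialed; the example implements that comparison over certificate data in the shape Python's ssl.SSLSocket.getpeercert() returns, so the default certificate for host.domain1 is rejected by a client that connected to host.domain2. It also goes one step beyond the message: a single certificate whose subjectAltName lists every vhost name passes for all of them, which is one way to avoid one IP address per certificate. All certificate dictionaries below are constructed sample data; the names host.domain1 and host.domain2 are taken from the message.

```python
"""Server-certificate host name verification, illustrating the mismatch
described in the thread: a default certificate for host.domain1 presented
to a client that connected to host.domain2.

Added example, not Cyrus code. The certificate dictionaries are
constructed samples in the getpeercert() shape, not real certificates.
"""


def _dns_names(cert):
    """Return the DNS names a certificate is valid for, following RFC 6125:
    subjectAltName dNSName entries are authoritative; the subject commonName
    is consulted only when the certificate carries no dNSName SAN at all
    (the common case for certificates of the era this thread is from)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _label_matches(pattern, hostname):
    """Case-insensitive match of one presented identifier against hostname.
    A single '*' is allowed only as the entire left-most label, never matches
    more than one label, and needs at least two labels after it: so
    '*.mail.domain1' matches 'imap.mail.domain1' but not 'a.b.mail.domain1',
    and '*.com' is refused outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False  # wildcard only as the whole left-most label
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """True when cert is valid for hostname: the check a client performs after
    the TLS handshake, before trusting the server with credentials."""
    return any(_label_matches(name, hostname) for name in _dns_names(cert))


# Constructed sample certificates.
DEFAULT_CERT = {  # the box's default certificate, issued to host.domain1 only
    "subject": ((("commonName", "host.domain1"),),),
    "subjectAltName": (("DNS", "host.domain1"),),
}
MULTI_NAME_CERT = {  # one certificate listing every vhost name in its SAN
    "subject": ((("commonName", "host.domain1"),),),
    "subjectAltName": (("DNS", "host.domain1"), ("DNS", "host.domain2")),
}


def scenario():
    """Which (certificate, dialed host name) pairs verify."""
    return {
        "default cert, client dialed host.domain1": match_hostname(DEFAULT_CERT, "host.domain1"),
        "default cert, client dialed host.domain2": match_hostname(DEFAULT_CERT, "host.domain2"),
        "multi-name cert, client dialed host.domain2": match_hostname(MULTI_NAME_CERT, "host.domain2"),
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'accept' if ok else 'REJECT'}")
```

The second case is exactly the rejection Todd expects from a well-behaved client; the third shows that the per-IP constraint is a property of the certificate's name list rather than of TLS itself.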