It's not possible at that level, which is what I was saying.

The best way is to have the client log into a single hostname with a single
IP (and single matching certificate) but provide domain information during
the login.

The second, non-scalable approach is a different configuration per IP
address, which is now supported, but doesn't scale due to the cost of IPs,
the cost of certificates, etc.

On Fri, May 04, 2001 at 02:03:30PM -0400, Todd Nemanich wrote:
> Joe Rhett wrote:
> > 
> > > I have a suggestion on this subject. What about the possibility of
> > > binding a realm to a local address for cyrus (IP based vhost)? Yes,
> > > authentication and named vhosts via username and realm is ideal, but
> > > given that that information is usually not explicitly sent by the
> > > client, if the imap server could assign the realm based on some implicit
> > > information such as the IP address, then there is an answer that should
> > > work while we all wait for more widespread support of SASL realms. If
> > > there was a patch to do this, would it be accepted into CVS?
> > 
> > It does mean that you must get an SSL certificate per IP address, if using
> > SSL. This would make other approaches seem better.
> > 
> 
> Well, this is a little quirky. The client would have to pass their
> authentication information or something to indicate their realm prior to
> TLS negotiation. As I understand it, there is no real way to do this in
> a named virtual host architecture.
> The problem here is that the certificate contains the common name of
> the mail host. To give an example of this, take a box whose default IP
> realm domain1 and a secondary realm vhost is domain2. When a client
> connects and does STARTTLS, the server does not know which realm they
> are trying to use yet (since no authentication information has been
> passed yet). So it passes the default certificate containing the common
> name host.domain1. When the client receives this certificate, it should
> reject the certificate, or at least inform the user that the certificate
> is for host.domain1, not host.domain2. If you have an alternative answer
> to using IP vhosts for doing SSL, I would love to hear any thoughts on
> how.
> --
> Todd Nemanich         [EMAIL PROTECTED]
> 
> "Protecting the opulent and staging moral standard,
> They expect redemption of character and self growth"
> Bad Religion - Inner Logic

-- 
Joe Rhett                                         Chief Technology Officer
[EMAIL PROTECTED]                                      ISite Services, Inc.

PGP keys and contact information:          http://www.noc.isite.net/Staff/
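To make the certificate mismatch Todd describes concrete, and to show why the single-hostname approach above sidesteps it, here is an added example (not code from this thread or from Cyrus) of the client-side hostname check a correct mail client performs after STARTTLS. The certificates are constructed dicts in the shape Python's `ssl` module returns from `getpeercert()`; `imap.example.test` is an assumed name for the shared login host.

```python
"""Client-side hostname check for the IMAP STARTTLS vhost problem.

Added example, not code from the thread. The host.domain1 / host.domain2
names come from the thread; imap.example.test is an assumed shared host.
"""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name; only a whole leftmost '*' label is a wildcard."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard covers exactly one label, so label counts must agree.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname.

    subjectAltName DNS entries take precedence; the commonName is only
    consulted when the certificate carries no subjectAltName at all.
    """
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return any(_name_matches(n, hostname) for n in san)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, hostname) for n in cns)


# Constructed: the default certificate the server sends on STARTTLS
# before it knows which realm the client wants.
DEFAULT_CERT = {
    "subject": ((("commonName", "host.domain1"),),),
    "subjectAltName": (("DNS", "host.domain1"),),
}
# Constructed: one certificate for the single shared hostname that clients
# of every realm log into, supplying their domain at login time instead.
SHARED_CERT = {
    "subject": ((("commonName", "imap.example.test"),),),
    "subjectAltName": (("DNS", "imap.example.test"),),
}


def starttls_outcomes() -> dict:
    """Would a correct client accept the certificate it is handed?"""
    return {
        "default cert, client expects host.domain1": cert_matches_host(DEFAULT_CERT, "host.domain1"),
        "default cert, client expects host.domain2": cert_matches_host(DEFAULT_CERT, "host.domain2"),
        "shared cert, every realm uses imap.example.test": cert_matches_host(SHARED_CERT, "imap.example.test"),
    }
```

The second entry is the domain2 user's rejection; the third is why one hostname with one certificate needs no per-IP certificates.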
