On Sat, 3 Jan 2004, Christos Soulios wrote:

> > You can do that in a model that still allows users to add an @ sign and a
> > domain to their userid.
>
> I cannot figure out how this can be achieved. And to make it clear, I will give
> an example.
>
> I have two domains, domain1.com and domain2.com, which are hosted by the hosts
> imap.domain1.com and imap.domain2.com respectively. These two servers must have
> two different certificates with cn=imap.domain1.com and cn=imap.domain2.com.
>
> When the user connects to imap.domain1.com, and long before the user
> authentication takes place, cyrus must be able to present the
> correct certificate, because most mail clients will not accept connecting
> to the imap host imap.domain1.com and being presented a certificate
> with cn=imap.otherdomain.com.

Sure. But if they are looking for a certificate for imap.otherdomain.com, why
are they connecting to imap.domain1.com? This has nothing to do with what
userid is presented.

> But how can cyrus know which is the correct certificate to
> present? Of course, not by retrieving the domain from the userid suffix.
> Then it is too late. The authentication has already taken place. In my
> opinion this must have taken place by the time the user connects. And
> then the only way for cyrus to determine the correct virtual domain is
> _only_ using the ip address of the server interface.

I don't understand why this requires denying users access via the
[EMAIL PROTECTED] login names. Yes, they get the wrong certificate. But then,
why are they connecting to the wrong interface in the first place?

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper
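One way to realise the per-interface certificate selection Christos describes, while still leaving the user@domain login form available, as an added illustration that is not from this thread or from the Cyrus project: bind one imapd service to each address in cyrus.conf and give each its own certificate via the service-name prefix in imapd.conf. The service names, certificate paths and the assumption that the two hostnames resolve to separate interface addresses on this machine are constructed for the example.

```text
# cyrus.conf (constructed example): one imapd listener per interface address.
# The listener that accepts the TCP connection is known before the TLS
# handshake, so the certificate can be fixed long before LOGIN/AUTHENTICATE.
SERVICES {
  imap1  cmd="imapd" listen="imap.domain1.com:imap" prefork=2
  imap2  cmd="imapd" listen="imap.domain2.com:imap" prefork=2
}

# imapd.conf (constructed example): options prefixed with a service name
# from cyrus.conf override the unprefixed defaults for that service only.
# Logins may still carry an @domain suffix; it is simply not what picks
# the certificate.
virtdomains: userid
defaultdomain: domain1.com

# Default certificate, used by imap1 (cn=imap.domain1.com).
tls_cert_file: /etc/ssl/certs/imap.domain1.com.pem
tls_key_file: /etc/ssl/private/imap.domain1.com.key

# Override for the imap2 listener only (cn=imap.domain2.com).
imap2_tls_cert_file: /etc/ssl/certs/imap.domain2.com.pem
imap2_tls_key_file: /etc/ssl/private/imap.domain2.com.key
```

A quick check after reloading is to open a TLS session to each hostname with a client that prints the peer certificate and confirm the CN matches the hostname that was dialled; a mismatch means the name resolves to the wrong interface, not that the userid was parsed too late.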