Thread: Re: IP based virtual hosts domainkeys and SSL




Re: IP based virtual hosts domainkeys and SSL
Canada
2007-05-25 10:34:43
----- Original Message -----
>I'm wondering if Surgemail supports SSL with IP based virtual mail hosts
>and domain-keys (DKIM) for IP based virtual hosts.  It doesn't appear so.

Yes it does.

>Surgemail would need to allow us to specify a key/cert (PEM) file for
>each IP based virtual host.  Then when a domain sender sends mail from
>that domain, it would use the appropriate key.
>
>The same thing goes for IP based virtual host SSL connections.  ie:
>When a user connects to SSL based pop on port 995 or uses TLS, Surgemail
>would use the appropriate key from the IP based virtual host.
>
>Possible?  Right now it doesn't seem to fit well for those of us that
>host multiple domains that want DKIM and SSL support as the domain
>hosts/IP's won't match the keys/cert pairs.

I just checked my configuration. It certainly seems to. Are you running a
recent version or still an older one?

=================================
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog: http://mail.cnc.bc.ca/blogs/gagel

-------------------------------------------------------------------
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
-------------------------------------------------------------------


Re: IP based virtual hosts domainkeys and SSL
United States
2007-05-25 11:12:54
Kevin W. Gagel wrote:
> I just checked my configuration. It certainly seems to. Are you running a
> recent version or still an older one?


I have a recent one yes, and it does appear to support SSL certs per IP
virtual host and I have that working.  But... with a few caveats that
need to be addressed.

Maybe not *ALL* IP based virtual hosts want to have SSL.  So there
should be an option per domain to disable SSL.  This would mean that no
certificate would be checked/created and that all the TLS offerings in
protocol headers would be turned off, and if possible, the option to not
even open socket listeners on ports 993, 995 and 465 for those IP based
virtual hosts.  (the latter not the biggest problem)  But the disabling
of SSL per host is needed when you have a ton of ISP IP based virtual hosts.

Another issue is how exactly these IP based virtual hosts handle DKIM
message signing.  According to DK, the public key is published in the
sending domain's DNS.  So what happens when you have multiple servers or
a url_host of "mail.isp123.net"?  The key/cert pair's name will be of
that host, and not of "isp123.net".  While using url_host for web
interface URL's and SSL to servers might be ok, it might not really work
for DKIM as the domain-key/name might not always match the actual mail
server host.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor(inoc.net|gmail.com)
PGP: 0x66F90BFC  http://pgp.mit.edu
Key fingerprint = 6296 F715 038B 44C1 2720  292A 8580 500E 66F9 0BFC

Meets quality standards:  Compiles without errors.
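
Added example, not part of the original posts and not Surgemail code: under the DKIM specification (RFC 6376) a verifier fetches the public key from a DNS TXT record named from the signature's s= (selector) and d= (signing domain) tags, so the name of the server that relayed the message does not enter the lookup. The sample message, the selector sel1 and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: mail for isp123.net relayed by the host mail.isp123.net.
SAMPLE = (
    "Received: from mail.isp123.net (mail.isp123.net [192.0.2.10])\n"
    "\tby mx.example.org; Fri, 25 May 2007 11:12:54 -0400\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=isp123.net;\n"
    "\ts=sel1; h=from:to:subject;\n"
    "\tbh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=\n"
    "From: Alice <alice@isp123.net>\n"
    "To: bob@example.org\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def parse_dkim_tags(value):
    """Split a (possibly folded) DKIM-Signature value into tag=value pairs."""
    tags = {}
    for part in re.sub(r"\r?\n[ \t]+", " ", value).split(";"):
        name, sep, val = part.partition("=")
        if sep:
            # Whitespace inside tag values is not significant for these tags.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_lookup(raw_message):
    """Return the DNS name a verifier queries and whether d= covers From."""
    msg = message_from_string(raw_message)
    tags = parse_dkim_tags(msg["DKIM-Signature"] or "")
    if "d" not in tags or "s" not in tags:
        raise ValueError("no usable DKIM-Signature (d= and s= are required)")
    d = tags["d"].lower()
    from_dom = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    return {
        "dns_txt_name": f"{tags['s']}._domainkey.{d}",
        "signing_domain": d,
        "from_domain": from_dom,
        # True when From is the signing domain itself or a subdomain of it.
        "d_covers_from": from_dom == d or from_dom.endswith("." + d),
    }

if __name__ == "__main__":
    print(key_lookup(SAMPLE))
```

The TLS certificate is a separate check: a client compares it against the host name it connected to (here mail.isp123.net), which is why the two names can differ on the same server.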

