Cyrus IMAP server and multiple SSL certificates

From lxadm | Linux administration tips, tutorials, HOWTOs and articles

If you ever wanted to use your Cyrus IMAP server with multiple SSL certificates for different domains, here is how.

List of requirements

  • separate IP for each SSL certificate
  • different domains you will use for your mail (say, example.com and example2.com)
  • separate SSL certificates for each domain


The change will involve:

  • modifying /etc/cyrus.conf
  • using an additional imapd.conf file


Modifying /etc/cyrus.conf

Previously, you had cyrmaster listening on all interfaces (as defined in the SERVICES { … } section) and therefore using a single SSL certificate:

imap            cmd="imapd -U 30" listen="imap" prefork=0 maxchild=100
imaps           cmd="imapd -s -U 30" listen="imaps" prefork=0 maxchild=100
pop3            cmd="pop3d -U 30" listen="pop3" prefork=0 maxchild=50
pop3s           cmd="pop3d -s -U 30" listen="pop3s" prefork=0 maxchild=50

You should now modify it to use different IP addresses and different imapd.conf files, where necessary – for example:

# every entry gets its own service name (names must be unique within SERVICES)

# your regular SSL certificate will be set up on localhost, external IPv4 and external IPv6 addresses:
localimap       cmd="imapd -U 30" listen="localhost:imap" prefork=0 maxchild=100
localimaps      cmd="imapd -s -U 30" listen="localhost:imaps" prefork=0 maxchild=100
localpop3       cmd="pop3d -U 30" listen="localhost:pop3" prefork=0 maxchild=50
localpop3s      cmd="pop3d -s -U 30" listen="localhost:pop3s" prefork=0 maxchild=50

ipv4imap        cmd="imapd -U 30" listen="178.63.195.102:imap" prefork=0 maxchild=100
ipv4imaps       cmd="imapd -s -U 30" listen="178.63.195.102:imaps" prefork=0 maxchild=100
ipv4pop3        cmd="pop3d -U 30" listen="178.63.195.102:pop3" prefork=0 maxchild=50
ipv4pop3s       cmd="pop3d -s -U 30" listen="178.63.195.102:pop3s" prefork=0 maxchild=50

ipv6imap        cmd="imapd -U 30" listen="[2a01:4f8:120:14c4::1111]:imap" prefork=0 maxchild=100
ipv6imaps       cmd="imapd -s -U 30" listen="[2a01:4f8:120:14c4::1111]:imaps" prefork=0 maxchild=100
ipv6pop3        cmd="pop3d -U 30" listen="[2a01:4f8:120:14c4::1111]:pop3" prefork=0 maxchild=50
ipv6pop3s       cmd="pop3d -s -U 30" listen="[2a01:4f8:120:14c4::1111]:pop3s" prefork=0 maxchild=50

# additional domain configuration goes here:
exampleimap     cmd="imapd -C /etc/imapd.example.com.conf -U 30" listen="178.63.195.100:imap" prefork=0 maxchild=100
exampleimaps    cmd="imapd -C /etc/imapd.example.com.conf -s -U 30" listen="178.63.195.100:imaps" prefork=0 maxchild=100
examplepop3     cmd="pop3d -C /etc/imapd.example.com.conf -U 30" listen="178.63.195.100:pop3" prefork=0 maxchild=50
examplepop3s    cmd="pop3d -C /etc/imapd.example.com.conf -s -U 30" listen="178.63.195.100:pop3s" prefork=0 maxchild=50

Using an additional imapd.conf file

Copy /etc/imapd.conf to /etc/imapd.example.com.conf, and modify just the directives concerning the SSL certificate:

tls_key_file: /etc/postfix/keys/mail.example.com.key
tls_cert_file: /etc/postfix/keys/mail.example.com.crt
tls_ca_file: /etc/postfix/keys/mail.example.com.bundle

That’s it! Restart Cyrus, and you should be done.
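
A check to run before restarting, as an added example that is not part of the original article: it maps every listener in cyrus.conf to the tls_cert_file of the configuration file its cmd= selects, and flags an IP address whose services would present different certificates (typically a -C left off one line). The 192.0.2.x addresses, the service names and the default certificate path are constructed sample values, and the function names are this example's own.

```python
import re
import shlex

DEFAULT_CONF = "/etc/imapd.conf"  # read when cmd= carries no -C
ARG = re.compile(r'(\w+)=("[^"]*"|\S+)')
CERT = re.compile(r"^tls_cert_file:\s*(\S+)", re.M)

def parse_services(cyrus_conf):
    """Yield (name, host, port, conf_path) for every service entry."""
    for raw in cyrus_conf.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        args = {k: v.strip('"') for k, v in ARG.findall(parts[1])} if len(parts) == 2 else {}
        if "cmd" not in args or "listen" not in args:
            continue
        argv = shlex.split(args["cmd"])
        has_c = "-C" in argv[:-1]
        conf = argv[argv.index("-C") + 1] if has_c else DEFAULT_CONF
        host, _, port = args["listen"].rpartition(":")
        yield parts[0], host or "*", port, conf  # no host = all interfaces

def audit(cyrus_conf, conf_files):
    """conf_files maps path -> imapd.conf text. Returns (certs, problems)."""
    certs, by_host, problems = {}, {}, []
    for name, host, port, conf in parse_services(cyrus_conf):
        m = CERT.search(conf_files.get(conf, ""))
        cert = m.group(1) if m else None
        if cert is None:
            problems.append(f"{name}: no tls_cert_file found via {conf}")
        certs[f"{host}:{port}"] = cert
        by_host.setdefault(host, set()).add(cert)
    for host in sorted(by_host):
        if len(by_host[host]) > 1:  # e.g. -C forgotten on one of the lines
            problems.append(f"{host}: services present different certificates")
    return certs, problems

# Constructed sample: expop3s lacks -C and falls back to the default certificate.
SAMPLE_CYRUS_CONF = '''SERVICES {
  mainimaps cmd="imapd -s -U 30" listen="192.0.2.10:imaps" prefork=0
  eximaps   cmd="imapd -C /etc/imapd.example.com.conf -s -U 30" listen="192.0.2.20:imaps"
  expop3s   cmd="pop3d -s -U 30" listen="192.0.2.20:pop3s" prefork=0
}'''
SAMPLE_FILES = {  # constructed file contents; mail.crt is a placeholder path
    "/etc/imapd.conf": "tls_cert_file: /etc/postfix/keys/mail.crt\n",
    "/etc/imapd.example.com.conf": "tls_cert_file: /etc/postfix/keys/mail.example.com.crt\n",
}

if __name__ == "__main__":
    for item in audit(SAMPLE_CYRUS_CONF, SAMPLE_FILES):
        print(item)
```

To use it on a live host, pass the text of /etc/cyrus.conf and a dictionary of the imapd.conf files it references in place of the sample values.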

For information on how to set up Postfix to use multiple certificates, see this article.