TLS communication director -> backend with X.509 cert checks?

Timo Sirainen tss at iki.fi
Mon Oct 19 11:06:06 UTC 2015


> On 15 Oct 2015, at 00:28, Heiko Schlittermann <hs at schlittermann.de> wrote:
> 
> Hi Timo
> 
> Heiko Schlittermann <hs at schlittermann.de> (Mi 14 Okt 2015 01:10:20 CEST):
>>> Ah, the information comes from the other director running. The other one
>> is using an unpatched version of dovecot.
> 
> Your patch for backend-certificate verification works. Thank you for the
> good and fast work. Is there any chance that this will make it into
> Dovecot's next release?

Implemented also support for sending the hostname within director ring:

http://hg.dovecot.org/dovecot-2.2/rev/8e9cada0c8fc
http://hg.dovecot.org/dovecot-2.2/rev/7f718c840aff
http://hg.dovecot.org/dovecot-2.2/rev/5876ca2d63fb

Although it's not possible right now to add hostname using "doveadm director add", so that probably needs to be implemented at some point.

> BTW: The ambiguity of 2001:db8::9090 remains. Shouldn't you allow
> [2001:db8::]¹ resp [2001:db8::9090]¹ resp. [2001:db8::]:9090² for such
> cases? (In case one wants to use IPv6 addresses instead of hostnames in
> the director_servers option. (And probably in other places too.))

http://hg.dovecot.org/dovecot-2.2/rev/c5c34c02fda3
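
Added example, not part of the original message and not Dovecot's code or the behaviour of the changeset linked above: a strict host[:port] parser that follows the bracket convention proposed in the quoted question and flags an unbracketed IPv6 address whose last group could have been meant as a port. The function name `parse_host_port`, the `HP_*` result codes and the accepted grammar are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes: HP_PORTLIKE = valid bare IPv6 address whose
   last group is also a valid decimal port (worth a config warning). */
enum { HP_ERROR = -1, HP_OK = 0, HP_PORTLIKE = 1 };

/* Decimal port 1..65535, or 0 if s is not one. */
static unsigned int parse_port(const char *s)
{
    char *end;
    unsigned long v;

    if (*s < '0' || *s > '9') return 0;
    v = strtoul(s, &end, 10);
    return (*end == '\0' && v >= 1 && v <= 65535) ? (unsigned int)v : 0;
}

/* Accepts host, host:port, v6addr, [v6addr] and [v6addr]:port.
   host receives the name or address without brackets; *port is 0 if absent. */
int parse_host_port(const char *in, char *host, size_t size, unsigned int *port)
{
    struct in6_addr a6;
    const char *first = strchr(in, ':'), *last = strrchr(in, ':'), *end;
    size_t len;

    *port = 0;
    if (*in == '[') {
        /* Brackets delimit the address, so a following ":port" is unambiguous. */
        if ((end = strchr(in, ']')) == NULL) return HP_ERROR;
        len = (size_t)(end - in) - 1;
        if (len == 0 || len >= size) return HP_ERROR;
        memcpy(host, in + 1, len);
        host[len] = '\0';
        if (inet_pton(AF_INET6, host, &a6) != 1) return HP_ERROR;
        if (end[1] == '\0') return HP_OK;
        return (end[1] == ':' && (*port = parse_port(end + 2)) != 0) ? HP_OK : HP_ERROR;
    }
    if (first != last) {
        /* Two or more colons without brackets: the whole string must be an
           address; never split a port off it. */
        if (strlen(in) >= size || inet_pton(AF_INET6, in, &a6) != 1) return HP_ERROR;
        strcpy(host, in);
        return parse_port(last + 1) != 0 ? HP_PORTLIKE : HP_OK;
    }
    len = last != NULL ? (size_t)(last - in) : strlen(in);
    if (len == 0 || len >= size) return HP_ERROR;
    memcpy(host, in, len);
    host[len] = '\0';
    if (last != NULL && (*port = parse_port(last + 1)) == 0) return HP_ERROR;
    return HP_OK;
}
```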


