lazy-load SNI?

Arkadiusz Miśkiewicz arekm at maven.pl
Fri Nov 11 10:22:50 UTC 2016


On Friday 11 of November 2016, Felipe Gasper wrote:
> Hello,
> 
> 	We’re rolling out large SNI deployments for our mail servers. Each domain
> gets an entry like this in the config:
> 
> local_name mail.foo.com {
>     ssl_cert = </ssl/domain_tls/*.foo.com/combined
>     ssl_key = </ssl/domain_tls/*.foo.com/combined
> }

Lack of glob/regexp support here is also a problem (for me). I could have 50% 
smaller config if local_name supported regexp matching, so it would be 
possible to do:

local_name ^(pop3|imap)\.foo\.com {
...
}

or even with glob like *.foo.com matching.

> 
> 	There are a couple problems we’re finding with this approach:
> 
> 1) Dovecot wants to load everything at once, which has some machines taking
> up many GiB of memory just for Dovecot. Is there any way to defer loading
> of an SSL cert until a client actually requests it?

No - thread here http://www.dovecot.org/list/dovecot/2016-October/105855.html

Memory is one thing.

The other is that dovecot stops accepting clients when huge config reload 
happens (I guess it's a design problem since it makes no sense to do that in 
any case. Clients should be processed without gap using old config until new 
config is loaded and ready to go).

And third problem is that there is hardcoded 10s limit for reloading which in 
case thousands of certificates is way too short limit. Anyway if you hit that 
limit it's already lost case due to earlier problem.

> 
> 2) Any time we add or remove a domain, Dovecot’s SNI config matrix needs to
> be rebuilt. Is there a way to handle SNI requests dynamically via some
> sort of configuration plugin, so we wouldn’t need to rebuild the config on
> domain add/remove? I looked through the docs but couldn’t see a way to do
> this.

That's unavoidable for now :-(

Here we started analyzing maillog and put into dovecot config only these ssl 
certs for domains that are actually used with TLS. It's very ugly and short-
sighted approach but hopefuly proper solution will be implemented by dovecot 
team before all people start to use TLS.
 
> 	Thank you in advance!
> 
> -Felipe Gasper
> Mississauga, ON


-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


More information about the dovecot mailing list