SNI via lookup?

Felipe Gasper felipe at
Fri Oct 8 02:55:25 EEST 2021

> On Oct 7, 2021, at 7:47 PM, Benny Pedersen <me at> wrote:
> On 2021-10-08 00:37, Felipe Gasper wrote:
>>>> Dovecot call out to some external service to fetch a given domain’s
>>>> certificate.
>>> sni is something no one needs, your server name is not changing if you got a new custommer
>> Rest assured, it’s of great use to us.
> complexity cost nothing maybe

Enh, we already have the complexity because of web hosting. It’s not much more to teach Dovecot to use the certs that httpd uses.

> sni is not dynamicly secure

SNI’s security problem is that the server name is sent unencrypted. This isn’t really of much concern for mail, though.

Of note, this thread predates the wide public availability of free certificates. We already have logic that re-issues a certificate when domain configurations change; in fact, the overhead of rebuilding Dovecot’s configuration is part of what I’d like to minimize.


More information about the dovecot mailing list