SNI via lookup?

Stuart Henderson stu.lists at spacehopper.org
Fri Oct 8 10:32:01 EEST 2021


On 2021-10-07, Felipe Gasper <felipe at felipegasper.com> wrote:
>> On Oct 7, 2021, at 7:47 PM, Benny Pedersen <me at junc.eu> wrote:
>> 
>> https://dovecot.org/pipermail/dovecot/2013-December/094214.html
>
> SNI’s security problem is that the server name is sent unencrypted. This isn’t really of much concern for mail, though.
>
> Of note, this thread predates the wide public availability of free certificates. We already have logic that re-issues a certificate when domain configurations change; in fact, the overhead of rebuilding Dovecot’s configuration is part of what I’d like to minimize.

It also pre-dates some large mail services requiring SNI; mostly as a result
of this, client support for SNI is much better now.

One benefit of doing this is that horizontal scaling can be done by moving
entire domains to another server and repointing DNS, that way neither a
protocol-level proxy nor client config changes are needed. It's not suitable
for every mail service but there are credible reasons to use SNI here.
