SNI via lookup?

Stuart Henderson stu.lists at
Fri Oct 8 10:32:01 EEST 2021

On 2021-10-07, Felipe Gasper <felipe at> wrote:
>> On Oct 7, 2021, at 7:47 PM, Benny Pedersen <me at> wrote:
> SNI’s security problem is that the server name is sent unencrypted. This isn’t really of much concern for mail, though.
> Of note, this thread predates the wide public availability of free certificates. We already have logic that re-issues a certificate when domain configurations change; in fact, the overhead of rebuilding Dovecot’s configuration is part of what I’d like to minimize.

It also pre-dates some large mail services requiring SNI; mostly as a result
of this, client support for SNI is much better now.

One benefit of doing this is that horizontal scaling can be done by moving
entire domains to another server and repointing DNS, that way neither a
protocol-level proxy nor client config changes are needed. It's not suitable
for every mail service but there are credible reasons to use SNI here.
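The "server name is sent unencrypted" point above is easy to see on the wire. The following is an added example, not code from this thread or from Dovecot: it builds a constructed TLS 1.2 ClientHello carrying an SNI extension and then parses it back out the way a passive tap, load balancer or log-enrichment step would. The host name `mail.example.com` and the two cipher suites are assumed sample values; the parser follows the ClientHello layout from RFC 5246 and the server_name extension from RFC 6066.

```python
"""Extract the Server Name Indication (SNI) from a raw TLS ClientHello.

Added example for the dovecot list thread, not project code. The ClientHello
bytes are constructed inline so the whole thing runs offline.
"""
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000   # extension type for server_name (RFC 6066)
HOST_NAME_TYPE = 0x00      # only name type defined for server_name


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed, not captured)."""
    client_random = b"\x11" * 32                       # fixed sample randomness
    cipher_suites = b"\x13\x01\xc0\x2f"                # two assumed suites
    body = b"\x03\x03" + client_random + b"\x00"       # version, random, empty session id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                                # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type=ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name from a TLS ClientHello record, or None.

    Every length field is bounds-checked so truncated or non-TLS input
    yields None instead of an exception.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                                     # not a handshake record
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                     # not a ClientHello
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) < body_len:
        return None
    pos = 2 + 32                                        # skip client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != EXT_SERVER_NAME or len(ext_data) < 2:
            continue
        list_len = struct.unpack("!H", ext_data[:2])[0]
        names = ext_data[2:2 + list_len]
        p = 0
        while p + 3 <= len(names):
            name_type = names[p]
            name_len = struct.unpack("!H", names[p + 1:p + 3])[0]
            p += 3
            name = names[p:p + name_len]
            p += name_len
            if name_type == HOST_NAME_TYPE and len(name) == name_len:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


if __name__ == "__main__":
    hello = build_client_hello("mail.example.com")
    print(extract_sni(hello))            # mail.example.com
    print(extract_sni(build_client_hello(None)))   # None
```

Because the name is readable before any key exchange, a front-end can route a connection to whichever server currently hosts that domain, which is the same property that lets whole domains be moved between servers behind a DNS change; the flip side is that anyone on the path sees which mail domain a client is connecting to, so the extracted name is also useful for connection logging and anomaly checks on your own edge.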
