On Oct 7, 2021, at 7:47 PM, Benny Pedersen me@junc.eu wrote:
On 2021-10-08 00:37, Felipe Gasper wrote:
Dovecot call out to some external service to fetch a given domain’s certificate. sni is something no one needs, your server name is not changing if you got a new custommer Rest assured, it’s of great use to us.
complexity cost nothing maybe
Enh, we already have the complexity because of web hosting. It’s not much more to teach Dovecot to use the certs that httpd uses.
sni is not dynamicly secure
https://dovecot.org/pipermail/dovecot/2013-December/094214.html
SNI’s security problem is that the server name is sent unencrypted. This isn’t really of much concern for mail, though.
Of note, this thread predates the wide public availability of free certificates. We already have logic that re-issues a certificate when domain configurations change; in fact, the overhead of rebuilding Dovecot’s configuration is part of what I’d like to minimize.
-FG