Thank you for the information, Joel, very helpful! We've started doing the exact same thing actually, with good ol' ssl_certificate_by_lua, until we realized this wouldn't work with STARTTLS/STLS.
We'd like that to work though and we can't seem to find a solution if Dovecot can't smoothly handle SNI at scale.
-- Pierre Allétru 06 70 55 08 35 pierre.alletru@gmail.com
On Thu, 3 Nov 2022, 14:32, Joel A. Chornik joel.chornik@gmail.com wrote:
What we do is have OpenResty (nginx) sit as a reverse proxy on top of Dovecot, and use Lua to dynamically load certificates using SNI.
We have a large userbase (100k+) and it works without issues, except that it does not work with STARTTLS, only IMAP+TLS. It has not been an issue, as we set up users using autodiscover/autoconfig, or as a fallback it is the default config in most user agents.
Hope it helps,
Joel Chornik
On 3 Nov 2022, at 10:24, Pierre Allétru pierre.alletru@gmail.com wrote:
Pierre Allétru