Thank you for the information, Joel, very helpful! We've started doing the exact same thing actually, with good ol' ssl_certificate_by_lua, until we realized this wouldn't work with STARTTLS/STLS.

We'd like that to work though and we can't seem to find a solution if Dovecot can't smoothly handle SNI at scale.

--
Pierre Allétru
06 70 55 08 35
pierre.alletru@gmail.com

On Thu, 3 Nov 2022, 14:32, Joel A. Chornik <joel.chornik@gmail.com> wrote:
What we do is have OpenResty (nginx) sit as a reverse proxy on top of Dovecot, and use Lua to dynamically load certificates using SNI.

We have a large userbase (100k+) and it works without issues, except that it does not work with STARTTLS, only IMAP+TLS. It has not been an issue, as we set up users using autodiscover/autoconfig, or as a fallback it is the default config in most user agents.

Hope it helps
Joel Chornik

>
> On 3 Nov 2022, at 10:24, Pierre Allétru <pierre.alletru@gmail.com> wrote:
>
> Pierre Allétru
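
The setup described in this thread, sketched as an added example that is not the posters' configuration: an OpenResty `stream` server that terminates implicit TLS on port 993 and selects the certificate from the SNI name in `ssl_certificate_by_lua_block`. The file layout under `/etc/ssl/mail/`, the upstream address and the fallback certificate are assumptions.

```nginx
# Added example; all paths and addresses below are assumptions.
stream {
    upstream dovecot_imap {
        server 127.0.0.1:143;    # assumed: Dovecot IMAP listener on loopback
    }

    server {
        listen 993 ssl;          # implicit TLS: SNI arrives in the ClientHello

        # Fallback pair (nginx requires one); served when no per-domain cert exists
        ssl_certificate     /etc/ssl/mail/default.crt;
        ssl_certificate_key /etc/ssl/mail/default.key;

        ssl_certificate_by_lua_block {
            local ssl = require "ngx.ssl"

            -- Blocking read for brevity; at scale, cache the parsed objects
            local function read_file(path)
                local f = io.open(path, "rb")
                if not f then return nil end
                local data = f:read("*a")
                f:close()
                return data
            end

            local name = ssl.server_name()
            -- SNI is client-controlled and ends up in a file path:
            -- accept hostname characters only and reject ".." sequences
            if not name or not name:match("^[%w%.%-]+$")
               or name:find("..", 1, true) then
                return           -- keep the fallback certificate
            end
            name = name:lower()

            local dir = "/etc/ssl/mail/" .. name
            local cert_pem = read_file(dir .. "/fullchain.pem")
            local key_pem  = read_file(dir .. "/privkey.pem")
            if not cert_pem or not key_pem then return end

            local cert = ssl.parse_pem_cert(cert_pem)
            local key  = ssl.parse_pem_priv_key(key_pem)
            if not cert or not key then return end

            -- Replace the fallback pair; abort the handshake on a half-set state
            if not ssl.clear_certs() then return ngx.exit(ngx.ERROR) end
            if not ssl.set_cert(cert) or not ssl.set_priv_key(key) then
                return ngx.exit(ngx.ERROR)
            end
        }

        proxy_pass dovecot_imap;
    }
}
```

The certificate hook only runs when TLS starts at connect time. With STARTTLS the session opens in cleartext and the upgrade is negotiated inside the mail protocol, which a stream-level TLS terminator does not speak.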