On 26. Feb 2025, at 18.27, Julius Kriukas via dovecot <dovecot@dovecot.org> wrote:
Hello everyone.
We are testing out Dovecot 2.4.0 and noticed a regression in how the local_name filter with multiple space-separated host names works. For example, having the following dovecot.conf:

...
ssl_server_cert_file = /etc/dovecot/global.cert
ssl_server_key_file = /etc/dovecot/global.key
ssl_server_dh_file = /etc/dovecot/dh.pem
...
local_name "server.example.com mail.example.com" {
  ssl_server_cert_file = /etc/dovecot/example.com.cert
  ssl_server_key_file = /etc/dovecot/example.com.key
}

I had completely forgotten that there was such a feature. Looks like it was added by:

commit fb13dfaa903c5efb492e993888aa444138001e8e
Author: J. Nick Koston <nick@cpanel.net>
Date: Thu Dec 1 01:38:02 2016 -0600

    config: Match multiple names in local_name

    This can significantly reduce memory usage when using
    a UCC certificate with multiple names by only loading
    the certificate and key once.

I don't think there is much of a benefit anymore with v2.4, since the certificate and keys are accessed via an mmap()ed binary config file. So although the cert/key are duplicated there, that happens only once per server, not once per process.
I don't think this syntax was even documented anywhere?
The doveconf tool thinks the example configuration should work, hinting that this is likely to be a bug. Example:

# doveconf -f local_name=mail.example.com ssl_server
ssl_server {
  cert_file = /etc/dovecot/example.com.cert
  dh_file = /etc/dovecot/dh.pem
  key_file = /etc/dovecot/example.com.key
}

This is also somewhat accidental, because I preserved this filtering code.
Any confirmation if this is really a bug, or maybe an intended configuration syntax change (to force repeating the local_name blocks for each hostname) would be really appreciated. Thanks.
Seems like just extra complexity to me with an ugly syntax. Unless someone convinces me otherwise, I think I'll just remove all traces of it.