On 2025-05-23 12:57, Aki Tuomi via dovecot wrote:
> It should work if you send cn, that should be supported. Are you sure you are sending SNI in your testing? e.g. with openssl you need to use -servername foobar to actually send SNI.
> Aki
Thanks. Yeah, I am sure. I am filtering by SNI on haproxy. My mail client is properly using SNI in TLS. Just confirmed it with Wireshark:

Extension: server_name (len=17)
    Type: server_name (0)
    Length: 17
    Server Name Indication extension
        Server Name list length: 15
        Server Name Type: host_name (0)
        Server Name length: 12
        Server Name: secret
Also on the server I see PROXY v2 packets. I set haproxy to send the AUTHORITY TLV (which contains the SNI value used by the client) and it seems dovecot still does not make use of it.

TLV: (t=2,l=12) AUTHORITY
    Type: AUTHORITY (0x02)
    Length: 12
    Value: secret

So it seems it is not supported by dovecot, or it is a bug. What do you think? Could you confirm that the AUTHORITY TLV is supported by dovecot and that this should work for sure? If this is a bug, where should I report it?
DK
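The PROXY protocol v2 header being debugged above, as an added worked example that is not part of the thread and is not dovecot's or haproxy's code: a small builder and parser for the v2 header with its TLV area, including the AUTHORITY (0x02) TLV that haproxy fills from the client's SNI. The addresses, ports and the host name `mail.example.test` are constructed placeholders; the three trailing bytes stand in for the start of the client's TLS ClientHello.

```python
import socket
import struct

# Constants from the PROXY protocol v2 specification (haproxy doc/proxy-protocol.txt).
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_ALPN = 0x01
PP2_TYPE_AUTHORITY = 0x02   # haproxy fills this from the client's TLS SNI
PP2_TYPE_NOOP = 0x04
PP2_TYPE_SSL = 0x20


def build_pp2_header(src_ip, src_port, dst_ip, dst_port, tlvs=()):
    """Build a PROXY v2 header (command PROXY, TCP over IPv4 or IPv6) plus optional TLVs."""
    fam = socket.AF_INET6 if ":" in src_ip else socket.AF_INET
    fam_proto = (0x20 if fam == socket.AF_INET6 else 0x10) | 0x01  # family nibble | STREAM
    addrs = (socket.inet_pton(fam, src_ip) + socket.inet_pton(fam, dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    tlv_bytes = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in tlvs)
    body = addrs + tlv_bytes
    # 0x21 = protocol version 2 (high nibble), command PROXY (low nibble)
    return PP2_SIGNATURE + bytes([0x21, fam_proto]) + struct.pack("!H", len(body)) + body


def parse_tlvs(buf):
    """Walk the TLV area. A TLV length that runs past the header is a malformed header,
    so it raises instead of being silently truncated."""
    tlvs, pos = {}, 0
    while pos < len(buf):
        if pos + 3 > len(buf):
            raise ValueError("truncated TLV header")
        t, length = struct.unpack("!BH", buf[pos:pos + 3])
        pos += 3
        if pos + length > len(buf):
            raise ValueError("TLV length exceeds PROXY header")
        tlvs[t] = buf[pos:pos + length]
        pos += length
    return tlvs


def parse_pp2_header(data):
    """Parse a PROXY v2 header from the start of a byte stream.
    Returns (info, remaining_bytes); remaining_bytes is the client's own data (e.g. TLS)."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if 16 + length > len(data):
        raise ValueError("truncated PROXY header")
    body, rest = data[16:16 + length], data[16 + length:]
    info = {"command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL",
            "src": None, "dst": None, "tlvs": {}, "authority": None}
    # Address block per family: AF_INET 12 bytes, AF_INET6 36 bytes. Other families
    # (UNSPEC, UNIX) are left unparsed here and their TLV area is ignored.
    family = fam_proto >> 4
    if info["command"] == "PROXY" and family in (0x1, 0x2):
        af, n = (socket.AF_INET, 4) if family == 0x1 else (socket.AF_INET6, 16)
        if len(body) < 2 * n + 4:
            raise ValueError("address block too short")
        src_ip = socket.inet_ntop(af, body[:n])
        dst_ip = socket.inet_ntop(af, body[n:2 * n])
        src_port, dst_port = struct.unpack("!HH", body[2 * n:2 * n + 4])
        info["src"], info["dst"] = (src_ip, src_port), (dst_ip, dst_port)
        info["tlvs"] = parse_tlvs(body[2 * n + 4:])
        if PP2_TYPE_AUTHORITY in info["tlvs"]:
            # The spec defines AUTHORITY as the UTF-8 host name taken from the client's SNI.
            info["authority"] = info["tlvs"][PP2_TYPE_AUTHORITY].decode("utf-8")
    return info, rest


def demo():
    """Constructed example: the header a proxy would prepend for a client at 192.0.2.10 that
    sent SNI mail.example.test (hypothetical name), followed by placeholder TLS bytes."""
    header = build_pp2_header("192.0.2.10", 51234, "198.51.100.5", 993,
                              [(PP2_TYPE_AUTHORITY, b"mail.example.test")])
    return parse_pp2_header(header + b"\x16\x03\x01")


if __name__ == "__main__":
    info, rest = demo()
    print("authority TLV:", info["authority"], "| src:", info["src"], "| client bytes:", rest)
```

Two things worth keeping in mind when reading a capture like the one above: the AUTHORITY value is just a string the proxy copies from the ClientHello, so a backend that honours it must only accept PROXY headers from the proxy's own addresses (in dovecot that is the `haproxy_trusted_networks` setting); and any TLV length that overruns the header length field is a malformed header that should abort the connection, which is why the parser above raises rather than clamping.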