On 11.11.2016 12:22, Arkadiusz Miśkiewicz wrote:
> On Friday 11 of November 2016, Felipe Gasper wrote:
> > Hello,
> >
> > We're rolling out large SNI deployments for our mail servers. Each domain
> > gets an entry like this in the config:
> >
> > local_name mail.foo.com {
> >   ssl_cert = *.foo.com/combined
> >   ssl_key = .foo.com/combined
> > }
>
> Lack of glob/regexp support here is also a problem (for me). I could have a
> 50% smaller config if local_name supported regexp matching, so it would be
> possible to do:
>
> local_name ^(pop3|imap)\.foo\.com { ... }
>
> or even with glob like *.foo.com matching.
>
> > There are a couple of problems we're finding with this approach:
> >
> > - Dovecot wants to load everything at once, which has some machines taking
> >   up many GiB of memory just for Dovecot. Is there any way to defer loading
> >   of an SSL cert until a client actually requests it?
>
> No - thread here http://www.dovecot.org/list/dovecot/2016-October/105855.html
>
> Memory is one thing.
>
> The other is that dovecot stops accepting clients when a huge config reload
> happens (I guess it's a design problem since it makes no sense to do that in
> any case. Clients should be processed without a gap using the old config
> until the new config is loaded and ready to go).
>
> And the third problem is that there is a hardcoded 10s limit for reloading,
> which in the case of thousands of certificates is way too short a limit.
> Anyway, if you hit that limit it's already a lost case due to the earlier
> problem.
>
> > - Any time we add or remove a domain, Dovecot's SNI config matrix needs to
> >   be rebuilt. Is there a way to handle SNI requests dynamically via some
> >   sort of configuration plugin, so we wouldn't need to rebuild the config
> >   on domain add/remove? I looked through the docs but couldn't see a way
> >   to do this.
>
> That's unavoidable for now :-(
>
> Here we started analyzing maillog and put into the dovecot config only those
> ssl certs for domains that are actually used with TLS. It's a very ugly and
> short-sighted approach, but hopefully a proper solution will be implemented
> by the dovecot team before all people start to use TLS.
>
> > Thank you in advance!
> >
> > -Felipe Gasper
> > Mississauga, ON

If you are interested in testing, please find the patch attached that allows you to specify

local_name *.foo.bar { }

or

local_name *.*.foo.bar { }

so basically you can now use certificate name matching rules for local_name. It made the most sense.

This should apply cleanly to 2.2.26.0.

Aki Tuomi
Dovecot oy
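To make the wildcard rule concrete, here is an added example (not from this thread and not Dovecot's own code) that parses a handful of local_name blocks and resolves the SNI host a client sends to the block that should serve it. It models the "certificate name matching rules" Aki mentions as: each `*` stands for exactly one DNS label, comparison is case-insensitive, and an exact local_name wins over a wildcard one. Those semantics, the SAMPLE_CONFIG text, the paths in it and the function names (parse_local_name_blocks, local_name_matches, select_local_name) are all assumptions made for the illustration, since the patch itself is not quoted here; the real implementation may differ in detail.

```python
"""Added example: wildcard local_name matching modelled on certificate name rules.

Assumptions (not taken from the Dovecot patch, which is not quoted here):
  * each '*' matches exactly one DNS label, so '*.foo.bar' covers
    'mail.foo.bar' but neither 'foo.bar' nor 'a.b.foo.bar';
  * matching is case-insensitive and ignores a trailing dot;
  * an exact local_name block is preferred over a wildcard block, and among
    wildcard blocks the one with the fewest '*' labels wins.
"""
from __future__ import annotations

from typing import Optional

# Constructed sample config; the paths are placeholders, not a real deployment.
SAMPLE_CONFIG = """
# one exact block and two wildcard blocks
local_name imap.foo.bar {
  ssl_cert = </etc/ssl/imap.foo.bar.pem
  ssl_key = </etc/ssl/imap.foo.bar.key
}
local_name *.foo.bar {
  ssl_cert = </etc/ssl/wildcard.foo.bar.pem
  ssl_key = </etc/ssl/wildcard.foo.bar.key
}
local_name *.*.foo.bar {
  ssl_cert = </etc/ssl/wildcard2.foo.bar.pem
  ssl_key = </etc/ssl/wildcard2.foo.bar.key
}
"""


def parse_local_name_blocks(config_text: str) -> dict[str, dict[str, str]]:
    """Parse 'local_name NAME { key = value ... }' blocks into a dict.

    Only the flat shape shown in the thread is handled; nested sections and
    other top-level settings raise ValueError so a typo is not silently dropped.
    """
    blocks: dict[str, dict[str, str]] = {}
    current: Optional[str] = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("local_name "):
            parts = line.split()
            if len(parts) != 3 or parts[2] != "{" or current is not None:
                raise ValueError(f"malformed local_name line: {raw!r}")
            current = parts[1]
            blocks[current] = {}
        elif line == "}":
            if current is None:
                raise ValueError("unexpected '}' outside a local_name block")
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            blocks[current][key] = value
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    if current is not None:
        raise ValueError(f"unterminated local_name block: {current}")
    return blocks


def _labels(name: str) -> list[str]:
    """Split a host name into lower-cased DNS labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def local_name_matches(pattern: str, sni_host: str) -> bool:
    """True if the local_name value 'pattern' covers 'sni_host'."""
    if not sni_host or "*" in sni_host:  # a client may not send wildcards
        return False
    pat, host = _labels(pattern), _labels(sni_host)
    if len(pat) != len(host):  # '*' never spans more (or fewer) than one label
        return False
    return all(p == "*" or p == h for p, h in zip(pat, host))


def select_local_name(blocks: dict[str, dict[str, str]], sni_host: str) -> Optional[str]:
    """Return the local_name key to serve 'sni_host', or None for the default cert.

    An exact name has zero '*' labels and so always ranks ahead of a wildcard.
    """
    candidates = [name for name in blocks if local_name_matches(name, sni_host)]
    if not candidates:
        return None
    return min(candidates, key=lambda n: n.count("*"))


if __name__ == "__main__":
    cfg = parse_local_name_blocks(SAMPLE_CONFIG)
    for host in ("imap.foo.bar", "pop3.foo.bar", "a.b.foo.bar", "foo.bar"):
        print(f"{host:>14} -> {select_local_name(cfg, host)}")
```

Note that `foo.bar` itself resolves to `None` (the default certificate), which is the behaviour to expect if only `*.foo.bar` is configured; an operator who wants the bare domain covered still needs an explicit `local_name foo.bar` block, the same rule that applies to wildcard certificates.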