It gets worse! If you request a client certificate, Dovecot will not check the name on the certificate, only that it is signed by a known CA. I raised this issue on this list some time ago and got no response. I'm not sure anyone is listening.
On 16/05/2023 7:54 pm, Serg via dovecot wrote:
I would like to offer to implement a feature to reject SSL handshakes for a default certificate-key pair for efficiently discarding bot requests (i.e. such requests that provide invalid/not configured hostname or do not specify at all, like when doing request to the IP address directly).
Nginx has such feature already implemented as seen here [1], and it would be beneficial if dovecot would support this too.
Currently I am using the following SSL configuration snippet to mimic such behavior:
ssl_cert = </etc/ssl/dovecot/server.crt
ssl_key = </etc/ssl/dovecot/server.key

local_name flopster.at.encryp.ch {
  ssl_cert = </etc/ssl/domains/flopster.at.encryp.ch/fullchain
  ssl_key = </etc/ssl/domains/flopster.at.encryp.ch/key
}
But in this case the problem is that the invalid requests (for this example it is requests that don't have Server Name Indication at all or mention anything else but not flopster.at.encryp.ch) are still replied to by Dovecot with a TLS certificate rather than being simply rejected with a TLSV1_UNRECOGNIZED_NAME error code.
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
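The behaviour Serg is asking for is decided entirely from the ClientHello: the server reads the SNI extension, and if the name is absent or not one of the configured local_name entries it answers with an unrecognized_name alert (RFC 6066, alert 112) instead of completing the handshake with the default certificate. The following is an added example, not code from Dovecot or nginx, that shows that decision step in isolation. It builds a minimal ClientHello (constructed sample input), extracts the SNI host_name, and mirrors the configuration above by accepting only flopster.at.encryp.ch; the function names and the ALLOWED list are assumptions for the demonstration. Fed captured ClientHellos instead of the constructed ones, the same extract_sni() can be used to count how many inbound connections carry no SNI or an unconfigured name before such a reject setting is turned on.

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000          # RFC 6066 server_name extension
ALERT_UNRECOGNIZED_NAME = 112     # RFC 6066 alert description
ALERT_LEVEL_FATAL = 2

# Assumed configuration: the local_name entries from the Dovecot snippet above.
ALLOWED = ["flopster.at.encryp.ch"]


def build_client_hello(server_name=None):
    """Construct a minimal ClientHello record (sample input for this demo, not a real capture)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = struct.pack("!BH", 0, len(host)) + host       # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry           # server_name_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (
        b"\x03\x03" + b"\x11" * 32                 # client_version + fixed "random" (constructed)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # compression methods: null only
        + struct.pack("!H", len(exts)) + exts      # extensions block
    )
    hs = struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def extract_sni(record):
    """Return the host_name from the SNI extension, or None if the ClientHello has none.
    Raises ValueError for anything that is not a well-formed ClientHello record."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                       # client_version + random
        pos += 1 + body[pos]                               # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                                  # cipher_suites
        pos += 1 + body[pos]                               # compression_methods
        if pos + 2 > len(body):
            return None                                    # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack("!BH", data[p:p + 3])
                p += 3
                name = data[p:p + nlen]
                p += nlen
                if ntype == 0:                             # host_name entry
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return None


def decide(record, configured_names=ALLOWED):
    """Mimic the requested behaviour: complete the handshake only when the SNI matches a
    configured local_name; otherwise answer with a fatal unrecognized_name alert record."""
    name = extract_sni(record)
    if name is not None and name.lower() in {n.lower() for n in configured_names}:
        return ("accept", name)
    alert = struct.pack("!BHH", TLS_ALERT, 0x0303, 2) + bytes([ALERT_LEVEL_FATAL, ALERT_UNRECOGNIZED_NAME])
    return ("reject", alert)


if __name__ == "__main__":
    for sni in ("flopster.at.encryp.ch", "mail.example.org", None):
        verdict, detail = decide(build_client_hello(sni))
        print(f"SNI={sni!r}: {verdict} ({detail if verdict == 'accept' else detail.hex()})")
```

The alert bytes returned for a rejected hello are the seven-byte record 15 0303 0002 02 70 (fatal, unrecognized_name), which is what a client reports as TLSV1_UNRECOGNIZED_NAME; a handshake without any SNI extension is treated exactly like one with a wrong name, since the direct-to-IP bot traffic described above is the case the feature is meant to discard.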