Any update on lazy load SNI?
Hi folks,
We need to use SNI with Dovecot at a relatively large scale and I was wondering if there's any update on the ability to:
1. Lazy load SNI certificates when they are needed instead of loading them all at once during startup/reload, thus taking a lot of memory and being very slow.
2. Not having to reload Dovecot every time a new domain cert is added in conf.
3. Or at least have Dovecot keep processing clients while the slow reload happens.
This has been asked already in a 2016 thread: https://www.dovecot.org/pipermail/dovecot/2016-November/106075.html.
Regarding point 3 there's a reply from Aki saying it was in the internal tasklist (https://www.dovecot.org/pipermail/dovecot/2016-November/106089.html).
Does anybody know if some progress has been made on these subjects? I can't find anything in the docs or any recent information anywhere else.
Thanks,
-- Pierre Allétru 06 70 55 08 35 pierre.alletru@gmail.com
What we do is have openresty(nginx) sit as a reverse proxy on top of dovecot, and use lua to dynamically load certificates using sni.
We have a large userbase (100k+) and it works without issues, except that it does not work with STARTTLS, only IMAP+TLS. This has not been an issue, as we set up users using autodiscover/autoconfig, or as a fallback it is the default config in most user agents.
Hope it helps,
Joel Chornik
On 3 Nov 2022, at 10:24, Pierre Allétru <pierre.alletru@gmail.com> wrote:
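The setup Joel describes, as an added example that is not his configuration: an OpenResty stream server terminates IMAPS (993) in front of Dovecot and picks the certificate inside ssl_certificate_by_lua_block from the SNI name the client sent, loading each domain's files on first use and caching the parsed DER in a shared dict, so adding or renewing a certificate needs no reload. The directory layout /etc/ssl/sni/<domain>/{fullchain,privkey}.pem, the shared dict name, the 10-minute cache TTL and Dovecot listening in plaintext on 127.0.0.1:143 are assumptions of this example. Because the SNI value is attacker-controlled and ends up in a filesystem path, it is validated as a hostname before any file is opened.

```nginx
# Added example (not Joel's config): OpenResty stream proxy in front of Dovecot
# that selects the TLS certificate per SNI name during the handshake.
# Assumptions: OpenResty built with stream-lua support; per-domain files at
# /etc/ssl/sni/<domain>/fullchain.pem and privkey.pem; Dovecot on 127.0.0.1:143.
stream {
    lua_shared_dict sni_certs 16m;   # parsed DER certs/keys, shared by all workers

    server {
        listen 993 ssl;
        # Fallback certificate, used whenever the Lua handler returns without setting one.
        ssl_certificate     /etc/ssl/sni/_default/fullchain.pem;
        ssl_certificate_key /etc/ssl/sni/_default/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        ssl_certificate_by_lua_block {
            local ssl   = require "ngx.ssl"
            local cache = ngx.shared.sni_certs

            local name = ssl.server_name()
            -- No SNI (legacy clients, IP literals): keep the default certificate.
            if not name then return end

            -- SNI is client-controlled input that becomes part of a path:
            -- accept only a plausible lowercase hostname, reject ".." and "/".
            name = name:lower()
            if #name > 253
               or not name:match("^[a-z0-9][a-z0-9%-%.]*[a-z0-9]$")
               or name:find("..", 1, true) then
                return
            end

            local cert_der = cache:get(name .. ":cert")
            local key_der  = cache:get(name .. ":key")

            if not cert_der or not key_der then
                -- Cache miss: read this domain's PEM files (only on first use / after TTL).
                local dir = "/etc/ssl/sni/" .. name .. "/"
                local f = io.open(dir .. "fullchain.pem", "r")
                if not f then return end            -- unknown domain: default cert
                local cert_pem = f:read("*a"); f:close()
                f = io.open(dir .. "privkey.pem", "r")
                if not f then return end
                local key_pem = f:read("*a"); f:close()

                local err
                cert_der, err = ssl.cert_pem_to_der(cert_pem)
                if not cert_der then
                    ngx.log(ngx.ERR, "bad cert for ", name, ": ", err)
                    return
                end
                key_der, err = ssl.priv_key_pem_to_der(key_pem)
                if not key_der then
                    ngx.log(ngx.ERR, "bad key for ", name, ": ", err)
                    return
                end

                -- 10-minute TTL: a renewed certificate is picked up without any reload.
                cache:set(name .. ":cert", cert_der, 600)
                cache:set(name .. ":key",  key_der,  600)
            end

            -- Replace the static certificate for this handshake only.
            ssl.clear_certs()
            local ok, err = ssl.set_der_cert(cert_der)
            if not ok then
                ngx.log(ngx.ERR, "set_der_cert for ", name, ": ", err)
                return
            end
            ok, err = ssl.set_der_priv_key(key_der)
            if not ok then
                ngx.log(ngx.ERR, "set_der_priv_key for ", name, ": ", err)
                return
            end
        }

        # Decrypted IMAP goes to Dovecot on the loopback interface.
        proxy_pass 127.0.0.1:143;
    }
}
```

The file reads are blocking calls inside the event loop, which is why the result is cached: only the first handshake for a domain (or the first after the TTL expires) pays that cost, the rest are a shared-dict lookup. This only works for implicit TLS on 993, as Joel notes: with STARTTLS on 143 the TLS handshake starts after a plaintext IMAP exchange, which a TLS-terminating stream proxy cannot interpose on, so those clients still hit Dovecot's own SNI handling.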
Thank you for the information Joel, very helpful! We've started doing the exact same thing actually, with good ol' ssl_certificate_by_lua, until we realized this wouldn't work with STARTTLS/STLS.
We'd like that to work though and we can't seem to find a solution if Dovecot can't smoothly handle SNI at scale.
-- Pierre Allétru 06 70 55 08 35 pierre.alletru@gmail.com
On Thu, 3 Nov 2022, 14:32, Joel A. Chornik <joel.chornik@gmail.com> wrote: