Hello,
How (if at all) might I configure a Dovecot server to read its SNI configuration dynamically?
Right now I’ve got thousands of domains all served from a quite-large static config file that has to be rebuilt every time a domain is added or removed. It would be much simpler if there were a way to make Dovecot call out to some external service to fetch a given domain’s certificate.
Thank you in advance!
cheers, -Felipe Gasper
On Oct 7, 2021, at 15:11, Benny Pedersen <me@junc.eu> wrote:

> On 2021-10-07 14:49, Felipe Gasper wrote:
>
>> Dovecot call out to some external service to fetch a given domain’s certificate.
>
> sni is something no one needs, your server name is not changing if you got a new customer

Rest assured, it’s of great use to us.

I’m just asking if there’s a way to configure it dynamically, similarly to how authn can be configured.

Thank you!

-FG
On 2021-10-08 00:37, Felipe Gasper wrote:

>>> Dovecot call out to some external service to fetch a given domain’s certificate.
>>
>> sni is something no one needs, your server name is not changing if you got a new customer
>
> Rest assured, it’s of great use to us.

complexity costs nothing, maybe

> I’m just asking if there’s a way to configure it dynamically, similarly to how authn can be configured.

sni is not dynamically secure

https://dovecot.org/pipermail/dovecot/2013-December/094214.html

> Thank you!

no problem suggesting more complexity to users / admins that want it
On Oct 7, 2021, at 7:47 PM, Benny Pedersen <me@junc.eu> wrote:

> On 2021-10-08 00:37, Felipe Gasper wrote:
>
>>>> Dovecot call out to some external service to fetch a given domain’s certificate.
>>>
>>> sni is something no one needs, your server name is not changing if you got a new customer
>>
>> Rest assured, it’s of great use to us.
>
> complexity costs nothing, maybe

Enh, we already have the complexity because of web hosting. It’s not much more to teach Dovecot to use the certs that httpd uses.

> sni is not dynamically secure
>
> https://dovecot.org/pipermail/dovecot/2013-December/094214.html

SNI’s security problem is that the server name is sent unencrypted. This isn’t really of much concern for mail, though.

Of note, this thread predates the wide public availability of free certificates. We already have logic that re-issues a certificate when domain configurations change; in fact, the overhead of rebuilding Dovecot’s configuration is part of what I’d like to minimize.

-FG
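The static per-domain SNI configuration described in the opening question, together with the idea of reusing the certificates the web server already holds, can at least be regenerated safely. The script below is an added example, not code from this thread or from the Dovecot project: it emits Dovecot `local_name` blocks (the documented per-SNI-name form, with `ssl_cert = <file` / `ssl_key = <file`) from a domain list, assuming a hypothetical layout where each domain's certificate and key sit at fixed paths under `/etc/ssl/mail`. It rejects any domain name or path that could break out of a config block, which matters when the domain list comes from a customer-facing provisioning system rather than from an admin's hand-edited file.

```python
"""Generate Dovecot per-domain SNI blocks from a list of hosted domains.

Added example for the mailing-list thread above; the domain names and the
/etc/ssl/mail layout are constructed, not taken from any real deployment.
"""
import re

# One DNS label per RFC 1123 (letters, digits, hyphen; no leading/trailing hyphen).
# Anything else (newline, braces, '<', '#', spaces) would alter how Dovecot parses
# the generated block, so it is refused rather than escaped.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed input: two real-looking domains and one that must be rejected.
SAMPLE_DOMAINS = ["Mail.Example.COM.", "mail.example.net", "x}{bad"]


def validate_hostname(name: str) -> str:
    """Return the normalised (lowercase, no trailing dot) hostname, or raise ValueError."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        raise ValueError(f"bad hostname length: {name!r}")
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"invalid hostname: {name!r}")
    return name


def sni_block(domain: str, cert_path: str, key_path: str) -> str:
    """Render one Dovecot local_name block for a single SNI hostname."""
    domain = validate_hostname(domain)
    for path in (cert_path, key_path):
        # The config is read by the server as root: only absolute paths, and none
        # containing characters Dovecot's config parser treats as syntax.
        if not path.startswith("/") or any(c in path for c in "\n\r<>{}# "):
            raise ValueError(f"unsafe path: {path!r}")
    return (
        f"local_name {domain} {{\n"
        f"  ssl_cert = <{cert_path}\n"
        f"  ssl_key = <{key_path}\n"
        "}\n"
    )


def render_config(domains, cert_dir="/etc/ssl/mail", key_dir="/etc/ssl/mail/private"):
    """Render all blocks (sorted by name) and return (config_text, rejected_reasons).

    Bad entries are skipped and reported instead of aborting the whole rebuild,
    so one malformed provisioning record cannot take every other domain offline.
    """
    blocks, rejected = [], []
    for raw in domains:
        try:
            name = validate_hostname(raw)
            blocks.append(sni_block(name, f"{cert_dir}/{name}.pem", f"{key_dir}/{name}.key"))
        except ValueError as err:
            rejected.append(str(err))
    header = "# generated from the domain list; do not edit by hand\n"
    return header + "\n".join(sorted(blocks)), rejected


if __name__ == "__main__":
    text, bad = render_config(SAMPLE_DOMAINS)
    print(text)
    for reason in bad:
        print("rejected:", reason)
```

In practice the output would be written to a file pulled in with `!include` from `dovecot.conf`, followed by `doveadm reload`; validating the names before they reach the config is the part that does not change whichever way the file is assembled.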
On 2021-10-07, Felipe Gasper <felipe@felipegasper.com> wrote:

> On Oct 7, 2021, at 7:47 PM, Benny Pedersen <me@junc.eu> wrote:
>
>> https://dovecot.org/pipermail/dovecot/2013-December/094214.html
>
> SNI’s security problem is that the server name is sent unencrypted. This isn’t really of much concern for mail, though.
>
> Of note, this thread predates the wide public availability of free certificates. We already have logic that re-issues a certificate when domain configurations change; in fact, the overhead of rebuilding Dovecot’s configuration is part of what I’d like to minimize.

It also pre-dates some large mail services requiring SNI; mostly as a result of this, client support for SNI is much better now.

One benefit of doing this is that horizontal scaling can be done by moving entire domains to another server and repointing DNS; that way neither a protocol-level proxy nor client config changes are needed. It's not suitable for every mail service, but there are credible reasons to use SNI here.
participants (3)
- Benny Pedersen
- Felipe Gasper
- Stuart Henderson