Hello,
How (if at all) might I configure a Dovecot server to read its SNI configuration dynamically?
Right now I’ve got thousands of domains all served from a quite-large static config file that has to be rebuilt every time a domain is added or removed. It would be much simpler if there were a way to make Dovecot call out to some external service to fetch a given domain’s certificate.
Thank you in advance!
cheers, -Felipe Gasper
On 2021-10-08 00:37, Felipe Gasper wrote:
complexity cost nothing maybe
I’m just asking if there’s a way to configure it dynamically, similarly to how authn can be configured.
sni is not dynamicly secure
https://dovecot.org/pipermail/dovecot/2013-December/094214.html
Thank you!
no problem on suggest more complexity to users / admins that want it
Enh, we already have the complexity because of web hosting. It’s not much more to teach Dovecot to use the certs that httpd uses.
sni is not dynamicly secure
https://dovecot.org/pipermail/dovecot/2013-December/094214.html
SNI’s security problem is that the server name is sent unencrypted. This isn’t really of much concern for mail, though.
Of note, this thread predates the wide public availability of free certificates. We already have logic that re-issues a certificate when domain configurations change; in fact, the overhead of rebuilding Dovecot’s configuration is part of what I’d like to minimize.
-FG
On 2021-10-07, Felipe Gasper <felipe@felipegasper.com> wrote:
It also pre-dates some large mail services requiring SNI, mostly as a result of this client support for SNI is much better now.
One benefit of doing this is that horizontal scaling can be done by moving entire domains to another server and repointing DNS, that way neither a protocol-level proxy nor client config changes are needed. It's not suitable for every mail service but there are credible reasons to use SNI here.
participants (3)
-
Benny Pedersen
-
Felipe Gasper
-
Stuart Henderson