Dovecot 2.4.0 multiple hosts SNI configuration regression
Hello everyone.
We are testing out Dovecot 2.4.0 and noticed a regression in how the local_name filter with multiple space-separated host names works.
For example, having the following dovecot.conf:
...
ssl_server_cert_file = /etc/dovecot/global.cert
ssl_server_key_file = /etc/dovecot/global.key
ssl_server_dh_file = /etc/dovecot/dh.pem
...
local_name "server.example.com mail.example.com" {
ssl_server_cert_file = /etc/dovecot/example.com.cert
ssl_server_key_file = /etc/dovecot/example.com.key
}
local_name "good.example.org" {
ssl_server_cert_file = /etc/dovecot/example.org.cert
ssl_server_key_file = /etc/dovecot/example.org.key
}
...
Connection to server.example.com:993 (with SNI support) does not work as expected. The global certificate from the global.cert file is used, and validation fails.
However, connection to good.example.org:993 (with SNI support) works fine. The example.org.cert file is used.
The doveconf tool thinks the example configuration should work, hinting that this is likely to be a bug. Example:
# doveconf -f local_name=mail.example.com ssl_server
ssl_server {
cert_file = /etc/dovecot/example.com.cert
dh_file = /etc/dovecot/dh.pem
key_file = /etc/dovecot/example.com.key
}
The results show correct file paths, but the dovecot server is not using them.
Any confirmation if this is really a bug, or maybe an intended configuration syntax change (to force repeating the local_name blocks for each hostname) would be really appreciated. Thanks.
-- Julius
On 26. Feb 2025, at 18.27, Julius Kriukas via dovecot <dovecot@dovecot.org> wrote:
Hello everyone.
We are testing out Dovecot 2.4.0 and noticed a regression in how the local_name filter with multiple space-separated host names works. For example, having the following dovecot.conf:
...
ssl_server_cert_file = /etc/dovecot/global.cert
ssl_server_key_file = /etc/dovecot/global.key
ssl_server_dh_file = /etc/dovecot/dh.pem
...
local_name "server.example.com mail.example.com" {
ssl_server_cert_file = /etc/dovecot/example.com.cert
ssl_server_key_file = /etc/dovecot/example.com.key
}
I had completely forgotten that there was such a feature. Looks like it was added by:
commit fb13dfaa903c5efb492e993888aa444138001e8e
Author: J. Nick Koston <nick@cpanel.net>
Date: Thu Dec 1 01:38:02 2016 -0600
config: Match multiple names in local_name
This can significantly reduce memory usage when using
a UCC certificate with multiple names by only loading
the certificate and key once.
I don't think there is much of a benefit anymore with v2.4, since the certificate and keys are accessed via mmap()ed binary config file. So although the cert/key are duplicated there, that happens only once per server, not once per process.
I don't think this syntax was even documented anywhere?
The doveconf tool thinks the example configuration should work, hinting that this is likely to be a bug. Example:
# doveconf -f local_name=mail.example.com ssl_server
ssl_server {
cert_file = /etc/dovecot/example.com.cert
dh_file = /etc/dovecot/dh.pem
key_file = /etc/dovecot/example.com.key
}
This is also somewhat accidental, because I preserved this filtering code.
Any confirmation if this is really a bug, or maybe an intended configuration syntax change (to force repeating the local_name blocks for each hostname) would be really appreciated. Thanks.
Seems like just extra complexity to me with an ugly syntax. Unless someone convinces me otherwise, I think I'll just remove all traces of it.
On 26/02/2025 18:31, Timo Sirainen via dovecot wrote:
I don't think there is much of a benefit anymore with v2.4, since the certificate and keys are accessed via mmap()ed binary config file. So although the cert/key are duplicated there, that happens only once per server, not once per process.
(Unrelated to thread author question)
Looks interesting - so now only one copy of the config will be kept in memory (worst case) and that's shared among all dovecot processes, without exceptions?
I wonder if 2.4 can now handle xy or xyz thousands of certs etc. without killing the machine or requiring tons of resources?
(2.3 was not able to do that in sane way - https://dovecot.org/list/dovecot/2016-October/105855.html )
-- Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
On 2/26/25 19:31, Timo Sirainen via dovecot wrote:
Seems like just extra complexity to me with an ugly syntax. Unless someone convinces me otherwise, I think I'll just remove all traces of it.
If it has no performance benefits anymore, then removing it would indeed make config syntax simpler.
I think it would also be an improvement if Dovecot would throw a configuration error if such syntax is detected (host name with spaces).
Thanks for the clarification.
-- Julius Kriukas
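The regression in the first message and the configuration-error check suggested in the last one, as an added example that is not part of the thread or of Dovecot itself: a small Python checker that flags local_name filters carrying space-separated host names (the case 2.4.0 silently ignores) and rewrites them into one block per name, which is the workaround of repeating the block that the thread mentions. The regex assumes the flat, non-nested blocks shown in the thread; the sample config is constructed from the paths quoted above.

```python
import re

# Constructed sample of the dovecot.conf fragment discussed in the thread.
SAMPLE_CONF = """\
ssl_server_cert_file = /etc/dovecot/global.cert
ssl_server_key_file = /etc/dovecot/global.key
ssl_server_dh_file = /etc/dovecot/dh.pem
local_name "server.example.com mail.example.com" {
  ssl_server_cert_file = /etc/dovecot/example.com.cert
  ssl_server_key_file = /etc/dovecot/example.com.key
}
local_name "good.example.org" {
  ssl_server_cert_file = /etc/dovecot/example.org.cert
  ssl_server_key_file = /etc/dovecot/example.org.key
}
"""

# One local_name filter: header with optional quotes, body up to a line that
# starts with "}". Assumes the flat, non-nested blocks shown in the thread.
LOCAL_NAME_RE = re.compile(
    r'^(?P<indent>[ \t]*)local_name\s+"?(?P<names>[^"{\n]+?)"?\s*\{(?P<body>.*?)^\}',
    re.MULTILINE | re.DOTALL,
)


def find_multi_name_filters(conf: str) -> list[list[str]]:
    """Name lists of every local_name filter with more than one host name.

    A non-empty result is what a config-time error would report: on 2.4.0
    such a block is skipped and the global certificate gets served instead.
    """
    found = []
    for m in LOCAL_NAME_RE.finditer(conf):
        names = m.group("names").split()
        if len(names) > 1:
            found.append(names)
    return found


def expand_multi_name_filters(conf: str) -> str:
    """Rewrite each multi-name block into one identical block per host name.

    Single-name blocks and global settings pass through unchanged, so the
    function is idempotent.
    """
    def one_block_per_name(m: re.Match) -> str:
        indent, body = m.group("indent"), m.group("body")
        return "\n".join(f'{indent}local_name "{name}" {{{body}{indent}}}'
                         for name in m.group("names").split())
    return LOCAL_NAME_RE.sub(one_block_per_name, conf)
```

Run `find_multi_name_filters` over a real dovecot.conf before upgrading to 2.4.0 to catch blocks whose certificate would otherwise stop being served; `expand_multi_name_filters` produces the equivalent per-host configuration.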