[feature request] SSL handshake rejection for non-SNI clients
I would like to offer to implement a feature to reject SSL handshakes for the default certificate-key pair, for efficiently discarding bot requests (i.e. requests that provide an invalid/not configured hostname or do not specify one at all, as when making a request to the IP address directly).
Nginx already has such a feature, as seen here, and it would be beneficial if Dovecot supported this too.
Currently I am using the following SSL configuration snippet to mimic such behavior:
ssl_cert =
local_name flopster.at.encryp.ch { ssl_cert =
But in this case the problem is that the invalid requests (for this example, requests that don't have Server Name Indication at all or that mention anything other than flopster.at.encryp.ch) are still answered by Dovecot with a TLS certificate rather than simply being rejected with a TLSV1_UNRECOGNIZED_NAME error code.
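The behaviour requested above (no SNI or an unconfigured name gets a TLSV1_UNRECOGNIZED_NAME alert instead of a default certificate), shown as an added example in Python's ssl module rather than as Dovecot or Nginx code; the configured name set, the certificate paths and the placeholder per-name contexts are assumptions.

```python
"""Reject TLS handshakes that carry no SNI or an unconfigured name.

Python's server-side SSLContext.sni_callback can swap the certificate per
name and, instead of falling back to a default certificate, abort the
handshake by returning the unrecognized_name alert description.
"""
import ssl

# Names this server is configured to answer for (constructed sample).
CONFIGURED_NAMES = {"flopster.at.encryp.ch"}
# RFC 6066 unrecognized_name(112): the alert the original post asks for.
REJECT_ALERT = ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME


def normalize_sni(servername):
    """Canonicalise an SNI value; returns None when the client sent none."""
    if not servername:
        return None
    return servername.rstrip(".").lower()


def sni_decision(servername, configured=CONFIGURED_NAMES):
    """Return the configured name to serve, or the TLS alert to send.

    No SNI at all (direct-to-IP clients, most scanners) and unknown names
    both get unrecognized_name instead of a default certificate.
    """
    name = normalize_sni(servername)
    if name in configured:
        return name
    return REJECT_ALERT


def make_sni_callback(contexts):
    """Build an SSLContext.sni_callback from a {name: SSLContext} map."""
    def callback(sslobj, servername, _ctx):
        decision = sni_decision(servername, set(contexts))
        if isinstance(decision, int):
            return decision               # fatal alert, handshake aborted
        sslobj.context = contexts[decision]  # serve the matching certificate
        return None                       # let the handshake continue
    return callback


def build_server_context(cert_chain, key, contexts):
    """Listening context; OpenSSL still needs a chain loaded even though
    the callback never lets an unrecognised client see it (paths are
    placeholders, not files from the original post)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_chain, key)
    ctx.sni_callback = make_sni_callback(contexts)
    return ctx
```

Rejecting every client without SNI also drops legitimate legacy clients that connect by IP, so the failed handshakes are worth logging before turning this on for a production listener.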
It gets worse! If you request a client certificate, Dovecot will not check the name on the certificate, only that it is signed by a known CA. I raised this issue on this list some time ago and got no response. I'm not sure anyone is listening.
On 16/05/2023 7:54 pm, Serg via dovecot wrote:
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
-- This email has been checked for viruses by AVG antivirus software. www.avg.com
Hi!
We are indeed listening. And Dovecot actually can check the name on the certificate, if you ask it to do so.
https://doc.dovecot.org/settings/core/#core_setting-auth_ssl_username_from_c...
Aki
On 16/05/2023 14:58 EEST Sean Gallagher sean@teletech.com.au wrote:
A new thread so as not to hijack Serg's request.
In my config, I forward deliveries to Dovecot over LMTPS. The machine (there is just one for now) forwarding the mail has a certificate from a well known and trusted CA. How can I configure Dovecot to accept mail deliveries from that one machine?
Currently I have:
protocol lmtp {
  login_trusted_networks = 192.168.x.y 0011:2233:4455:6677:8899:aabb:ccdd:eeff
  auth_ssl_require_client_cert = yes
  ssl_verify_client_cert = yes
  ssl_ca = (a private - single purpose CA)
  ...
The IP addresses are the addresses of the LMTPS client machine.
I have created a CA for the sole purpose of signing the certificate of the LMTPS client. I regard this as a horrible, horrible kludge.
I would like to be able to set ssl_ca to the root certificate of the public trusted CA but can't work out how to get Dovecot to check the name on the certificate.
Any help would be greatly appreciated.
Sean.
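The check this post is asking for, as an added example that is not Dovecot's code: a CA signature only proves the peer holds some certificate from that CA, so accepting LMTPS deliveries from one machine needs the certificate's names matched against an allowlist. The example works on the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the sample certificate dict and host names are constructed, and wildcard names are deliberately not matched.

```python
"""Bind a CA-verified client certificate to an expected host identity."""

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "mx1.example.net"),),),
    "subjectAltName": (("DNS", "mx1.example.net"), ("DNS", "smtp.example.net")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def certificate_names(cert):
    """All DNS identities a certificate asserts: SAN dNSNames first, then CN.

    Only exact names are returned; a wildcard entry never matches anything
    in the allowlist below, which is the safer default for a fixed peer.
    """
    names = [v.lower() for t, v in cert.get("subjectAltName", ())
             if t == "DNS" and not v.startswith("*")]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def authorise_peer(cert, allowed_names):
    """Return the matched name, or None if the peer is not an allowed host.

    An empty dict is what getpeercert() returns when the peer sent no
    certificate or verification was not requested, so it is always refused.
    """
    if not cert:
        return None
    allowed = {n.rstrip(".").lower() for n in allowed_names}
    for name in certificate_names(cert):
        if name in allowed:
            return name
    return None
```

With a public CA in ssl_ca, skipping this step means any certificate that CA has ever issued is accepted as the delivery peer.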
participants (3)
- Aki Tuomi
- Sean Gallagher
- Serg